Discover and read the best of Twitter Threads about #VBALostArts

Most recents (4)

Todays #VBALostArts Topic: #Sandbox Detection

So a few hours ago I whipped up a super basic Office #malware whose goal was to extract as much info from sandboxes as possible and send it in the clear so you can gather all the configurations of the sandbox.

I named it Thumper
Thumper does 4 things:
- Built In Office/VBA Info Gathering
- Registry Reading (USER & LM)
- RecentFiles Methods
- Shoots results via HTTP (so you can see)

It does this (by design) with the elegance of a herd of drunken water buffaloes dancing to Russian hard bass in a tea shop.
As the reference to the name, it's meant to call the sandworms hidding in the dunes.

And if you want to detect and avoid almost all of the sandboxes - easiest way is to check the DateTime stamps of RecentFile methods of Word.

Like This: Image
Read 8 tweets
Gather round #infosec fam

Warning: This is a long Thread with lots of #VBALostArts & new goodies for #c2c #opsec & #payloads in Office Malware #VBA

Spoilers: This thread is gonna make some Blue Teams & sandboxes mad

Red Teams: There is plenty of fun up ahead.

Enjoy.
Currently Office Malware is 3 steps generally:

1. Encrypt/Obfuscate Your #Macro Dropper
2. Get Your Powershell/Java/JS/DLL flavor of the week onto the victim ASAP
3. Bug out

I want to change all of this, however before we do that we need to upgrade Office Malware
For now lets focus on the first step and why obfuscating/encrypting your macros not ideal.

1. Your code will eventually get deobfuscated
2. Your code is not unique - same sample <-> many targets
3. Most obfuscation methods = Noise/Signatures
4. Your code becomes evidence
Read 18 tweets
So for today's lesson in C2C for #VBA I will be discussing abusing the AddWebVideo method.

This feature is literally for (surprise) adding videos inside documents.

However it is one of the most overlooked ways to implement C2C or exfil

#VBALostArts
AddWebVideo has 3 parameters that are partial to abuse for C2C and exfil (among other things).

EmbedCode, PosterFrameImage, and URL being the ones we are interested.

However they each have their own behavior and benefits. Image
Starting off with EmbedCode this variable accepts HTML content that is to be rendered within MS Office

So using EmbedCode you can trigger a HTTP[s] connection to your C2C Server as well as store some HTML (more on that in the future)

Something like this gets the job done: Image
Read 9 tweets
Lets talk about alternative methods to communicate with VBA based malware back to C2C.

So the majority of the samples will use Win32/Native API COM to do HTTP[S] back to C2C.

There are plenty of ways of doing it without these ways.
One of the more interesting features of modern office has been embracing XML datasets for document content.

This allows communication to be achieved using built in Smart objects and XMLNodes

These ones would be an example Image
Another especially nice method would be OLE objects, which source object can be over HTTP when using AddOLEObject method. Image
Read 9 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!