Discover and read the best of Twitter Threads about #vbalostarts
Most recents (4)
Todays #VBALostArts Topic: #Sandbox Detection
So a few hours ago I whipped up a super basic Office #malware whose goal was to extract as much info from sandboxes as possible and send it in the clear so you can gather all the configurations of the sandbox.
I named it Thumper
So a few hours ago I whipped up a super basic Office #malware whose goal was to extract as much info from sandboxes as possible and send it in the clear so you can gather all the configurations of the sandbox.
I named it Thumper
Thumper does 4 things:
- Built In Office/VBA Info Gathering
- Registry Reading (USER & LM)
- RecentFiles Methods
- Shoots results via HTTP (so you can see)
It does this (by design) with the elegance of a herd of drunken water buffaloes dancing to Russian hard bass in a tea shop.
- Built In Office/VBA Info Gathering
- Registry Reading (USER & LM)
- RecentFiles Methods
- Shoots results via HTTP (so you can see)
It does this (by design) with the elegance of a herd of drunken water buffaloes dancing to Russian hard bass in a tea shop.
As the reference to the name, it's meant to call the sandworms hidding in the dunes.
And if you want to detect and avoid almost all of the sandboxes - easiest way is to check the DateTime stamps of RecentFile methods of Word.
Like This:
And if you want to detect and avoid almost all of the sandboxes - easiest way is to check the DateTime stamps of RecentFile methods of Word.
Like This:
Gather round #infosec fam
Warning: This is a long Thread with lots of #VBALostArts & new goodies for #c2c #opsec & #payloads in Office Malware #VBA
Spoilers: This thread is gonna make some Blue Teams & sandboxes mad
Red Teams: There is plenty of fun up ahead.
Enjoy.
Warning: This is a long Thread with lots of #VBALostArts & new goodies for #c2c #opsec & #payloads in Office Malware #VBA
Spoilers: This thread is gonna make some Blue Teams & sandboxes mad
Red Teams: There is plenty of fun up ahead.
Enjoy.
Currently Office Malware is 3 steps generally:
1. Encrypt/Obfuscate Your #Macro Dropper
2. Get Your Powershell/Java/JS/DLL flavor of the week onto the victim ASAP
3. Bug out
I want to change all of this, however before we do that we need to upgrade Office Malware
1. Encrypt/Obfuscate Your #Macro Dropper
2. Get Your Powershell/Java/JS/DLL flavor of the week onto the victim ASAP
3. Bug out
I want to change all of this, however before we do that we need to upgrade Office Malware
For now lets focus on the first step and why obfuscating/encrypting your macros not ideal.
1. Your code will eventually get deobfuscated
2. Your code is not unique - same sample <-> many targets
3. Most obfuscation methods = Noise/Signatures
4. Your code becomes evidence
1. Your code will eventually get deobfuscated
2. Your code is not unique - same sample <-> many targets
3. Most obfuscation methods = Noise/Signatures
4. Your code becomes evidence
So for today's lesson in C2C for #VBA I will be discussing abusing the AddWebVideo method.
This feature is literally for (surprise) adding videos inside documents.
However it is one of the most overlooked ways to implement C2C or exfil
#VBALostArts
This feature is literally for (surprise) adding videos inside documents.
However it is one of the most overlooked ways to implement C2C or exfil
#VBALostArts
AddWebVideo has 3 parameters that are partial to abuse for C2C and exfil (among other things).
EmbedCode, PosterFrameImage, and URL being the ones we are interested.
However they each have their own behavior and benefits.
EmbedCode, PosterFrameImage, and URL being the ones we are interested.
However they each have their own behavior and benefits.
Starting off with EmbedCode this variable accepts HTML content that is to be rendered within MS Office
So using EmbedCode you can trigger a HTTP[s] connection to your C2C Server as well as store some HTML (more on that in the future)
Something like this gets the job done:
So using EmbedCode you can trigger a HTTP[s] connection to your C2C Server as well as store some HTML (more on that in the future)
Something like this gets the job done:
Lets talk about alternative methods to communicate with VBA based malware back to C2C.
So the majority of the samples will use Win32/Native API COM to do HTTP[S] back to C2C.
There are plenty of ways of doing it without these ways.
So the majority of the samples will use Win32/Native API COM to do HTTP[S] back to C2C.
There are plenty of ways of doing it without these ways.
One of the more interesting features of modern office has been embracing XML datasets for document content.
This allows communication to be achieved using built in Smart objects and XMLNodes
These ones would be an example
This allows communication to be achieved using built in Smart objects and XMLNodes
These ones would be an example
Another especially nice method would be OLE objects, which source object can be over HTTP when using AddOLEObject method.
