Let's talk about alternative methods for VBA-based malware to communicate back to its C2C.
The majority of samples use the Win32/Native API or COM to do HTTP[S] back to the C2C.
There are plenty of ways of doing it without those.
One of the more interesting features of modern Office has been its embrace of XML datasets for document content.
This allows communication to be achieved using the built-in Smart objects and XMLNodes.
These would be an example:
Another especially nice method is OLE objects, whose source object can be fetched over HTTP when using the AddOLEObject method.
This method performs the following actions when given a remote HTTP path as the object path:
Outbound DNS lookup to resolve the domain
HTTP OPTIONS request
HTTP HEAD request
HTTP GET request
The interesting parts are the contents of the HTTP request for this particular method:
For your C2 you can absolutely use this as a valid callback/check-in in your code to confirm execution and hand off a unique ID, and it will even accept cookies if you want further options.
However, the interesting fact here is the User-Agent reported:
Microsoft Office Word 2014 is the Mac version, yet this was being used from the latest Microsoft Office Word for Windows.
Seems like some code reuse is in play there and someone forgot to update the versioning ;)
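To turn the fetch pattern above (DNS, then OPTIONS, HEAD, GET against the same URL) and the odd User-Agent into something a SOC can hunt for, here is an added detection example in Python; it is not from the thread. It assumes a simplified proxy log format and that the logged User-Agent contains the substring "Microsoft Office Word 2014"; the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# User-Agent substring noted in the thread; the full logged UA string is an assumption.
OFFICE_UA_MARKER = "Microsoft Office Word 2014"

# Constructed sample proxy log lines (not from the original thread).
# Assumed format: <ISO timestamp> <client-ip> <method> <url> <status> "<user-agent>"
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.5 OPTIONS http://c2.example.invalid/note.docx 200 "Microsoft Office Word 2014"
2024-05-01T10:00:01 10.0.0.5 HEAD http://c2.example.invalid/note.docx 200 "Microsoft Office Word 2014"
2024-05-01T10:00:02 10.0.0.5 GET http://c2.example.invalid/note.docx 200 "Microsoft Office Word 2014"
2024-05-01T10:00:05 10.0.0.7 GET http://intranet.example.invalid/index.html 200 "Mozilla/5.0"
2024-05-01T10:01:00 10.0.0.9 GET http://files.example.invalid/report.docx 200 "Microsoft Office Word 2014"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, method, url, status, ua = m.groups()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "method": method, "url": url, "ua": ua}

def office_ua_clients(log_text):
    """Client IPs that sent any request carrying the Office UA marker (a broad hunt)."""
    return {r["ip"] for r in map(parse_line, log_text.splitlines()) if r and OFFICE_UA_MARKER in r["ua"]}

def find_ole_fetch_sequences(log_text, window_seconds=10):
    """(ip, url) pairs where one client sent OPTIONS, HEAD and then GET for the same URL
    with the Office UA, all within window_seconds before the GET (the thread's fetch pattern)."""
    per_target = defaultdict(list)
    for rec in map(parse_line, log_text.splitlines()):
        if rec and OFFICE_UA_MARKER in rec["ua"]:
            per_target[(rec["ip"], rec["url"])].append(rec)
    hits = []
    for (ip, url), recs in per_target.items():
        recs.sort(key=lambda r: r["ts"])
        for i, get in enumerate(recs):
            if get["method"] != "GET":
                continue
            # Methods this client already sent to the same URL shortly before the GET.
            prior = {r["method"] for r in recs[:i] if (get["ts"] - r["ts"]).total_seconds() <= window_seconds}
            if {"OPTIONS", "HEAD"} <= prior:
                hits.append((ip, url))
    return hits
```

The narrow sequence check is the higher-confidence signal; the broad UA hunt will also surface legitimate Office fetches, so pair it with the client's OS inventory to spot a "2014" Mac UA coming from a Windows host.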
Many people forget that Office has a full-fledged browser inside it, and you can ingest and manipulate XML and other web-based content within Office (hence browser bugs being patched in Office).
However, using these features for C2C and alternative communication is underused.
I will add the tag #VBALostArts to this thread for documentation purposes.
And the code to start this kind of behavior is a simple one-liner:
I will leave the handling of error messages and dialog boxes as an exercise for the reader.