AddWebVideo has 3 parameters that are partial to abuse for C2C and exfil (among other things).
EmbedCode, PosterFrameImage, and URL being the ones we are interested in.
However they each have their own behavior and benefits.
Starting off with EmbedCode: this variable accepts HTML content that is to be rendered within MS Office.
So using EmbedCode you can trigger a HTTP[s] connection to your C2C Server as well as store some HTML (more on that in the future)
Something like this gets the job done:
The second parameter that can be abused is PosterFrameImage, and is likely the best candidate for today's topic on C2C abuse and exfil.
This will grab an image from a remote resource, download it, and then store it within the document as a placeholder for the pre-rendered video.
Using Fiddler we can see these requests to the YouTube resources I used in the examples:
This is nearly identical to yesterday's example, complete with the inaccurate Word version in the request.
The URL parameter acts similarly to the PosterFrameImage parameter.
However there are some small but interesting details that make the image option much better - I will come back to that in the future.
So what can you do with these embedded videos for C2C, you ask?
Well, one nice feature is the embedded videos are not blocked by macros - so they can be used to instruct users to disable macros.
Enabling macros would then execute code to change the video.
Changing the video by modifying the Hyperlink object's Address property and then executing it via the Follow method will actually launch a full browser on a URL (outside Word).
This could be used by C2C to confirm delivery and to set phase 2 of VBA code.
In a future discussion I will discuss how successful VBA malware & pentesting tools need to be multi-phase to evade analysis & forensics.
So TL;DR of this thread: abusing VBA code to make HTTP[S] requests via Word itself, without calling Win32 or VBA HTTP code, to evade detection.
I have now heard of 2 extortion attempts originating from the AI girlfriend site Muah breach.
Both victims are devs & they received emails with credible data to confirm they have seen their sensitive content
One requested the victim give them VPN access
A 🧵
Security teams should be aware of sensitive breaches like this - as this can now jeopardize their entire company
Work with your team to put in place workplace awareness and a safe place for employees to report extortion.
Extortions at this stage can also include false accusations - an attacker could easily put out content to make a victim seem like they were an individual in the dump even though they weren't.
They can use this to attack someone's reputation and use it for leverage as well.
Since I'm 6 drinks in for 20 bucks, let me tell you all about the story of how the first Microsoft Office 2007 vulnerability was discovered, or how it wasn't.
This was a story I was gonna save for a book but fuck it, I ain't gonna write it anyways.
So in my first month working at eEye in late 2006, good ol' Microsoft announced Office 2007.
They said they added a shit ton of security including safe int, sandboxing, code analysis, and malformed doc detection.
I told my boss I was gonna break it.
So I started fuzzing by hand
I'm the kind of sicko who can open a Microsoft Office document in a hex editor and start telling you what it is all about just by scrolling down.
I have spent an embarrassing amount of time looking at BIFF format in a hex editor, trust me it's nothing special
A 🧵 I wanted to share one of my more recent successful red team campaigns so others can test & tabletop
The client, like many others recently, implemented an approved internal AI interface for code questions and searches
This was essentially a wrapped chatGPT UI + file search
The site was 3rd-party developed and had several implementations before rolling out in stages to all departments
For this scenario the goal was to compromise a separate dev and finance team with limited access in order to gain access to the production environment and financials
The attack first created a spoofed Google cloud and email to appear similar to the 3rd party company who used this service.
At this point a spoofed email was sent to several junior developers and low level HR people on the target teams posing as the AI portal dev team.
It's 11pm and the VC bros next to me are starting a company and are gonna roll out WordPress as their CRM, and they think they can manage it themselves with a Microsoft Azure cloud and MongoDB. None of them have admin experience
💀💀💀💀
This is at a hotel bar
They are in the carbon footprint reduction industry, I have no clue wtaf that involves but it sounds like a lot of cold calling and selling people materials from what I heard
Guys, they are discussing WordPress security and how one of their previous companies had to wipe everything "because a baddie broke their WordPress and shit"
Are these your sandboxes leaking out information that allows attackers to visibly fingerprint your environment and evade analysis?
This 🧵 is a deep dive into this method and why I find it relatively primitive yet elegant & efficient as a sandbox system bypass.
For those with watchful eyes, they might have noticed the leaked information in the above screenshot is in XML format and covers the entire system settings.
How many settings? 118,000 bytes' worth, detailing everything from hardware, firmware, BIOS, manufacturers, PNP devices, printers etc.
This information comes from Microsoft Windows System Assessment Tool aka WinSAT. It has been implemented since Windows Vista and can be read all about here:
PSA In the last week I have seen 3 examples of a relatively new strategy targeting telcos & iPhones of victims
With the increased measures against SIM Swapping, it seems attackers are switching over to 2 other methods to compromise phones
- Call Forwarding
- Parental Tools
Both attacks are similar in that attackers (likely related to Lazarus) are either social engineering telcos or using an insider at these companies to conduct these attacks.
In all of these cases it was leading up to ATO of iCloud and/or password managers
The call forwarding attack is relatively straightforward:
The attacker calls the telco and social engineers the operator to convince the agent to switch a line to call forwarding because of a vacation.
The attacker then forwards the number to a VoIP number they control