Malicious Macros

    In order to defend against attacks, you have to understand the attack vectors and weigh the risks.  A meterpreter shell generated into an .exe file with msfvenom won't make it through email and if it somehow did manage to make its way to a desktop, it would immediately get gobbled up by the antivirus software.  I know this for a fact because I've generated said payload and dropped it onto a desktop.  I'm not worried about .exe files.  On the other hand, I consider Microsoft Office documents a potential risk.  

    I can block .exe files but I cannot block Microsoft Office documents without angering the masses.  With that in mind, what's the exposure?  Depends on the users, no?  The sender is also a factor. 

    If a Nigerian Prince sends an Excel doc with Macros, I'm confident that most, if not all, of the users will think twice.  But if someone spoofs an email from the CEO, we've ventured into different territory.  

    There are a number of ways to go about creating such a document but Magic Unicorn makes it (too?) easy.  

    First, we generate our macro payload:

    The generated payload is in the text file. 

    Depending on how you edit this file, you might not get the entire contents of this file.  Easiest thing to do is "cat" the file.  Make sure you grab the "End Sub" which ends up behind the prompt.

    Enable the "Developer" menu item on Excel.  

    We're going to create a Macro with the name "Auto_Open".

    Remove any text from the empty macro and dump the contents of powershell_attack.txt into the body.  

    Because I started with an xlsx file, I'm receiving the above message.  We're going to select No and....

    ... we're going to save as a .xlsm file.  Now we're going to email, drop, or whatever, to get this file to our victim machine.

    Next, we're going to launch the document on our victim machine:

    Unless you live in a vacuum, you've seen the above message.  It's so ubiquitous that I doubt this raises any warning flags whatsoever.  

    Conversely, this macro message raises all sorts of flags with me.  But in the context of a message coming from the CEO, would this get clicked???

    The real beauty of generating this in Magic Unicorn is this message above.  I don't know if you were paying attention but this message was part of our macro.   Not that you couldn't do this on your own but it was a really nice touch. 

    Moving on -- the document is opened, the macros are enabled, and the document crashes with this warning message.  Behind the scenes, a meterpreter shell....

    This is a fully patched Windows 7 machine with current and updated anti-virus.  

    Naysayers will argue that they, or their users, wouldn't fall for this vector.  I would first point out that Magic Unicorn wouldn't exist if this wasn't a solid attack vector.  I would also point out that circumstances are everything.  If I dropped a handful of thumb drives in the parking lot, or in the lobby, with an Excel spreadsheet with one of the following titles...


    ... what's my success rate? 

    I like my odds.  

    © 2020