This is a rich-featured Visual Basic macro code for use during Penetration Testing assignments, implementing various advanced post-exploitation techniques like sandbox evasion, WMI persistence and page substitution. Intended to be able to infect both Windows and Mac OS X Office platforms by implementing platform-detection logic.
Created to make it possibly to simply Paste Payload then Copy & Paste entire macro into phished document.
For list of example Macro generation and usage scenarios one can check out author's gist here:
This is a skeleton code for the malicious Macro that could be used during Penetration Testing assignments (or for education purposes), in order to embed it within Phishing documents as a Microsoft Office macro.
There are following features implemented:
- Platform detection logic (Windows/MacOS X) - All the penetration tester has to do, is to generate both Windows and Mac OS X commands and put them into appropriate macro's functions:
WindowsMalware()
andMacMalware()
- Sandbox detection (Windows) - allowing to exit macro when being scanned
- WMI Subscription persistence (Windows) - allowing to survive system restart
- Social Engineering trick by shape removing - for hiding fake "Enable Content" warning.
- Supporting both MSWORD and EXCEL startup routines
One should definitely feed this script into some kind of Visual Basic obfuscator, like the author's one: VisualBasicObfuscator
The macro's code has been built up from other author's building blocks:
The most essential configuration here is filling up functions like MalwareWindows()
and MalwareMac()
.
One can for instance leverage Empire stager's functionality and obtain two payloads - for:
windows/macro
osx/macro
Then one have to put this way generated macros into aforementioned Malware*()
functions. The penetration tester also can use buil-in primitives like:
ExecuteCommand(command)
ExecuteCommandAndPersist command, startupTaskName
For instance, such modifications to the script could look like:
Private Sub WindowsMalware()
[...]
str = "powershell -noP -sta -w 1 -enc ABCDEFGHIJKLMNOPQ"
str = str + "ABCDEFGHIJKLMNOPQRSTUWXYZ0123456789"
' Rest of the powershell command cut for brevity
' [...]
str = str + "ABCDEFGHIJKLMNOPQRSTUWXYZ0123456789"
ExecuteCommandAndPersist str, ""
End Sub
Private Sub MacMalware()
[...]
cmd = "abcdefghijlmnopqrstuxwyz012345678990"
cmd = cmd + "abcdefghijlmnopqrstuxwyz012345678990"
' Rest of bash command cut for brevity
' [...]
cmd = cmd + "abcdefghijlmnopqrstuxwyz012345678990"
Dim fullCommand As String
fullCommand = "echo ""import sys,base64;exec(base64.b64decode(\"" " & cmd & " \""));"" | python &"
ExecuteCommandAndPersist fullCommand, ""
Also, there are Const
options documented within code's CONFIGURATION section that are self-explanatory and left to be reviewed by the user.
In order to leverage this feature, one has to prepare a fake "Enable Content" warning message like for instance Microsoft Office compatibility issues, AV scanned flag or something imaginary, and then to create a shape consisting of TextBox (via INSERT -> Shapes... -> TextBox). Then cover the document with this shape. Having that, one has to rename that shape using the path:
(Ribbon -> HOME -> Editing -> Select... -> Selection Pane -> give it a name, like "**warning-div**")
After that, the shape can be further modified to be floating and cover up entire document by clicking:
Right click on shape -> Move selected shape -> then setting up Position and Size to 100%, Left-Top aligned.
Among various Social Engineering shapes that could be used - two of them had been attached to this repository:
- Add OpenOffice platform detection and autorun logic (
OnOpen
), then modify OS detection if's to supportgetGUItype
method offered by OpenOffice. - Add document layout switching functionality, like the original page subsitute function did.
- Implement host reconnaissance and situation exfil functionality
- Refactor the code to make it a bit less detectable by AVs
- Add architecture bitness detection logic and specific payload usage
Add macOS related function for platform indepency- Add macOS X persistence functionality (
MacPersistence()
) in form of for instance per-user LaunchAgents PLIST - Prepare builder-script customizing script's backbone as needed by user and offering instant obfuscation
- Add more Sandbox evasion and avoidance techniques, as documented in pafishmacro, here, here and here
- The routine:
DeleteWarningShape
doesn't support Excel sheets at the moment (ActiveWorkbook
)
The author of this code is not taking any responsibilities of any illegal usage of it. The code had been created solely for Penetration Testing purposes.
This and other projects are outcome of sleepless nights and plenty of hard work. If you like what I do and appreciate that I always give back to the community, Consider buying me a coffee (or better a beer) just to say thank you! 💪
Mariusz Banach / mgeeky, '17
<mb [at] binary-offensive.com>
(https://github.com/mgeeky)