Infected Windows Systems using Malicious Macros

In this article we explore a total of 6 tools that can craft, encrypt and deliver malicious Macros to exploit a Windows machine.

What are Macros?

Suppose you are working with an Excel or Word file and have a repetitive task that you wish could be automated without your intervention. This was exactly the problem faced by users of the newly built Microsoft Office, and Microsoft's solution was what we now know as Macros. Macros are essentially Visual Basic scripts that can be written and shared, and that run in the background without the user's knowledge (if macros are enabled).

Why are Macros Dangerous?

Now that you know what macros are in a nutshell, it is not hard to see that scripts which run in the background and can be crafted, altered and shared are bound to be used as a way to exploit machines. The attacker generates a harmless-looking Microsoft Office file, opens the Macro editor and writes a script that opens a session from the target user's machine back to the attacker. The basic flow is the same for almost all tools, but the techniques each tool uses in the background differ considerably.


Empire

To use Empire on Kali Linux, we need to install the Empire Framework on the attacker machine. This is a pretty simple process; if you run into trouble, refer to this article. After a successful installation, we fire up the framework and check for active listeners using the “listeners” command. As we can see, no listeners were running, so we create one: an HTTP listener. Next we create a stager for the listener we just created. As our demonstration is based on Macros, we use the macro stager. We link the listener to the stager and execute the config. This creates a stager at “/tmp/macro”.

Moving on to the target machine: since this demonstration is done in a lab environment, the following steps are easy to carry out. We take a normal Excel file and enter some data into it. Then we click on the “VIEW” tab and select the Macros option.

Clicking on Macros opens a small window as depicted in the image below. Here we are asked for a name for the Macro; this can be anything you want. After entering the name, click the Create button to get started.

We now have a blank module in which we can draft a Macro. We go back to our Kali machine, copy the code generated by Empire and paste the contents of that macro file into the blank module, as shown in the image below.

After pasting the code, we choose the Save As option from the menu. In the window that opens, we name the file and choose Excel Macro-Enabled Workbook as the file type, as shown in the image below. We click the Save button after filling in the necessary details.

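An added, defender-side example, not code from the original article: a PowerShell function that inspects an Office OOXML file (such as the Macro-Enabled Workbook saved above) for an embedded VBA project, which is how a triage script or mail gateway would spot such a document before it reaches a user. The share path in the usage line is hypothetical.

```powershell
# Added example (not from the original article): flag Office OOXML files that
# carry a VBA project, e.g. an "Excel Macro-Enabled Workbook" (.xlsm).
# Assumes Windows PowerShell 5.1+ with the .NET System.IO.Compression assembly.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-OfficeVbaProject {
    param([Parameter(Mandatory)][string]$Path)

    $result = [ordered]@{
        Path = $Path; HasVbaProject = $false
        Extension = [IO.Path]::GetExtension($Path).ToLower(); Note = ''
    }
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        try {
            # OOXML stores macros as xl/, word/ or ppt/vbaProject.bin inside the zip
            $vba = $zip.Entries | Where-Object { $_.FullName -match '^(xl|word|ppt)/vbaProject\.bin$' }
            $result.HasVbaProject = [bool]$vba
            # A VBA project inside a non macro-enabled extension (renamed file)
            # is a stronger signal than a plain .xlsm/.docm/.pptm
            if ($vba -and $result.Extension -notin '.xlsm','.xltm','.docm','.dotm','.pptm') {
                $result.Note = 'VBA project in a non macro-enabled extension'
            }
        } finally { $zip.Dispose() }
    } catch {
        # Legacy binary formats (.xls/.doc) are OLE2, not zip, and need a different parser
        $result.Note = "Not an OOXML zip: $($_.Exception.Message)"
    }
    [pscustomobject]$result
}

# Usage: triage every Office document under a (hypothetical) incoming share
Get-ChildItem -Path 'C:\Shares\Incoming' -Recurse -Include *.xls*,*.doc*,*.ppt* |
    ForEach-Object { Test-OfficeVbaProject -Path $_.FullName } |
    Where-Object HasVbaProject | Format-Table -AutoSize
```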
In earlier days this was all that was needed. But seeing the rise in Macro-related attacks in ordinary office environments, Microsoft has added more verification on the user end to stop some of these attacks. Now we open a new Excel Workbook, choose the “File” tab and click the Options section, as shown in the image below.

Clicking the Options section opens a small window, as shown in the image below. In the left-hand menu of this window there is a section called Trust Center. We open it to find privacy and security related settings. Here we have a subsection called “Microsoft Excel Trust Center”; we open its settings by clicking the “Trust Center Settings” button.

This opens another window with a section called Macro Settings. We click on it. It lists a total of 4 Macro policies, each against a radio button. “Disable all macros with notification” is selected by default. We change it to “Enable all macros” and close the window.

Now we open the Workbook with the malicious macro injected into it. It opens without any hindrance, warnings or prompts. Back on our attacker machine, we check Empire and find that one of our agents is active. We use the agents command to take a look and see the agent listed. We then access the agent using the interact command. This is the procedure to follow to exploit a target using the combination of Empire and Macros.

Magic Unicorn

It's time to check another tool that can help compromise the target using macros. For this practical we use the Unicorn tool; for a more detailed guide on Unicorn, check out this guide. Payload creation in Unicorn is quite simple. We state the payload as we would when crafting a payload with MSFvenom, then provide the IP address and port at which the session will be generated, and add the macro keyword, as depicted below.

When we move back to our attacker machine, we see that our payload has generated a meterpreter shell on the target machine. We can access this meterpreter session using the sessions command followed by the session id, as shown in the image below.

Mitigations

  • Microsoft Office Macros should be disabled across the organization.
  • Enable the feature that blocks macros in documents that originate from the internet (Office 2016, Office 365).
  • If the use of macros is unavoidable, enable them only for the users or groups that absolutely need the macro capabilities.
  • Allowing only signed macros can also reduce the number of attacks that could succeed.
  • Use the Trusted Locations feature of the Microsoft Office Trust Center. This means only the settings configured for the Trusted Location will be in effect, regardless of the local configuration.

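As an added, defender-side example that is not part of the original article: a PowerShell audit of the per-user Trust Center macro settings that the Empire walkthrough switched to “Enable all macros”, plus a function that enforces the signed-only and block-from-internet mitigations listed above. It assumes Office 2016/365 (registry version 16.0) and that the policy keys are the ones the Office Group Policy templates write; in production these settings are delivered by domain GPO rather than a local script.

```powershell
# Added example (not from the original article): audit, and optionally enforce,
# the Trust Center macro settings for the current user.
# Assumes Office 2016/365 (registry version "16.0"); adjust $OfficeVersion otherwise.
$OfficeVersion = '16.0'
$Apps = 'Excel', 'Word', 'PowerPoint'

# VBAWarnings values used by Office: 1 = Enable all macros, 2 = Disable with notification,
# 3 = Disable all except digitally signed, 4 = Disable all without notification
$VbaWarningsText = @{ 1 = 'Enable all macros (dangerous)'; 2 = 'Disable with notification'
                      3 = 'Disable except digitally signed'; 4 = 'Disable without notification' }

function Get-MacroSecurityReport {
    foreach ($app in $Apps) {
        $userKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security"
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $warn  = (Get-ItemProperty -Path $userKey   -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $pWarn = (Get-ItemProperty -Path $policyKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $block = (Get-ItemProperty -Path $policyKey -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        # A policy value overrides the user's Trust Center choice; unset means the default (2)
        $effective = if ($null -ne $pWarn) { $pWarn } elseif ($null -ne $warn) { $warn } else { 2 }
        [pscustomobject]@{
            App                 = $app
            MacroSetting        = $VbaWarningsText[[int]$effective]
            SetByPolicy         = $null -ne $pWarn
            BlockInternetMacros = ($block -eq 1)
            Weak                = ($effective -eq 1) -or ($block -ne 1)
        }
    }
}

function Set-MacroHardening {
    # Enforce "Disable all except digitally signed" and block internet-origin macros via policy keys
    foreach ($app in $Apps) {
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        New-Item -Path $policyKey -Force | Out-Null
        Set-ItemProperty -Path $policyKey -Name VBAWarnings -Value 3 -Type DWord
        Set-ItemProperty -Path $policyKey -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
    }
}

Get-MacroSecurityReport | Format-Table -AutoSize
# Set-MacroHardening   # uncomment to apply locally; prefer domain GPO for fleet-wide rollout
```

A row with MacroSetting “Enable all macros (dangerous)” and SetByPolicy False is the state the walkthrough above left the lab machine in, and is worth alerting on from endpoint telemetry.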