Embedding malware into documents.

It's very common for malicious software to be embedded in a widely used document such as a PDF or Office document. Let's look and see what the Metasploit Framework has for this purpose in the MSF shell. You already know how to open the MSF shell: simply type msfconsole in the terminal screen of Kali. If you search for the words Adobe and PDF, you see that the Metasploit Framework has two exploits to embed malware into a PDF file. And thankfully the ranks of the exploits are excellent, which means they will work very well and stably in the ideal circumstances. Of course, you need an appropriate payload for the exploit.

When you look at the options of the exploit using the show options command, you see that the target of the exploit is Adobe Reader version eight or nine, running on Windows XP, Vista or 7. When you gather information about the target company, you probably find this information: which operating systems are used, which readers are preferred, which versions are used, et cetera. Suppose that you don't have any clue which operating systems and/or readers are used in this company. Still, isn't it worth it to try? Now here is the question: can you find any device running an old version of an operating system and an old version of the reader? The answer is, of course.
Do you remember the WannaCry ransomware attacks? The attack affected more than 300,000 computers across 150 countries, including the UK's NHS health systems. The malware was using a vulnerability for which Microsoft had already released a patch two months before the WannaCry attack, but the attack affected hundreds of thousands of computers because they are always out of date. If you could find a few machines that fit these conditions, it might be enough for you to hack the entire company.

The next step is to set the options. Set the template PDF file in INFILENAME; if you don't, the Metasploit Framework will use its own template. Set the output PDF file name in FILENAME; if you don't, the Metasploit Framework will name it evil.pdf. Now set the options of the payload you choose. If you choose the reverse HTTPS Meterpreter payload like me, set the IP address of the listener, LHOST, and set the listener port, LPORT, if you don't want to use the default one. When you're finished setting your options, you can use the exploit or run commands to generate the file. Now you must bring the file and computer users, I mean victims, together: send the file in a phishing email, copy the file onto flash drives and give them as gifts, write the file onto CDs and spread them in the company if you can, etc.
By merging a malicious PDF with another arbitrary PDF file, you can make it more difficult for antiviruses to recognize it. In the first picture, a windows/meterpreter/reverse_tcp payload embedded in a PDF file is scanned on virustotal.com. No obfuscation or customization was performed, so 30 of 47 antivirus programs detected it. In the second picture, a custom payload using the windows/meterpreter/reverse_https payload of Metasploit was created by Veil and embedded into the PDF file. 17 of 47 antivirus programs detected the malware. In the third picture, the document used in the second picture was merged with a clean PDF file. This time, only 10 of 47 antivirus programs detected the malware.