1 00:00:00,630 --> 00:00:07,080 Just like embedding malicious code into a PDF file, you can easily embed malicious macro code into
2 00:00:07,080 --> 00:00:09,720 an MS Office document such as MS Word.
3 00:00:10,720 --> 00:00:16,630 To create a malicious Word document, we should prepare a macro code and the payload, which is used
4 00:00:16,630 --> 00:00:17,500 by the macro.
5 00:00:20,730 --> 00:00:27,450 Let's prepare a malicious Word document using the Metasploit Framework and Veil framework. The steps
6 00:00:27,450 --> 00:00:28,950 of this example will be:
7 00:00:29,980 --> 00:00:37,150 Creating a malicious executable, converting the malware into a macro code which is ready to be embedded
8 00:00:37,150 --> 00:00:38,380 into an Office document.
9 00:00:39,540 --> 00:00:41,190 Creating the Office document.
10 00:00:42,360 --> 00:00:50,880 Embedding the script code as a macro and concatenating the payload as text, starting a listener to
11 00:00:50,880 --> 00:00:54,570 listen to the sessions of the victims who opened the Office document.
12 00:00:55,640 --> 00:00:57,500 Opening the document as a victim.
13 00:00:59,660 --> 00:01:02,060 Collecting the session as the attacker.
14 00:01:02,720 --> 00:01:06,650 Now let's do it. First, create a malicious executable using Veil.
15 00:01:06,800 --> 00:01:09,680 I'll take it faster now because we've already done this before.
16 00:01:10,250 --> 00:01:16,850 Remember, please refer to our Creating Custom Payloads with Veil lecture. Choose list in the main menu,
17 00:01:17,480 --> 00:01:17,900 type
18 00:01:17,900 --> 00:01:22,370 use 1 to use the Evasion tool, type list to list available payloads.
19 00:01:23,150 --> 00:01:24,740 Let's use payload 27.
20 00:01:25,780 --> 00:01:28,090 Setting the listener host is enough at the minimum.
21 00:01:34,830 --> 00:01:38,790 And generate. Give the name initials for the output files.
22 00:01:40,640 --> 00:01:42,980 Choose the executable creation method.
23 00:01:52,180 --> 00:01:55,510 OK, the malicious executable is created.
24 00:01:56,590 --> 00:02:01,570 Let's test our malware to see if it's working. Transfer the file to the victim machine.
25 00:02:02,140 --> 00:02:04,770 Now here I have a Windows 8 system as victim.
26 00:02:05,350 --> 00:02:08,710 I'm going to use WinSCP to transfer the file.
27 00:02:09,220 --> 00:02:12,010 And of course, we have to find a reasonable way to do it.
28 00:02:12,400 --> 00:02:14,820 Phishing, malicious website visit, et cetera.
29 00:02:16,070 --> 00:02:19,750 Copy the malware into the SSA; choose your home folder for ease of use.
30 00:02:27,920 --> 00:02:29,690 Run WinSCP.
31 00:02:33,430 --> 00:02:34,930 Connect to the Kali machine.
32 00:02:45,380 --> 00:02:47,720 And transfer the file to the Windows desktop.
33 00:02:59,590 --> 00:03:06,970 Start a handler to collect the session. Go to Kali and start msfconsole with the -r parameter
34 00:03:07,300 --> 00:03:09,760 and use the .rc file produced by Veil.
35 00:03:20,490 --> 00:03:22,380 Handler started in the background.
36 00:03:23,440 --> 00:03:30,130 With the sessions -l command, we see that no session is in progress at the moment. Run the malicious
37 00:03:30,130 --> 00:03:35,380 executable in the Windows system. We now have a valid session on the Windows system.
38 00:03:35,950 --> 00:03:40,660 Use the sessions -i <session ID> command to interact with the session.
39 00:03:42,220 --> 00:03:44,710 Our malware is working like a charm.
40 00:03:45,920 --> 00:03:50,600 Now, let's kill the session for now, because this was just a test of whether the malware is working well.
41 00:03:51,630 --> 00:03:56,100 sessions -K, uppercase K, will kill all the open sessions.
42 00:03:57,320 --> 00:04:01,230 Now we'll create a Visual Basic script using our malicious executable file.
43 00:04:02,000 --> 00:04:08,810 We're in the Kali machine, so find the location of the exe2vba script using the locate command in
44 00:04:08,810 --> 00:04:09,260 Linux.
45 00:04:16,380 --> 00:04:17,400 Go to the folder.
46 00:04:23,670 --> 00:04:29,550 And run the exe2vba Ruby script. The script needs two parameters to run.
47 00:04:31,970 --> 00:04:36,920 First, the malicious executable with full path, which will be converted to a macro code.
48 00:04:41,940 --> 00:04:44,400 Second, the name of the output file.
49 00:04:56,660 --> 00:05:04,370 The script is created. Now is the time to create the malware-embedded Word document. Go to the Windows
50 00:05:04,370 --> 00:05:10,850 machine, which is the system of the victim, and transfer the macro file using WinSCP.
51 00:05:12,640 --> 00:05:19,060 Let's open the .vba file using a notepad. I'm using Notepad++ for this purpose because
52 00:05:19,060 --> 00:05:26,110 the .vba file is a bit big and Notepad++ has much better memory management than the native
53 00:05:26,110 --> 00:05:27,940 Notepad application in Windows.
54 00:05:29,780 --> 00:05:32,170 There are two parts in the .vba file.
55 00:05:32,720 --> 00:05:38,570 The first part is the macro code, the second part is the payload that will be used by the macro to create
56 00:05:38,570 --> 00:05:39,980 the Meterpreter session.
57 00:05:41,660 --> 00:05:47,870 Now, start MS Word and create a new Word document. By the way, do you wonder why I use Windows
58 00:05:47,870 --> 00:05:49,310 8 and Office 2013?
59 00:05:49,940 --> 00:05:52,700 Because I have their licenses and no others.
60 00:06:01,160 --> 00:06:09,560 Create a macro: under the View tab, select Macros, View Macros, give a name and click the Create button.
61 00:06:11,330 --> 00:06:17,310 I'm using the Word application of Office 2013. If you use a different version, your menus might differ.
62 00:06:17,810 --> 00:06:19,850 Please Google it to find the location.
63 00:06:20,880 --> 00:06:27,210 Open our .vba file, copy the macro code part and paste it into the macro code page.
64 00:06:34,480 --> 00:06:36,490 Save the changes and close the page.
65 00:06:37,430 --> 00:06:41,270 And we have malicious macro code inside the document.
66 00:06:42,360 --> 00:06:45,000 Now, we still have to embed the payload into the document.
67 00:06:50,950 --> 00:06:54,550 Go to the .vba file, copy the payload data part.
68 00:07:05,730 --> 00:07:11,530 And paste it into the Word document. We have quite a big payload, and I confess it's bigger than I expected.
69 00:07:11,940 --> 00:07:18,060 This is because we used Veil to create a custom malware and we chose Meterpreter, which is a complex
70 00:07:18,060 --> 00:07:18,290 one.
71 00:07:19,140 --> 00:07:20,770 Wait until the paste is finished.
72 00:07:20,790 --> 00:07:22,880 It could take 15 to 20 seconds.
73 00:07:24,200 --> 00:07:26,480 To make the document seem like a regular document,
74 00:07:30,520 --> 00:07:33,520 you can shrink the font size, for example, make it 1.
75 00:07:38,340 --> 00:07:41,640 And you can make the font color of the payload white.
76 00:07:44,710 --> 00:07:45,880 Then save the file.
77 00:07:55,090 --> 00:07:59,500 To succeed in this attack, the MS Word application has to be configured to run macro code.
78 00:07:59,950 --> 00:08:07,090 In MS Word, all macros are disabled by default, so you have to convince the victim to enable the macros
79 00:08:07,090 --> 00:08:07,590 as well.
80 00:08:08,980 --> 00:08:11,290 In the File menu, select Options.
81 00:08:12,460 --> 00:08:21,370 Select Trust Center, click the Trust Center Settings button and tick the Enable all macros option, click
82 00:08:21,370 --> 00:08:23,330 OK at the lower right corner.
83 00:08:23,830 --> 00:08:26,440 Now we have a macro-enabled MS Word.
84 00:08:30,080 --> 00:08:32,150 Be sure the handler is running at the moment.
85 00:08:35,610 --> 00:08:40,470 Open the Word document we created. It may take some time because the document is a big one.
86 00:08:52,570 --> 00:08:53,590 Wait a few seconds.
87 00:09:00,090 --> 00:09:02,310 You have a new session for the victim's system.
88 00:09:04,040 --> 00:09:05,330 Congratulations.