1
00:00:00,240 --> 00:00:02,520
Embedding malware into documents.

2
00:00:03,720 --> 00:00:09,120
It's very common for malicious software to be embedded in a widely used document, such as a PDF or

3
00:00:09,120 --> 00:00:09,990
Office document.

4
00:00:10,320 --> 00:00:15,840
Let's look and see what Metasploit Framework has for this purpose in the MSF shell.

5
00:00:16,320 --> 00:00:19,410
And you already know how to open the MSF shell.

6
00:00:19,830 --> 00:00:23,250
Simply type msfconsole in the terminal screen of Kali.

7
00:00:23,460 --> 00:00:28,980
If you search for Adobe and PDF, you will see that Metasploit Framework has two exploits to embed

8
00:00:28,980 --> 00:00:30,660
malware into a PDF file.

9
00:00:31,260 --> 00:00:37,320
And thankfully, the ranks of the exploits are excellent, which means they should be very good and

10
00:00:37,320 --> 00:00:39,630
stable in ideal circumstances.

11
00:00:40,050 --> 00:00:44,370
Of course, you need an appropriate payload for the exploit.

12
00:00:45,890 --> 00:00:51,620
When you look at the options of the exploit using the show options command, you see that the target of

13
00:00:51,620 --> 00:00:57,830
the exploit is Adobe Reader version 8 or 9, running on Windows XP, Vista or 7.

14
00:00:58,370 --> 00:01:00,890
When you gather information about the target company,

15
00:01:01,250 --> 00:01:07,100
you probably find this information: which operating systems are used, which readers are preferred,

16
00:01:07,430 --> 00:01:09,590
which versions are used, etc.

17
00:01:10,670 --> 00:01:15,890
Suppose that you don't have any clue which operating systems and/or readers are used in this

18
00:01:15,890 --> 00:01:18,620
company. Still, isn't it worth a try?

19
00:01:19,580 --> 00:01:20,810
Now the question is:

20
00:01:21,470 --> 00:01:27,710
Can you find any device running an old version of the operating system and an old version of the reader?

21
00:01:28,250 --> 00:01:29,360
The answer is: of course.

22
00:01:30,260 --> 00:01:33,080
Do you remember the WannaCry ransomware attacks?

23
00:01:33,590 --> 00:01:40,670
The attack affected more than 300,000 computers across 150 countries, including the UK's NHS health

24
00:01:40,670 --> 00:01:41,240
systems.

25
00:01:42,570 --> 00:01:48,420
The malware was using a vulnerability for which Microsoft had already released a patch two months

26
00:01:48,420 --> 00:01:55,260
before the WannaCry attack, but the attack affected hundreds of thousands of computers because they

27
00:01:55,260 --> 00:01:57,480
are always out of date.

28
00:01:58,820 --> 00:02:04,130
If you could find a few machines that fit these conditions, it might be enough for you to hack the

29
00:02:04,130 --> 00:02:05,270
entire company.

30
00:02:06,500 --> 00:02:08,180
The next step is to set the options.

31
00:02:10,020 --> 00:02:13,260
Set the template PDF file in INFILENAME.

32
00:02:13,800 --> 00:02:19,830
If you don't, Metasploit Framework will use its own template. Set the output PDF file name in

33
00:02:19,830 --> 00:02:20,190
FILENAME.

34
00:02:20,760 --> 00:02:25,350
If you don't, Metasploit Framework will name it evil.pdf.

35
00:02:26,160 --> 00:02:31,380
Now, set the options of the payload you choose. If you choose a reverse HTTPS Meterpreter payload

36
00:02:31,380 --> 00:02:37,290
like me, set the IP address of the listener in LHOST, and set the listener port

37
00:02:37,290 --> 00:02:43,140
in LPORT if you don't want to use the default one. When you're finished setting your options,

38
00:02:44,500 --> 00:02:47,740
you can use the exploit or run commands to generate the file.

39
00:02:48,370 --> 00:02:50,890
Now you must bring the file and computer users,

40
00:02:51,190 --> 00:02:55,480
I mean, victims, together: send the file in a phishing email.

41
00:02:55,960 --> 00:02:58,690
Copy the file onto flash drives and give them as gifts.

42
00:02:59,230 --> 00:03:02,980
Write the file to CDs and spread them in the company, if you can.

43
00:03:03,290 --> 00:03:04,120
Etc.

44
00:03:05,650 --> 00:03:12,580
By merging a malicious PDF with another arbitrary PDF file, you can make it more difficult for antiviruses

45
00:03:12,580 --> 00:03:21,610
to recognize it. In the first picture, a windows/meterpreter/reverse_tcp payload

46
00:03:21,610 --> 00:03:25,990
embedded PDF file is scanned on VirusTotal.com.

47
00:03:26,290 --> 00:03:33,490
No obfuscation or customization was performed, so 30 of 47 antivirus programs detected it. In the second

48
00:03:33,490 --> 00:03:33,760
picture,

49
00:03:33,760 --> 00:03:42,250
a custom payload using the windows/meterpreter/reverse_https payload of Metasploit

50
00:03:42,520 --> 00:03:45,850
was created by Veil and embedded into the PDF file.

51
00:03:46,180 --> 00:03:52,060
17 of 47 antivirus programs detected the malware. In the third picture,

52
00:03:52,600 --> 00:03:57,340
the document used in the second picture was merged with a clean PDF file.

53
00:03:58,090 --> 00:04:04,450
This time, only 10 of 47 antivirus programs detected the malware.