1
00:00:00,600 --> 00:00:07,050
Just like embedding malicious code into a PDF file, you can easily embed malicious macro code into

2
00:00:07,050 --> 00:00:09,690
an MS Office document, such as Word.

3
00:00:10,720 --> 00:00:16,600
To create a malicious Word document, we should prepare the macro code and the payload, which is used

4
00:00:16,600 --> 00:00:17,470
by the macro.

5
00:00:20,730 --> 00:00:27,420
Let's prepare a malicious Word document using the Metasploit Framework and Veil Framework. The steps

6
00:00:27,420 --> 00:00:28,950
of this example will be:

7
00:00:29,980 --> 00:00:37,120
Creating a malicious executable; converting the malware into macro code which is ready to be embedded

8
00:00:37,120 --> 00:00:38,320
into an Office document.

9
00:00:39,540 --> 00:00:41,160
Creating the Office document.

10
00:00:42,390 --> 00:00:50,850
Embedding the script code as a macro and concatenating the payload as text; starting a listener to

11
00:00:50,850 --> 00:00:54,570
listen for the sessions of the victims who open the Office document.

12
00:00:55,670 --> 00:00:57,530
Opening the document as a victim.

13
00:00:59,690 --> 00:01:06,290
Collecting the session as the attacker. Now let's do it. First, create a malicious executable using

14
00:01:06,290 --> 00:01:06,650
Veil.

15
00:01:06,830 --> 00:01:09,680
I'll take it faster now because we've already done this before.

16
00:01:10,100 --> 00:01:14,390
To remember, please refer to our Creating Custom Payloads with Veil lecture.

17
00:01:15,350 --> 00:01:17,850
Choose list in the main menu. Type

18
00:01:17,870 --> 00:01:22,340
use 1 to use the Evasion tool. Type list to list available payloads.

19
00:01:23,150 --> 00:01:24,680
Let's use payload 27.

20
00:01:25,810 --> 00:01:28,060
Setting the listener host is enough at the minimum.

21
00:01:34,860 --> 00:01:38,760
And generate. Give the name initials for the output files.

22
00:01:40,610 --> 00:01:42,950
Choose the executable creation method.
23
00:01:52,240 --> 00:01:52,780
OK.

24
00:01:53,260 --> 00:01:55,450
The malicious executable is created.

25
00:01:56,620 --> 00:01:58,960
Let's test our malware to see if it's working.

26
00:01:59,440 --> 00:02:02,590
Transfer the file to the victim machine. Here,

27
00:02:02,590 --> 00:02:08,690
I have a Windows 8 system as the victim. I'm going to use WinSCP as a tool to transfer the file.

28
00:02:09,250 --> 00:02:11,980
And of course, we have to find a reasonable way to do it.

29
00:02:12,370 --> 00:02:14,800
Phishing, a malicious website visit, etc.

30
00:02:16,070 --> 00:02:19,730
Copy the malware somewhere WinSCP can reach; choose your home folder for ease of use.

31
00:02:27,920 --> 00:02:29,660
Run WinSCP.

32
00:02:33,430 --> 00:02:34,930
Connect to the Kali machine.

33
00:02:45,410 --> 00:02:47,660
And transfer the file to the Windows desktop.

34
00:02:59,590 --> 00:03:01,660
Start a handler to collect the session.

35
00:03:02,620 --> 00:03:09,760
Go to Kali and start msfconsole with the -r parameter and use the .rc file produced by Veil.

36
00:03:20,520 --> 00:03:22,380
The handler started in the background.

37
00:03:23,440 --> 00:03:28,390
With the sessions -l command, we see that no session is in progress at the moment.

38
00:03:29,110 --> 00:03:31,930
Run the malicious executable in the Windows system.

39
00:03:32,380 --> 00:03:35,350
We now have a valid session on the Windows system.

40
00:03:35,950 --> 00:03:40,660
Use the sessions -i <session ID> command to interact with the session.

41
00:03:42,250 --> 00:03:44,680
Our malware is working like a charm.

42
00:03:45,920 --> 00:03:50,600
Now let's kill the session, because this was just a test of whether the malware is working well.

43
00:03:51,630 --> 00:03:56,070
sessions -K (uppercase K) will kill all the open sessions.

44
00:03:57,320 --> 00:04:01,220
Now we'll create a Visual Basic script using our malicious executable file.
45
00:04:02,000 --> 00:04:08,780
We're in the Kali machine, so find the location of the exe2vba script using the locate command in

46
00:04:08,780 --> 00:04:09,200
Linux.

47
00:04:16,410 --> 00:04:17,400
Go to the folder.

48
00:04:23,670 --> 00:04:26,460
And run exe2vba, a Ruby script.

49
00:04:27,270 --> 00:04:29,550
The script needs two parameters to run.

50
00:04:31,940 --> 00:04:36,860
First, the malicious executable with full path, which will be converted to macro code.

51
00:04:41,970 --> 00:04:44,370
Second, the name of the output file.

52
00:04:56,660 --> 00:05:02,510
The script is created. Now is the time to create the malware-embedded Word document.

53
00:05:03,350 --> 00:05:10,070
Go to the Windows machine, which is the system of the victim, and transfer the macro file using

54
00:05:10,070 --> 00:05:10,850
WinSCP.

55
00:05:12,640 --> 00:05:15,430
Let's open the .vba file using a notepad.

56
00:05:15,880 --> 00:05:23,110
I'm using Notepad++ for this purpose because the .vba file is a bit big and Notepad++

57
00:05:23,110 --> 00:05:27,910
has much better memory management than the native Notepad application in Windows.

58
00:05:29,780 --> 00:05:32,180
There are two parts in the .vba file.

59
00:05:32,690 --> 00:05:34,070
The first part is the macro code.

60
00:05:34,850 --> 00:05:39,950
The second part is the payload that will be used by the macro to create the Meterpreter session.

61
00:05:41,690 --> 00:05:47,810
Now, start MS Word and create a new Word document. By the way, do you wonder why I use Windows

62
00:05:47,810 --> 00:05:52,670
8 and Office 2013? Because I have their licenses and no others.

63
00:06:01,130 --> 00:06:05,360
Create a macro: in the Review tab, select Macros.

64
00:06:05,930 --> 00:06:06,800
View Macros.

65
00:06:07,130 --> 00:06:09,560
Give a name and click the Create button.
66
00:06:11,360 --> 00:06:17,270
I'm using the Word application of Office 2013; if you use a different version, your menus might differ.

67
00:06:17,810 --> 00:06:19,790
Please Google it to find the location.

68
00:06:20,910 --> 00:06:27,180
Open our .vba file, copy the macro code part and paste it into the macro code page.

69
00:06:34,540 --> 00:06:36,490
Save the changes and close the page.

70
00:06:37,460 --> 00:06:41,240
And we have malicious macro code inside the document.

71
00:06:42,360 --> 00:06:44,970
Now we still have to embed the payload into the document.

72
00:06:50,980 --> 00:06:54,550
Go to the .vba file and copy the payload data part.

73
00:07:05,760 --> 00:07:11,490
And paste it into the Word document. We have quite a big payload; I confess it's bigger than I expected.

74
00:07:11,910 --> 00:07:18,030
This is because we used Veil to create custom malware and we chose Meterpreter, which is a complex

75
00:07:18,030 --> 00:07:18,270
one.

76
00:07:19,140 --> 00:07:22,860
Wait until the paste is finished; it could take 15 to 20 seconds.

77
00:07:24,200 --> 00:07:26,450
To make the document seem like a regular document,

78
00:07:30,550 --> 00:07:33,490
you can shrink the font size, for example, make it 1.

79
00:07:38,370 --> 00:07:41,610
And you can make the font color of the payload white.

80
00:07:44,710 --> 00:07:45,910
Then save the file.

81
00:07:55,060 --> 00:08:01,030
To succeed in this attack, the MS Word application has to be configured to run macro code. In MS Word,

82
00:08:01,360 --> 00:08:07,570
all macros are disabled by default, so you have to convince the victim to enable the macros as well.

83
00:08:08,980 --> 00:08:11,260
In the File menu, select Options.

84
00:08:12,520 --> 00:08:18,040
Select Trust Center, click the Trust Center Settings button and tick the

85
00:08:18,250 --> 00:08:23,290
Enable all macros option. Click OK at the lower right corner.

86
00:08:23,830 --> 00:08:26,410
Now we have a macro-enabled MS Word.
87
00:08:30,050 --> 00:08:32,120
Be sure the handler is running at the moment.

88
00:08:35,610 --> 00:08:40,470
Open the Word document we created; it may take some time because the document is a big one.

89
00:08:50,490 --> 00:08:51,300
Go to Kali.

90
00:08:52,570 --> 00:08:53,560
Wait a few seconds.

91
00:09:00,120 --> 00:09:02,280
You have a new session for the victim's system.

92
00:09:03,980 --> 00:09:05,300
Congratulations.