﻿1
00:00:00,300 --> 00:00:02,580
Embedding malware into documents.

2
00:00:03,730 --> 00:00:09,520
It's very common for malicious software to be embedded in a widely used document such as a PDF or Office

3
00:00:09,520 --> 00:00:10,030
document.

4
00:00:10,360 --> 00:00:15,880
Let's look and see what Metasploit Framework has for this purpose in the MSF shell.

5
00:00:16,330 --> 00:00:23,290
And you already know how to open the MSF shell: simply type msfconsole in the terminal screen of Kali.

6
00:00:23,470 --> 00:00:29,650
If you search for the words Adobe and PDF, you see that Metasploit Framework has two exploits to embed malware

7
00:00:29,650 --> 00:00:30,730
into a PDF file.

8
00:00:31,240 --> 00:00:37,990
And thankfully the ranks of the exploits are excellent, which means they will work very well and stably

9
00:00:37,990 --> 00:00:39,670
in ideal circumstances.

10
00:00:40,040 --> 00:00:44,410
Of course, you need an appropriate payload for the exploit.

11
00:00:45,920 --> 00:00:51,680
When you look at the options of the exploit using the show options command, you see that the target of

12
00:00:51,680 --> 00:00:57,860
the exploit is Adobe Reader version 8 or 9, running on Windows XP, Vista or 7.

13
00:00:58,370 --> 00:01:04,550
When you gather information about the target company, you probably find this information: which operating

14
00:01:04,550 --> 00:01:09,640
systems are used, which readers are preferred, which versions are used, et cetera.

15
00:01:10,660 --> 00:01:15,940
Suppose that you don't have any clue which operating systems and/or readers are used in this

16
00:01:15,940 --> 00:01:18,620
company. Still, isn't it worth it to try?

17
00:01:19,600 --> 00:01:20,860
Now, here is the question.

18
00:01:21,520 --> 00:01:27,760
Can you find any device running an old version of an operating system and an old version of the reader?

19
00:01:28,270 --> 00:01:29,400
The answer is: of course.

20
00:01:30,310 --> 00:01:33,130
Do you remember the WannaCry ransomware attacks?

21
00:01:33,610 --> 00:01:40,720
The attack affected more than 300,000 computers across 150 countries, including the UK's NHS health

22
00:01:40,720 --> 00:01:41,290
systems.

23
00:01:42,570 --> 00:01:48,450
The malware was using a vulnerability for which Microsoft had already released a patch two months

24
00:01:48,450 --> 00:01:55,320
before the WannaCry attack, but the attack affected hundreds of thousands of computers because they

25
00:01:55,320 --> 00:01:57,530
are always out of date.

26
00:01:58,800 --> 00:02:04,170
If you could find a few machines that fit these conditions, it might be enough for you to hack the

27
00:02:04,170 --> 00:02:05,290
entire company.

28
00:02:06,480 --> 00:02:08,250
The next step is to set the options.

29
00:02:10,020 --> 00:02:16,650
Set the template PDF file in INFILENAME; if you don't, Metasploit Framework will use its own template.

30
00:02:17,400 --> 00:02:20,220
Set the output PDF file name in FILENAME.

31
00:02:20,760 --> 00:02:25,420
If you don't, Metasploit Framework will name it evil.pdf.

32
00:02:26,160 --> 00:02:31,980
Now set the options of the payload you chose. If you choose the reverse_https meterpreter payload like me,

33
00:02:32,880 --> 00:02:37,350
set the IP address of the listener host and set the listener port

34
00:02:37,350 --> 00:02:43,170
if you don't want to use the default LPORT. When you're finished setting your options,

35
00:02:44,490 --> 00:02:47,820
you can use the exploit or run commands to generate the file.

36
00:02:48,390 --> 00:02:54,990
Now you must bring the file and computer users, I mean victims, together: send the file in a phishing

37
00:02:54,990 --> 00:03:01,650
email, copy the file onto flash drives and give them as gifts, write the file onto CDs and spread them

38
00:03:01,650 --> 00:03:04,190
in the company if you can, etc.

39
00:03:05,670 --> 00:03:12,640
By merging a malicious PDF with another arbitrary PDF file, you can make it more difficult for antivirus

40
00:03:12,640 --> 00:03:20,990
programs to recognize it. In the first picture, a PDF file with an embedded windows/meterpreter/reverse_tcp

41
00:03:21,000 --> 00:03:26,040
payload is scanned on virustotal.com.

42
00:03:26,310 --> 00:03:33,540
No obfuscation or customization was performed, so 30 of 47 antivirus programs detected it. In the second

43
00:03:33,540 --> 00:03:33,810
picture,

44
00:03:33,810 --> 00:03:40,350
a custom payload using the windows/meterpreter/reverse_https

45
00:03:40,350 --> 00:03:42,000
payload of Metasploit

46
00:03:42,000 --> 00:03:45,900
was created by Veil and embedded into the PDF file.

47
00:03:46,170 --> 00:03:52,100
17 of 47 antivirus programs detected the malware. In the third picture,

48
00:03:52,590 --> 00:03:57,390
the document used in the second picture was merged with a clean PDF file.

49
00:03:58,080 --> 00:04:04,470
This time, only 10 of 47 antivirus programs detected the malware.

