﻿1
00:00:00,660 --> 00:00:07,080
Just like embedding a malicious code into a PDF file, you can easily embed a malicious macro code into

2
00:00:07,080 --> 00:00:09,750
an MS Office document such as MS Word.

3
00:00:10,750 --> 00:00:16,630
To create a malicious Word document, we should prepare a macro code and the payload, which is used

4
00:00:16,630 --> 00:00:17,500
by the macro.

5
00:00:20,750 --> 00:00:27,470
Let's prepare a malicious Word document using the Metasploit framework and the Veil framework. The steps

6
00:00:27,470 --> 00:00:28,970
of this example will be:

7
00:00:30,010 --> 00:00:37,180
Creating a malicious executable, converting the malware into a macro code which is ready to be embedded

8
00:00:37,180 --> 00:00:38,410
into an Office document.

9
00:00:39,570 --> 00:00:41,220
Creating the Office document.

10
00:00:42,380 --> 00:00:50,900
Embedding the script code as a macro and concatenating the payload as text, starting a listener to

11
00:00:50,900 --> 00:00:54,620
listen to the sessions of the victims who opened the Office document.

12
00:00:55,690 --> 00:00:57,550
Opening the document as a victim.

13
00:00:59,710 --> 00:01:06,670
Collecting the session as the attacker. Now let's do it. First, create a malicious executable using Veil.

14
00:01:06,830 --> 00:01:12,700
I'll take it faster now because we've already done this before. To remember, please refer to our "Creating

15
00:01:12,700 --> 00:01:17,920
Custom Payloads with Veil" lecture. Choose "list" in the main menu, type

16
00:01:17,920 --> 00:01:22,410
"use 1" to use the Evasion tool, type "list" to list available payloads.

17
00:01:23,170 --> 00:01:24,760
Let's use payload 27.

18
00:01:25,800 --> 00:01:28,110
Setting the listener host is enough at the minimum.

19
00:01:34,860 --> 00:01:38,820
And generate. Give the name, initials, for the output files.

20
00:01:40,650 --> 00:01:43,020
Choose the executable creation method.

21
00:01:52,200 --> 00:01:55,530
OK, the malicious executable is created.

22
00:01:56,620 --> 00:02:01,590
Let's test our malware to see if it's working. Transfer the file to the victim machine.

23
00:02:02,180 --> 00:02:04,800
Now here I have a Windows 8 system as the victim.

24
00:02:05,380 --> 00:02:08,740
I'm going to use the WinSCP trial to transfer the file.

25
00:02:09,250 --> 00:02:12,040
And of course, we have to find a reasonable way to do it.

26
00:02:12,430 --> 00:02:14,850
Phishing, malicious website visit, et cetera.

27
00:02:16,090 --> 00:02:19,780
Copy the malware into the SSH user's home folder for ease of use.

28
00:02:27,920 --> 00:02:29,720
Run WinSCP.

29
00:02:33,460 --> 00:02:34,960
Connected to the Kali machine.

30
00:02:45,410 --> 00:02:47,720
And transfer the file to the Windows desktop.

31
00:02:59,620 --> 00:03:07,000
Start a handler to collect the session. Go to Kali and start the MSF console with the dash r parameter

32
00:03:07,330 --> 00:03:09,790
and use the RC file produced by Veil.

33
00:03:20,520 --> 00:03:22,410
The handler started in the background.

34
00:03:23,480 --> 00:03:30,170
With the sessions dash l command, we see that no session is in progress at the moment. Run the malicious

35
00:03:30,170 --> 00:03:31,970
executable in the Windows system.

36
00:03:32,420 --> 00:03:35,390
We now have a valid session of the Windows system.

37
00:03:35,960 --> 00:03:40,700
Use the sessions dash i session ID command to interact with the session.

38
00:03:42,250 --> 00:03:44,770
Our malware is working like a charm.

39
00:03:45,940 --> 00:03:50,640
Now, let's kill the session for now, because this was just a test that the malware is working well.

40
00:03:51,650 --> 00:03:56,120
sessions dash K, uppercase K, will kill all the open sessions.

41
00:03:57,350 --> 00:04:01,250
Now we'll create a Visual Basic script using our malicious executable file.

42
00:04:02,030 --> 00:04:08,840
We're in the Kali machine, so find the location of the exe2vba script using the locate command in

43
00:04:08,840 --> 00:04:09,260
Linux.

44
00:04:16,410 --> 00:04:17,430
Go to the folder.

45
00:04:23,700 --> 00:04:29,580
And run the exe2vba Ruby script. The script needs two parameters to run.

46
00:04:32,000 --> 00:04:36,920
First, the malicious executable with full path, which will be converted to a macro code.

47
00:04:41,980 --> 00:04:44,410
Second, the name of the output file.

48
00:04:56,680 --> 00:05:04,390
The script is created. Now is the time to create the malware-embedded Word document. Go to the Windows

49
00:05:04,390 --> 00:05:10,900
machine, which is the system of the victim, and transfer the macro file using WinSCP.

50
00:05:12,670 --> 00:05:19,210
Let's open the .vba file using a notepad. I'm using Notepad++ for this purpose because the

51
00:05:19,210 --> 00:05:26,140
.vba file is a bit big and Notepad++ has much better memory management than the native

52
00:05:26,140 --> 00:05:27,970
Notepad application in Windows.

53
00:05:29,820 --> 00:05:34,100
There are two parts in the .vba file. The first part is the macro code.

54
00:05:34,830 --> 00:05:39,990
The second part is the payload that will be used by the macro to create the Meterpreter session.

55
00:05:41,690 --> 00:05:47,870
Now, start MS Word and create a new Word document. By the way, do you wonder why I use Windows

56
00:05:47,870 --> 00:05:49,340
8 and Office 2013?

57
00:05:49,970 --> 00:05:52,730
Because I have their licenses and no others.

58
00:06:01,170 --> 00:06:09,600
Create a macro: under the View tab, select Macros, View Macros, give a name and click the Create button.

59
00:06:11,360 --> 00:06:17,340
I'm using the Word application of Office 2013. If you use a different version, your menus might differ.

60
00:06:17,840 --> 00:06:19,880
Please Google it to find the location.

61
00:06:20,910 --> 00:06:27,240
Open our .vba file, copy the macro code part and paste it into the macro code page.

62
00:06:34,520 --> 00:06:36,540
Save the changes and close the page.

63
00:06:37,460 --> 00:06:41,300
And we have malicious macro code inside the document.

64
00:06:42,370 --> 00:06:45,010
Now, we still have to embed the payload into the document.

65
00:06:51,000 --> 00:06:54,600
Go to the .vba file, copy the payload data part.

66
00:07:05,760 --> 00:07:11,550
And paste it into the Word document. We have quite a big payload, and I confess it's bigger than I expected.

67
00:07:11,970 --> 00:07:18,090
This is because we used Veil to create a custom malware and we chose Meterpreter, which is a complex

68
00:07:18,090 --> 00:07:18,320
one.

69
00:07:19,170 --> 00:07:20,800
Wait until the paste is finished.

70
00:07:20,820 --> 00:07:22,880
It could take 15 to 20 seconds.

71
00:07:24,250 --> 00:07:26,500
To make the document seem like a regular document,

72
00:07:30,550 --> 00:07:33,550
you can shrink the font size, for example, make it one.

73
00:07:38,370 --> 00:07:41,670
And you can make the font color of the payload white.

74
00:07:44,730 --> 00:07:45,930
Then save the file.

75
00:07:55,120 --> 00:07:59,530
To succeed in this attack, the Word application has to be configured to run macro code.

76
00:07:59,980 --> 00:08:07,120
In MS Word, all macros are disabled by default, so you have to convince the victim to enable the macros

77
00:08:07,120 --> 00:08:07,620
as well.

78
00:08:09,010 --> 00:08:11,290
In the File menu, select Options.

79
00:08:12,510 --> 00:08:21,390
Select Trust Center, click the Trust Center Settings button and tick the "Enable all macros" option. Click

80
00:08:21,390 --> 00:08:23,350
OK at the lower right corner.

81
00:08:23,850 --> 00:08:26,460
Now we have a macro-enabled MS Word.

82
00:08:30,100 --> 00:08:32,170
Be sure the handler is running at the moment.

83
00:08:35,640 --> 00:08:40,500
Open the Word document we created. It may take some time because the document is a big one.

84
00:08:52,600 --> 00:08:53,620
Wait a few seconds.

85
00:09:00,120 --> 00:09:02,340
You have a new session for the victim's system.

86
00:09:04,040 --> 00:09:05,360
Congratulations.

