Here, I am going to walk through something I made. This is an attack that carries characteristics that malware authors normally include. This particular one has a characteristic used by Red October. There are 3 parts to this attack, the Office document you send to the target, the persistence file and Invoke-Shellcode. Invoke-Shellcode and the persistence file need to be hosted.

Setting up the attack:

1. The macro code goes as an auto_open macro in a word or excel document.

2. Make sure you have Invoke-Shellcode and the persistence file hosted and accessible. I implemented a little trick to get around appliances that block downloads of specific files, such as exe’s and vbscripts. As you can see below, I have 2 hosted files in /var/www/, one is invoke-shellcode and the other is the persistence file.

If you open the persistence file, you get this:

Obviously, this isn’t a word document. This is a VBScript that will get us our shell. What I have done is put this in a file called “Payment.docx”. If you try to copy and paste the persist code into a new file using nano or vi, it won’t work as it throws formatting off. To get this to execute correctly, you MUST create the persist script in notepad, save it as SomeFileName.vbs and then move the script to your linux machine. Once on your linux machine, you can move the file into /var/www and rename it using “mv persist.vbs Payment.docx”. Doing this will keep the formatting.

When the macro downloads it, it comes into the network and onto the target machine as a Word document instead of an obvious VBScript, exe or something.

The macro downloads Payment.docx and drops it in the hidden “Default” user folder. Once on the machine, it renames Payment.docx to “cookie.vbs” and sets the file attribute to “hidden”:

(After setting “Show hidden files and folders”):

Now that we have a VBScript in a hidden folder with hidden attributes, the macro then creates a registry key to call the script on startup. What is different about this, is it doesn’t use the run registry keys (that’s too obvious, right?). Instead, it creates a key called “Load” in HKCU\Software\Microsoft\Windows NT\CurrentVersion

Now, when the user logs in, it executes cookie.vbs and shovels out another shell. Some may wonder why I am using VBScript when Powershell exists. After some testing, Powershell pops a black DOS prompt when executing the script on startup. To get around this, I wrapped the Powershell script in VBScript to get rid of the obvious DOS prompt.

-Matt Nelson (@enigma0x3)