First part of this article outlined the basic techniques for hiding malware payloads within Office document structures, as well as mildly touched on dilemmas for embedding them into VBA and pulling from the Internet.
This blog post discusses yet another technique, which as far as I’m concerned – represents a novel, stealthy primitive for storing larger chunks of data that could be easily extracted using specific VBA logic. We introduce an idea of weaponising Custom XML parts storage, available in MS Word, Excel and PowerPoint for the purpose of concealing initial access payloads.
This blog posts serie discusses various means adversaries employ to deliver their malicious code using macro-enabled Office documents. We outline staged vs. stageless considerations and relevant VBA implementations to then delve into problem of concealing attacker’s intents in OpenXML structures. This article explores currently known and understood strategies, whereas in second part I’ll release my novel (at least as far as I’m concerned) technique for uniformly hiding malware in Word, Excel and PowerPoint in a storage that isn’t covered by open-source maldoc analysis tooling.
Threat Actors and malware developers need to protect their intellectual property just as much as benign software vendors. Every Cybersecurity professional who worked with malware samples will also know, that such a protection employed helps adversaries morph/mutate how their malicious artifacts look & feel under the hood, eventually evading signatured detection.
Executable protectors, obfuscators, encoders, packers/compressors, virtualizers – are all specialized software attempting to manipulate input artifacts, producing output with often altered code layout and contents. Sometimes for file size reduction purposes, other time to fend off reverse engineers aiming to disclose their technology & implementation details.
Looks like its my first blog post, yay! What is it that I should write about to begin that journey? Have no clue really, but also it just happens I had a great pleasure of presenting at todays (25/06/2022) @WarConPL conference.
The conference full of Exploit Development geeks, Vulnerablity Research wizards and other sort of hardcore experts…. and me with that kinda out of place Red Teaming stuff slide deck 🤩
These were my initial thoughts at least, before I started talking. Having finished my presentation turned out many folks in there did their share in Adversary Simulation – and to my surprise – approached me to express how they’ve enjoyed my talk, came to start up cool discussions, shared ideas for awesome new TTPs.
Also, I’ve been asked at numerous occassions whether my slides are going to be shared anywhere. Since I promised, therefore I deliver:
WarCon22 – Modern Initial Access and Evasion Tactics.pdf
Let me know in comments and on Twitter what you think!