mgeeky's lair

Chamber of Offensive Security

Tag: vba

Backdooring Office Structures. Part 2: Payload Crumbs In Custom Parts

August 8, 2022 / / 3 Comments

Abstract

First part of this article outlined the basic techniques for hiding malware payloads within Office document structures, as well as mildly touched on dilemmas for embedding them into VBA and pulling from the Internet.

This blog post discusses yet another technique, which as far as I’m concerned – represents a novel, stealthy primitive for storing larger chunks of data that could be easily extracted using specific VBA logic. We introduce an idea of weaponising Custom XML parts storage, available in MS Word, Excel and PowerPoint for the purpose of concealing initial access payloads.

Continue reading

Backdooring Office Structures. Part 1: The Oldschool

August 5, 2022 / / 1 Comment

Abstract

This blog posts serie discusses various means adversaries employ to deliver their malicious code using macro-enabled Office documents. We outline staged vs. stageless considerations and relevant VBA implementations to then delve into problem of concealing attacker’s intents in OpenXML structures. This article explores currently known and understood strategies, whereas in second part I’ll release my novel (at least as far as I’m concerned) technique for uniformly hiding malware in Word, Excel and PowerPoint in a storage that isn’t covered by open-source maldoc analysis tooling.

Continue reading

About Mariusz

Mariusz is an active security researcher, pentester and red team operator currently involved in advanced adversary simulations.

He is best known for his researches on malware development and frequent releases of offensive tools that help red teams bolster their game against cybersecurity criminals.

© 2024 mgeeky's lair

Theme by Anders NorenUp ↑