Evil Clippy - A Cross-Platform Assistant For Creating Malicious MS Office Documents
Tuesday, September 10, 2019
You are now reading the article Evil Clippy - A Cross-Platform Assistant For Creating Malicious Ms Purpose Documents with the link address https://mederc.blogspot.com/2019/09/evil-clippy-cross-platform-assistant.html
A cross-platform assistant for creating malicious MS Office documents. Can hide VBA macros, stomp VBA code (via P-Code) and confuse macro analysis tools. Runs on Linux, OSX and Windows.
Current features
- Hide VBA macros from the GUI editor
- VBA stomping (P-code abuse)
- Fool analyst tools
- Serve VBA stomped templates via HTTP
- Set/Remove VBA Project Locked/Unviewable Protection
- MS Office Magic Show presentation at Derbycon 2018
- VBA stomping resources by the Walmart security team
- Pcodedmp by Dr. Bontchev
How effective is this?
At the time of writing, this tool is capable of getting a default Cobalt Strike macro to bypass all major antivirus products and some maldoc analysis tools (by using VBA stomping in combination with random module names).
Technology
Evil Clippy uses the OpenMCDF library to manipulate MS Office Compound File Binary Format (CFBF) files, and in doing so abuses MS-OVBA specifications and features. It reuses code from Kavod.VBA.Compression to implement the compression algorithm that is used in the dir and module streams (see MS-OVBA for the relevant specifications).
Evil Clippy compiles perfectly fine with the Mono C# compiler and has been tested on Linux, OSX and Windows.
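The compression referred to here is the MS-OVBA CompressedContainer (section 2.4.1): an analyst who wants to read the source text a module stream still carries (the text that VBA stomping replaces, and which should be compared against the P-code) must decompress it first. The decompressor below is an added example following the MS-OVBA algorithm, not Evil Clippy's or Kavod.VBA.Compression's code; the sample container it decodes was constructed by hand for this illustration.

```python
import math


def _copy_token_params(difference: int):
    """Bit split of a copy token depends on how far into the chunk we are (MS-OVBA 2.4.1.3.19.1)."""
    if difference <= 0:
        raise ValueError("copy token before any decompressed byte in this chunk")
    bit_count = max(math.ceil(math.log2(difference)), 4)
    length_mask = 0xFFFF >> bit_count
    offset_mask = (~length_mask) & 0xFFFF
    return bit_count, length_mask, offset_mask


def decompress_ovba(data: bytes) -> bytes:
    """Decompress an MS-OVBA CompressedContainer as stored in dir and module streams."""
    if not data or data[0] != 0x01:
        raise ValueError("missing CompressedContainer signature byte 0x01")
    out = bytearray()
    pos = 1
    while pos < len(data):
        header = int.from_bytes(data[pos:pos + 2], "little")
        pos += 2
        chunk_size = (header & 0x0FFF) + 3            # CompressedChunkSize
        if (header >> 12) & 0x07 != 0b011:            # CompressedChunkSignature must be 0b011
            raise ValueError(f"bad chunk signature in header {header:#06x}")
        is_compressed = bool(header >> 15)            # CompressedChunkFlag
        chunk_end = pos + chunk_size - 2              # the 2-byte header is already consumed
        chunk_start = len(out)                        # DecompressedChunkStart
        if not is_compressed:
            out += data[pos:pos + 4096]               # raw chunk: 4096 bytes copied verbatim
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags = data[pos]                         # FlagByte: one bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:            # LiteralToken: a single byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token = int.from_bytes(data[pos:pos + 2], "little")   # CopyToken
                pos += 2
                bit_count, length_mask, offset_mask = _copy_token_params(len(out) - chunk_start)
                length = (token & length_mask) + 3
                offset = ((token & offset_mask) >> (16 - bit_count)) + 1
                for _ in range(length):               # overlapping back-reference, byte by byte
                    out.append(out[-offset])
    return bytes(out)


# Constructed sample: one compressed chunk holding literals "abc", a copy token (offset 3,
# length 6) and the literal "X"; it decompresses to b"abcabcabcX".
SAMPLE_CONTAINER = bytes.fromhex("01 06 B0 08 61 62 63 03 20 58")
```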
Compilation
A cross-platform compiled binary can be found under "releases".
OSX and Linux: make sure you have Mono installed. Then execute the following command from the command line:
mcs /reference:OpenMcdf.dll,System.IO.Compression.FileSystem.dll /out:EvilClippy.exe *.cs
Now run Evil Clippy from the command line:
mono EvilClippy.exe -h
Windows: make sure you have Visual Studio installed. Then execute the following command from a Visual Studio developer command prompt:
csc /reference:OpenMcdf.dll,System.IO.Compression.FileSystem.dll /out:EvilClippy.exe *.cs
Now run Evil Clippy from the command line:
EvilClippy.exe -h
Usage examples
Print help
EvilClippy.exe -h
Hide macros from GUI
Hide all macro modules (except the default "ThisDocument" module) from the VBA GUI editor. This is achieved by removing module lines from the project stream [MS-OVBA 2.3.1].
EvilClippy.exe -g macrofile.doc
Stomp VBA (abuse P-code)
Put fake VBA code from the text file fakecode.vba in all modules, while leaving the P-code intact. This abuses an undocumented feature of module streams [MS-OVBA 2.3.4.3]. Note that the VBA project version must match the host program in order for the P-code to be executed (see the next example for version matching).
EvilClippy.exe -s fakecode.vba macrofile.doc
Note: VBA stomping does not work for files saved in the Excel 97-2003 Workbook (.xls) format.
Set target Office version for VBA stomping
Same as the above, but now explicitly targeting Word 2016 on x86. This means that Word 2016 on x86 will execute the P-code, while other versions of Word will execute the code from fakecode.vba instead. Achieved by setting the appropriate version bytes in the _VBA_PROJECT stream [MS-OVBA 2.3.4.1].
EvilClippy.exe -s fakecode.vba -t 2016x86 macrofile.doc
Set random module names (fool analyst tools)
Set random ASCII module names in the dir stream [MS-OVBA 2.3.4.2]. This abuses ambiguity in the MODULESTREAMNAME records [MS-OVBA 2.3.4.2.3.2.3]: some analyst tools use the ASCII module names specified here, while MS Office uses the Unicode variant. By setting a random ASCII module name, some P-code and VBA analysis tools crash, while the actual P-code and VBA still run fine in Word and Excel.
EvilClippy.exe -r macrofile.doc
Note: this is known to be effective in tricking pcodedmp and VirusTotal.
Serve a VBA stomped template via HTTP
Serve macrofile.dot via HTTP on port 8080 after performing VBA stomping. When this file is retrieved, it automatically matches the target's Office version (using the request's HTTP headers and then setting the _VBA_PROJECT bytes accordingly).
EvilClippy.exe -s fakecode.vba -w 8080 macrofile.dot
Note: The file you are serving must be a template (.dot instead of .doc). You can set a template via a URL (the .dot extension is not required!) from the developer toolbar in Word. Also, fakecode.vba must have a VB_Base attribute set for a macro from a template (this means that your fakecode.vba must start with a line such as Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}").
Set/Remove VBA Project Locked/Unviewable Protection
To set the Locked/Unviewable attributes, run with the '-u' option:
EvilClippy.exe -u macrofile.doc
To remove the Locked/Unviewable attributes, run with the '-uu' option:
EvilClippy.exe -uu macrofile.doc
Note: You can remove the Locked/Unviewable attributes from files that were not locked with EvilClippy as well.
Limitations
Developed for Microsoft Word and Excel document manipulation.
As noted above, VBA stomping is not effective against the Excel 97-2003 Workbook (.xls) format.
Authors
Stan Hegt (@StanHacked) / Outflank
With significant contributions by Carrie Roberts (@OrOneEqualsOne / Walmart).
Special thanks to Nick Landers (@monoxgas / Silent Break Security) for pointing me towards OpenMCDF.