It's no secret that there are hackers out there conducting operations, but hackers all seems so distant to the average person. What does being hacked really look like? Does your computer just shut down or does your screen flash wildly? If someone were to get into your computer, should you really care because you have "nothing" to hide? Think about what you do on your computer and how much information you really put on it. With all of the crazy press about hackers doing hacker things around the world, I figured it would be interesting to show what it looks like for an individual to get hacked.
I'll keep the first half of the article fairly simple then break down the second half about how I went about creating everything.
Hackers need to identify what to attack before they can attack something, right? Otherwise, they wouldn't know what to attack. To identify their potential target, they'll do some sort of reconnaissance or scouting. Recon can be done in a variety of ways. Organized crime groups typically look for vulnerable businesses or governments. Hacktivists look for organizations related to their cause, then how those organizations affect it. For lone wolf hackers, it could be as simple as meeting random, new people to find desirable traits (i.e rich, in a manipulatable situation, knowing key information for a business). For purposes of this article, let's say we know someone named Sharon. Sharon does administration for a small business. She likes to feel like the "hookup" for jobs. It makes her feel good when she was the one who discovered the next rockstar new-hire. Sharon also gets a $500 bonus for each new-hire she received a resume for. To use this to increase paycheck, she goes out of her way to scout for new people by going to local meet-ups, networking events, and happy hours.
Sharon meets Yakube at the Golden Nugget during a happy hour event. Yakube is a stud. He's intelligent, well-spoken, and has an esteemed work history with the added bonus of being an accountant, a position the company is absolutely dying for currently. Sharon exchanges her email with Yakube asking him for his resume to pass on to her boss and they go their separate ways. Later that night she receives the following email on her work email attached to her company laptop:
Sharon downloads the word doc and opens it to see the following:
"Oh," she thinks, "he must've sent the wrong version."
Thinking nothing of it, Sharon closes the file and heads to sleep for the night. After replying to Yakube asking for him to send the proper version of his resume, she receives no response. A week goes by and her boss enters her small office looking stressed. He breaks it to her, "Sharon, our bank accounts were emptied last night. I don't know what to do." Shocked, Sharon sits back and can only think, "How?" Sure enough, her company is in turmoil because of her.
With only an email and a single file being exchanged, an entire company was put in financial danger. Who's fault was it? Sharon had no idea Yakube was a hacker, nor did she realize that a blank word document could even present a risk to the company she worked for. Word documents aren't supposed to be malicious. Her antivirus also didn't say anything about the document being a trojan either. How could she have known?
Realistically, the average person would be a little suspicious about the lack of response from a potential new employee. Yakube also probably wouldn't have been so blatant about his word document being straight blank. However, that's what an attack could look like. Seems harmless, right? No one was held at gun point, no negative words were spoken, nor were there any nervous feelings felt by Sharon whilst she was being attacked. Sharon didn't even see anything happen on her screen.
So, let's break down the anatomy of the attack. A week before the happy-hour event, Yakube knew everything he was going to say to Sharon. He had done his research on her and her company. See, Sharon liked to post about hiring opportunities on Facebook, which was open for the world to see. Yakube saw what her interests that make her feel comfortable, then he created his false work history from what the industry respected trends were to make the company feel comfortable. This is social engineering. It's incredibly effective as most people have no idea what's happening while they're logically being attacked and exploited. People like to feel good... Yakube made Sharon feel good and he knew how to use that emotion to his advantage. After getting his in with Sharon, he prepared his initial access vector.
Hiring managers are nice targets since they aren't typically technical and they all need to receive a resume to do their job. Word Documents (as well as the rest of the Office Suite) are nice for attackers because you can write scripts/macros in the backend of the file using Visual Basic. The way I structured this attack was to have a Word document (.doc) be downloaded and opened, executing a script in the background where the user wouldn't see what's happening. Once the file was opened, the script would run automatically. I had it pull down a batch script that's hosted on my GitHub. A batch script is just a small text file with several command line commands prepped for execution. Once it's ran, the commands execute and actions are done by the system. This batch script downloads and executes a PowerShell script that shoot a reverse shell back to a remote machine, giving me the same access to the user's machine as the user who downloaded the file. PowerShell is another task automation and configuration management framework, consisting of a command-line shell and scripting language.
If you think something looks out of place, you got an eye. The "Temp" file was created by the script embedded in the Word document to store the subsequent malicious files.
Sure enough, two files named "update" also don't look super suspicious since Windows updates occur fairly frequently. If this was real, the attacker would most likely delete these files. I left them in there for proof of concept (POC).
This is the access the attacker has. It should look a lot like the interface Windows PowerShell has because the final payload with the reverse shell is run through PowerShell. They have the same permissions as the user who opened it because the files were downloaded, created, and executed under that user profile, so they will inherit that user's permissions. The attacker has access to all of this particular user's files. The previous image shows a basic shell meaning they don't have extra tools on the machine, just a connection where they can remotely use that machine. However, attackers can then use this to add more tools on to the machine to complete actions like taking screenshots, listening to the user's microphone, seeing through the users webcam, enumerate the networks they connect to, move laterally to other machines, etc. This is what getting hacked looks like.
Time to go a bit deeper
My VBA and batch scripts were based off of Red Canary's POC of an attack done by APT 32. In the VBA script, I only removed the popup message box and changed all paths. The difficult part about this wasn't finding/writing a script. The hard part is obfuscating the payload to get passed antiviruses and Windows defender. Normally, if a macro/script is in the backend of a .doc file, it is forced by word to be saved as a .docm file. However, if you save it as a Single File Web Page (.mht) file then rename the file outside of Word to the .doc extension, it skips the forced file extension of .docm since Word can't check files that aren't opened in it. .MHT files let users encapsulate a full web page into a single MIME (multimedia) file and they can be viewed in a browser as well as Word. Since it was formatted in Word before being saved, the document maintains it's styling when renamed to the .doc file extension. The following batch script simply downloads and executes the PowerShell script with few PowerShell commands (IWR), which is nothing super complicated.
The final PowerShell script was pulled from one of my GitHub repositories. To get this to run, I needed to find a way to encode the payload. After struggling with MSFVenom's encoders being detected by AMSI, I determined the encoder needed to be something fairly new, so I searched for any tools on GitHub that were created within the last 6 months. Sure enough I stumbled upon Chimera. Chimera has clean code with great documentation that pushed me to really liking it. I could do a full article on AMSI and how Windows Defender detects malware, so i'm going to save it for another time. Sure enough in testing, no antiviruses were alerted nor was Windows Defender allowing me to do some malicious activity. Chimera does the favor of running it's payload against VirusTotal for you, which in a real scenario would need to be cut out to ensure you're not putting a signature of your payload out there in the big, bad world. Just like that, an attacker has initial access.
Why did I plan this attack to occur in this manner? Well I wanted to throw the trail off a bit. Instead of solely using the word doc file to pull my reverse shell, I added an extra step into the process that may be missed by an investigator. Now any investigator that's worth a dime in the industry should be able to catch this, but what if the company can't afford an investigation. Police aren't super technical quite yet, so they would most likely have a pretty hard time finding what happened to this machine since, you know, it's the same methodology advanced persistent threats use. It also allows me to have fail-safes built into my attack. It mitigates single point of failures and allows for flexibility down the road. Say I wanted to modify the batch script to pull down a few tools in addition to my shell. I can then go update my GitHub repository where the batch script resides and send Sharon a message saying, "Oh, I'm sorry, here's the correct document," to get her to execute the attack again. Github was only used for a POC here, but it's definitely used like this in the wild. This can add a layer annoyance for investigators because GitHub doesn't give out account details to just anyone, so there may need to be things like subpoenas involved to get account information. I also chose not to lay down beaconing implants as well as any major persistence mechanisms right off the bat since this is just a small exercise to show people not familiar with Cyber Security what a very basic attack looks like.
Everyday in Cyber Security, the barrier for entry get's lower as people keep abstracting attacks into easy-to-use tools. It certainly wouldn't take very long for a random person to get spun up on how to do this then fire the payloads off to a company negating the concern for being breaking the law. This is why people need to be vigilant on what's happening around them both in and out of the cyber and physical worlds. Sharon wasn't a high roller, nor was she someone who thought something like this would ever happen to her. This is common for most people, but now her insecure habits online led to a very destructive, life changing event. Crazy enough she really didn't have to post any major personal information to be vulnerable (i.e social security number, credit cards, etc). It just takes someone with a little bit of "know-how", curiosity, and malicious intent to shift to watch her actions over a period of time. Whether a person chooses to care about their personal security is up to them, I really don't care what they do, but they should also know the risks of their behavior in addition to the consequences of being open online.
Stay safe out there, fam.