grayspeedsite.blogg.se

2017 microsoft office for mac
In the blog we posted on March 22, FortiGuard Labs introduced a new Word Macro malware sample that targets both Apple Mac OS X and Microsoft Windows. After deeper investigation of this malware sample, we can confirm that after a successful infection the post-exploitation agent Meterpreter is run on the infected Mac OS X or Windows system. Meterpreter is part of the Metasploit framework. More information about Meterpreter can be found here.

For this to work, the attacker’s server must be running Metasploit as the controller to control the infected systems. Since the attacker’s server doesn’t currently respond to any requests, we decided to set up Metasploit ourselves to confirm our observation. This blog provides a walk-through of the attack process with the server we set up, and shows what an attacker can do on an infected system.

The testing environment consists of three virtual machines running 64-bit Windows 7, 64-bit Mac OS X, and 64-bit Kali Linux, respectively. The Windows 7 machine acts as an infected Windows system, the Mac OS X machine acts as an infected Mac OS X system, and the Kali Linux VM acts as the attacker’s server running Metasploit.

Following are the IP addresses of these virtual machines.

Kali Linux: 192.168.71.129

Setting Up Metasploit

First, we created a new script file on the Kali Linux VM with Metasploit installed containing the commands required to set up Metasploit.

Figure 1 – The content of the script file

Typing “msfconsole -q -r osx_meterpreter_test” executes Metasploit in quiet mode (-q) and loads the script file (-r) provided. Once the settings are loaded, running the command show options shows the current Metasploit configuration for the session. The first is the web_delivery module, and the second is the payload reverse_https. The SRVHOST and LHOST parameters are set to the Kali Linux VM’s IP address (192.168.71.129). This IP address acts as a listener (for the connect-back connection, listening on TCP/443 (LPORT)) as well as a server (listening on TCP/8080 (SRVPORT)) to deliver the reverse_https payload.

The show options command hides certain settings that can only be viewed with the show advanced command. The only setting that is not shown is StagerVerifySSLCert, which we set to false. That prevents the validity of the SSL certificate from being verified while establishing secure communications.

Figure 3 – Showing the options set for the attack

The next step is to execute the run command, which starts the HTTPS reverse handler/server so it is ready for victims to connect. A piece of Python script code is then generated for infected systems to run.

Instead of directly executing this code on the victim’s machine, however, an HTTPS request is made to see what data the server will reply with. Typing curl -k, we can see that a chunk of Python script code has been received.

Figure 5 – The Python script code returned to the victim

If we compare the code structure between the code found in the malicious Macro and the one generated by Metasploit in the previous step, it is easy to visually identify the same elements (highlighted in yellow), but obviously the base64 data is different. The next step is to decode the base64 data to reveal the code that will be executed on the victim’s machine. To do that, a call to the base64 tool is more than enough, and it can be done inside the Metasploit prompt as well. The command syntax is: echo “ ” | base64 -d

In the malware sample, the base64-decoded data is passed to the ExecuteForOSX() function (on the left side of the table).