Bypassing Gmail’s Malicious Macro Signatures - By Rascuache
Malicious macros in Excel spreadsheets are one of the most common methods of delivery in phishing attacks. If the premise is enticing enough, an unsuspecting user may download the document and enable macros which could result in arbitrary code being run on their system.
In order to simulate a phishing campaign from an attacker, we at SecureState will typically utilize the macro payload from PowerShell Empire to drop agents onto victim systems via messages sent with King Phisher. One of the drawbacks of using an open-source software suite to generate these payloads is that they are often picked off in-flight. Fortunately for us, this barrier is actually fairly trivial to bypass even when implemented by some of the most widely known email providers.
The output from Empire’s one-click macro generator gives the following code:
When this code is pasted into a workbook, the Excel document becomes a malicious payload. Gmail immediately recognizes it as such and will not even allow you to send the message:
After doing some research, I had a hypothesis as to how Gmail was determining which attachments were legitimate and which were malicious. To the naked eye it would be difficult, as the payload is encoded, but Google still flags it as dangerous.
My guess is that there are two major components that go into a workbook’s malicious score:
- Macros that trigger on “workbook open”
- Macros that contain the string “powershell”
I was able to take care of the second indicator by simply splitting up the word PowerShell! Once the string is split across separate lines, Gmail no longer detects the word and so does not categorize the file as malicious.
For maximum compatibility, I also saved it as a 2003-2007 workbook (.xls) to avoid the scary-sounding .xlsm extension.
After making these quick and easy changes, I had no problem getting a great inboxing rate on many different email servers. Make sure that you check your filtering rules to see how easy they are to bypass!
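The second indicator above is a plain substring signature, which is exactly why splitting the word across a line continuation defeats it. The following is an added example (not code from the post or from SecureState) of the check a mail filter or sandbox should run instead: join VBA line continuations and merge adjacent string literals before matching, then combine the result with the auto-trigger indicator. The macro text, the `normalize_vba` and `assess` helpers, and both samples are constructed for this example.

```python
import re

# Constructed sample (not from the post): a trigger-on-open macro that splits
# the word "powershell" across a VBA line continuation, as the post describes.
SPLIT_SAMPLE = '''Private Sub Workbook_Open()
    Dim cmd As String
    cmd = "power" & _
          "shell"
End Sub
'''

# Constructed benign sample: runs on open but never references PowerShell.
BENIGN_SAMPLE = '''Private Sub Workbook_Open()
    Sheets("Summary").Activate
End Sub
'''

AUTO_TRIGGERS = ("workbook_open", "auto_open", "document_open", "autoopen")


def normalize_vba(src: str) -> str:
    """Join continued lines, then merge adjacent string literals."""
    # A trailing " _" continues the statement on the next line.
    joined = re.sub(r"[ \t]+_\r?\n[ \t]*", " ", src)
    # Repeatedly fold "a" & "b" (or "a" + "b") into "ab" until stable.
    pat = re.compile(r'"([^"]*)"\s*[&+]\s*"([^"]*)"')
    prev = None
    while prev != joined:
        prev, joined = joined, pat.sub(r'"\1\2"', joined)
    return joined


def naive_match(src: str) -> bool:
    """What a raw substring signature sees: the unnormalized text only."""
    return "powershell" in src.lower()


def assess(src: str) -> dict:
    """Apply both of the post's indicators to the normalized macro text."""
    text = normalize_vba(src).lower()
    auto_trigger = any(t in text for t in AUTO_TRIGGERS)
    mentions_powershell = "powershell" in text
    return {
        "auto_trigger": auto_trigger,
        "powershell": mentions_powershell,
        "suspicious": auto_trigger and mentions_powershell,
    }
```

This only undoes literal concatenation; builds via Chr(), StrReverse or Replace are not folded, so in practice it belongs alongside an emulator such as a VBA sandbox rather than replacing one.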
A snippet of the undetected malicious macro looks like this:
Source: SecureState