Most people think of document macro based malware as a thing of the past. Back around the year 2000, macro based malware such as Melissa and ILOVEYOU wreaked havoc on the Internet. Anti-virus vendors responded accordingly and it appeared that the threats were large mitigated at that time. However during the first part of 2014- vendors such as Cisco (senderbase), and Sophos have documented a rise in document macro-based malware. This talk will initial present metasploit's visual basic payloads, and speak to evasion techniques that be used for effective A/V bypass with a memory based thread creation macro. The talk will then demonstrate techniques of combining powershell scripts with MS-Office document macros- and detail the research used to completely obfuscate all details of the resulting malware based macro. An automatic document macro generation tool will also be demonstrated. Samples of targeted phishing documents will also be shown.

Back to Derbycon 2014 video list