Excel 4.0 Macros Analysis - Cobalt Strike Shellcode Injection


Here I describe how you can analyse a very stealthy technique to execute shellcode via Process Injection from an old-skool Excel Macro technique, known as Excel 4.0 Macros. This seems to be a technique favoured by many APTs and Red Teams given the lack of detection by lots of anti-malware technology. The sample attempts to inject shellcode, which transpires to be a Cobalt Strike beacon that uses Domain Fronting to access its C2.

The sample was provided by Arti Karahoda. Definitely give him a follow:
https://twitter.com/w1zzcap

The sample can be obtained from here:
https://app.any.run/tasks/e8db83aa-89...

Also, I mention a few resources in the video, as follows:

https://outflank.nl/blog/2018/10/06/o...
https://d13ot9o61jdzpp.cloudfront.net...
http://www.hexacorn.com/blog/2015/12/...

Thanks for the sample, Arti! Hope you all like the video and the techniques used, and hopefully this will help protect you in your own environments.

If you liked the video, hit the thumbs up. If you loved it, please subscribe.

Find Me:
https://twitter.com/cybercdh
https://colin.guru

Thanks!

Colin

Reviewed by Anonymous on November 26, 2019. Rating: 5