
The Dangers of OSINT and Spear-Phishing-Part 2

Deploying the malicious payload

Assaf Reich 

Hello, world! Assaf here once again, picking up where we left off in the first part of this series – OSINT reconnaissance. In this article I’ll demonstrate how we can use what we learned about our target, Eric Blum, to hack his computer and steal his personal data.

Intro to Phishing

As we established in the first part, our victim is Eric Blum. We know his email address, workplace and social accounts, more than enough to launch a Spear-Phishing campaign against him.

But first, what is phishing?

Phishing is a type of cyberattack that uses a fake platform (emails, SMS, zoom call, a website…) to masquerade as a legitimate source and steal user data or gain system access.

Phishing is one of the simplest cyberattacks, a direct descendant of the snake oil salesman and the traveling conman, and it is still prevalent to this day.

For example, even as I’m writing this, I have on my phone many fraudulent SMS messages cosplaying as my credit card company trying to get me to click on their malicious URL and enter my credit card details, which will inevitably end up on the dark web. Unfortunately for the patient hackers, I won’t be falling for their scheme, mainly because they used the wrong credit card company. But what if the attacker were smarter?

This is where Spear-Phishing comes in. Unlike regular phishing, Spear-Phishing targets a specific individual or group, using personal information to make the attack more convincing.

Attackers leverage their knowledge of the victim to craft realistic-looking messages, increasing the chances of success. This tactic is often used in corporate espionage or against public figures who possess valuable information.

The bottom line is that phishing takes many forms, so we must be careful when interacting with potentially malicious platforms. 

Next I’ll go over a couple of techniques attackers use in these scenarios and explain how they work.

Email spoofing

There are many ways to send an email so that it appears to come from a different address; this is called email spoofing.

In my OSINT article (which I recommend reading before this one), we discovered that our victim has a Spotify account. We can use this for our Spear-Phishing campaign.

To illustrate the importance of OSINT reconnaissance, consider this: if we launched a phishing campaign impersonating Apple Music to steal credit card numbers, our victim would most likely ignore the email, since he doesn’t have an Apple Music account. With proper OSINT research done beforehand, we can instead fake an email from Spotify, a service he actually uses, which significantly increases the chances of deceiving the target.

The question now is, how do we fake an email? In the past, with letters, you could simply write a fake name on the envelope and send it to your victim. Can we use the same concept with emails?

When we break it down, an email message is just a text file: a block of headers (From, To, Subject, Date and so on), a blank line, and then the body. Saved to disk it usually gets the .EML extension. We can see an example below –

We can see here an attempt to scam Eric into opening a shortened URL, which will likely lead to a malicious website set up by the scammer. Unfortunately for the attacker, the From header on the first line clearly shows that the sender isn’t Spotify. To fix this, the attacker can edit the file by hand so it looks legitimate, like so –

As we can see in the highlighted text, the From header now reads account_manager@spotify.com. Open this file in a mail client and that is the sender it displays; everything appears legitimate.

By changing a single line in Notepad++ we have made the scam far more believable. After modifying the file, we can send it to our victim with a short Python script built on the smtplib module. This requires either a local SMTP server or an online SMTP relay.

Is that all it takes to send a forged email? Not quite. Email delivery works like a letter inside an envelope. The letter is the message itself, the .EML file we edited, including its From header. The envelope is the SMTP transaction that routes it: the envelope sender (MAIL FROM, which the receiving server records as the Return-Path) and the recipient (RCPT TO). Mail clients display the letter’s From header, while servers route and bounce on the envelope, and the two are set independently.

To fake the envelope as well, we set the envelope sender in our Python script. smtplib’s sendmail() takes that address as a separate argument from the message text, so the From header inside the .EML and the MAIL FROM on the wire can both be made to say spotify.com.

We can try this out by using an online SMTP service (wpoven.com) and running our script –  

And if we check the server inbox, we’ll see the forged email appear as if it came directly from Spotify, looking entirely legitimate to the victim.

The malicious forged email is now sitting in Eric’s inbox, waiting for him to open it and, hopefully, fall for the scam.

It is important to note that there are defenses against this kind of forgery. SPF lets a domain publish, in DNS, which IP addresses may send mail on its behalf; the receiving server checks the connecting IP against the domain of the envelope sender. DKIM has the sending server sign selected headers and the body with a key published in DNS, so changing the From line or the body breaks the signature. DMARC ties the two together: it requires that a passing SPF or DKIM result be aligned with the domain in the From header that the user actually sees, and it lets the domain owner tell receivers to quarantine or reject messages that fail. Our forged message fails DMARC at any receiver that enforces it, because neither our envelope sender nor any DKIM signature belongs to spotify.com. But not every email provider enforces these checks, and many company domains publish no DMARC policy, or a policy of p=none, so company email is more likely to still be vulnerable.
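To make the letter-and-envelope distinction and the DMARC alignment check concrete, here is an added example (not code from the original post, and not Cyvore’s product logic). It builds the .EML “letter” with the forged From header, documents where the envelope sender is set in smtplib, and then runs a simplified receiver-side DMARC verdict. All addresses, the attacker.example domain, and the SPF/DKIM results fed into the check are constructed; a real receiver would obtain those results from DNS lookups and signature verification, and would compare organizational domains rather than exact domains.

```python
"""Header From vs. SMTP envelope, and the receiver-side DMARC alignment check.

Added example; all addresses and check results below are constructed.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr
from typing import Optional


def build_eml(header_from: str, to: str, subject: str, body: str) -> bytes:
    """Build an RFC 5322 message, i.e. the bytes of a .eml file.

    The From: header is ordinary text chosen by whoever writes the message;
    nothing in the format verifies it. This is the 'letter'.
    """
    msg = EmailMessage(policy=policy.SMTP)
    msg["From"] = header_from
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    return msg.as_bytes()


# The 'envelope' is set separately when the message is handed to SMTP:
#     smtplib.SMTP(host).sendmail(envelope_from, [rcpt], raw)
# The first argument becomes MAIL FROM; the From: header inside `raw` is
# transmitted untouched. A receiving server records MAIL FROM as Return-Path.


def domain_of(addr: str) -> str:
    """Domain part of an address, lower-cased.

    Simplification: real DMARC compares *organizational* domains (via the
    public suffix list), so mail.spotify.com would align with spotify.com.
    """
    _, bare = parseaddr(addr)
    return bare.rpartition("@")[2].lower()


def dmarc_verdict(raw: bytes, envelope_from: str, spf_result: str,
                  dkim_domain: Optional[str], dkim_result: str) -> dict:
    """Receiver-side check in the spirit of RFC 7489.

    spf_result is what an SPF check of the connecting IP against the
    envelope_from domain returned ('pass' or 'fail'); dkim_domain/dkim_result
    describe the signature's d= tag and whether it verified. DMARC passes only
    if a passing mechanism is *aligned* with the header From: domain, the one
    domain the user actually sees.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = domain_of(msg["From"])
    env_domain = domain_of(envelope_from)
    spf_aligned = spf_result == "pass" and env_domain == from_domain
    dkim_aligned = dkim_result == "pass" and (dkim_domain or "").lower() == from_domain
    return {
        "header_from_domain": from_domain,
        "envelope_from_domain": env_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


if __name__ == "__main__":
    raw = build_eml("Spotify <account_manager@spotify.com>",   # forged header
                    "victim@example.com",                      # constructed
                    "Your payment failed",
                    "Update your card: https://short.example/abc")  # constructed link
    # Attacker relays through a server they control: SPF passes for
    # attacker.example, but that is not the displayed domain, so DMARC fails.
    print(dmarc_verdict(raw, "bounce@attacker.example", "pass", None, "none"))
    # Genuine mail: envelope sender and DKIM signature both belong to spotify.com.
    print(dmarc_verdict(raw, "bounce@spotify.com", "pass", "spotify.com", "pass"))
```

The first verdict is the forged message from this article: even with a “clean” SPF result for the attacker’s own relay, the envelope domain does not align with the displayed From, and DMARC fails. Whether that failure is acted on depends entirely on the policy spotify.com publishes and on whether the receiving server enforces it.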

At the end of our scam email is a shortened URL, which hides the real destination from the reader. Many online services do this for free; in this case we used Bitly, which supplies a short URL that redirects to a destination of our choice. Cybercriminals commonly use this as simple link obfuscation.

To take over Eric’s computer, we need to supply a malicious payload that will be downloaded from the shortened URL. This next part will cover how to construct it, but for that, I’ll need a virtual environment.

Setting up my virtual environment

For this hacking demonstration, I used VMware Workstation to set up two virtual machines, attacker and victim. This was a nightmare with limited RAM by the way.

This setup allows me to practice hacking techniques without jeopardizing my personal computer. Our victim will be using a Windows 7 machine and our attacker will use Kali Linux.

Know your enemy – Kali Linux and the Metasploit framework

Kali Linux, a Debian-based distribution, is specifically designed for penetration testing. It comes pre-installed with hundreds of cybersecurity tools, making it an ideal platform for those looking to explore hacking and red teaming.

One of the most versatile tools that Kali Linux offers is Metasploit, which we will use in our attack. Metasploit is an open-source framework containing more than 2,000 exploit modules for a wide range of targets, combined with interchangeable payloads, allowing attackers to build an attack chain specific to their target.

Crafting a Malicious PDF File 

Once our victim, Eric, clicks on the attached URL, a PDF file will be downloaded onto his computer. This PDF will serve as the basis for the next step of the attack.

Most of us in the working world use PDFs regularly, it’s a convenient format for documents. As attackers, we aim to inject malicious code into a PDF file so when our victim opens it, we can hack their machine. There are several ways to do this.

Some of you may know that PDFs can contain JavaScript that runs when the document is opened. This feature exists for interactive forms and document automation, but it can be abused, which is why readers put safeguards around it (Adobe Reader, for instance, lets the user disable JavaScript entirely). For example, we can use the JS2PDFInjector GitHub project to inject a simple JavaScript snippet of our choosing into a PDF.

Once someone opens the injected PDF, they get a pop-up alert and are redirected to Cyvore’s website, which could of course be replaced with any malicious URL. On its own this is a sideways step rather than a takeover, but it is still worth exploring.

While this functionality certainly can be used for malicious purposes, it does have constraints. Fortunately, we can improve our attack by using an exploit from Metasploit, with the Meterpreter shell.

The module in question is exploit/windows/fileformat/adobe_pdf_embedded_exe. It abuses a weakness in older versions of Adobe Reader and Acrobat that lets a PDF carry an embedded executable and launch it when the document is opened. Note that this is a social-engineering exploit rather than a memory-corruption one: the reader still shows a launch prompt, and the attack relies on the victim clicking through it.

That executable will be a windows/meterpreter/reverse_tcp payload. When it runs, it connects back to our Kali machine and opens a Meterpreter session, and with that session we have full control of the victim’s machine. The Meterpreter stage itself is loaded directly into memory, which makes it harder for antivirus and a SOC to spot, although the dropped stager executable does touch disk and is exactly what file-based scanning looks for.
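Both PDF techniques above, the injected JavaScript and the embedded executable launched on open, leave the same kind of fingerprint in the file: action dictionaries and a handful of PDF names (/OpenAction, /JavaScript, /JS, /Launch, /EmbeddedFile) that a triage scanner such as pdfid keys on. The following added example (not the article’s or JS2PDFInjector’s code, and not Metasploit’s module) hand-assembles a minimal valid PDF with an /OpenAction of either kind, then scans PDF bytes for those names. The sample JavaScript mirrors the alert-and-redirect demo above; the URL and the launch target are constructed. The scanner also undoes PDF name hex-escaping (/J#61vaScript), a common trick against naive grepping, and reports when objects are compressed, since it does not inflate streams.

```python
"""Build a one-page PDF with an /OpenAction (JavaScript or Launch) and scan
PDFs for the names that mark those techniques.

Added example; the PDFs are constructed here, not files from the original post.
"""
import re
from typing import Optional

# Names a triage scanner looks for (as pdfid-style tools do): script execution,
# open/additional actions, external program launch, embedded files.
RISKY_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
               "/EmbeddedFile", "/RichMedia")


def _pdf_str(s: str) -> str:
    """Escape a Python string for use inside a PDF (...) literal string."""
    return s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")


def js_action(js: str) -> bytes:
    """Action dictionary that runs Acrobat JavaScript (what JS injectors add)."""
    return f"<< /S /JavaScript /JS ({_pdf_str(js)}) >>".encode()


def launch_action(target: str) -> bytes:
    """Action dictionary that asks the reader to launch an external file."""
    return f"<< /S /Launch /F ({_pdf_str(target)}) >>".encode()


def build_pdf(action: Optional[bytes] = None) -> bytes:
    """Hand-assemble a minimal, valid PDF. If `action` is given it is placed in
    the catalog's /OpenAction, so the reader executes it on open."""
    catalog = b"<< /Type /Catalog /Pages 2 0 R"
    if action:
        catalog += b" /OpenAction " + action
    catalog += b" >>"
    objs = [
        catalog,
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 100] >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += f"{num} 0 obj\n".encode() + body + b"\nendobj\n"
    xref_pos = len(out)
    out += f"xref\n0 {len(objs) + 1}\n".encode() + b"0000000000 65535 f \n"
    for off in offsets:
        out += f"{off:010d} 00000 n \n".encode()
    out += (f"trailer\n<< /Size {len(objs) + 1} /Root 1 0 R >>\n"
            f"startxref\n{xref_pos}\n%%EOF\n").encode()
    return bytes(out)


def _normalize_names(data: bytes) -> bytes:
    """PDF names may hex-escape characters (/J#61vaScript == /JavaScript).
    Undo that so a naive grep cannot be dodged by escaping."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Static triage: count risky names and note whether content may be hidden
    in compressed object streams, which this scanner does not inflate."""
    norm = _normalize_names(data)
    hits = {}
    for name in RISKY_NAMES:
        # The name must end here, so '/JS' does not match inside '/JSX'.
        n = len(re.findall(re.escape(name.encode()) + rb"(?![A-Za-z0-9])", norm))
        if n:
            hits[name] = n
    return {
        "hits": hits,
        "suspicious": bool(hits),
        # Caveat: real samples usually compress objects; a clean result on such
        # a file means little until streams are decoded (pdf-parser, peepdf).
        "has_compressed_objects": b"/ObjStm" in norm or b"/FlateDecode" in norm,
    }


if __name__ == "__main__":
    # Constructed sample in the spirit of the JS2PDFInjector demo: an alert,
    # then a redirect. app.alert and app.launchURL are Acrobat JavaScript APIs.
    demo = build_pdf(js_action(
        "app.alert('Hello'); app.launchURL('https://example.com/', true);"))
    print(scan_pdf(demo))
    # Constructed Launch action; the target path is arbitrary.
    print(scan_pdf(build_pdf(launch_action("C:\\evil.exe"))))
    print(scan_pdf(build_pdf()))  # benign control: no hits
```

Writing `demo` to a file and opening it in a reader with JavaScript enabled shows the alert; with JavaScript disabled nothing runs, which is the safeguard mentioned above. The Launch variant is the same mechanism the embedded-executable module rides on, and a reader that honours it will still prompt before running anything.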

Below, we’ll see how we craft the malicious PDF – 

And once our victim opens the PDF we can run commands on their machine –

In the GIF above, we see that we have a shell on the victim’s machine. I ran some commands and got the contents of the C drive, the ARP table and even a screenshot. With this we have complete control over the machine.

Once the hacker achieves this, they can do as they please – steal documents, send fake emails or take over the entire company network.

The full attack vector

At this point, the hackers have won and have full control over Eric’s computer. Let’s go over all the steps that led to this.

1) The first step was actually the OSINT reconnaissance we went over in the first part of the series, where we found Eric’s email address and gathered useful intel to make our scam look more believable. In this step, we used tools like Sherlock, Blackbird, and The OSINT Framework.

2) Next, we started our Spear-Phishing campaign by forging an email from Spotify and using a Python smtplib script to send our message containing an obfuscated URL.

3) We used Kali Linux and the Metasploit Framework to create a PDF injected with a reverse-shell executable that will let us run commands on the victim’s computer.

4) After our victim opened the malicious email and clicked the supplied link, our malicious PDF was downloaded, and once the victim tried to read the PDF, the embedded executable ran and opened a reverse shell to our computer.

Cyvore Phishing protection

Cyvore provides a platform that alerts when a message is suspected to be fraudulent or to carry a malicious attachment. Cyvore uses a variety of techniques to check the authenticity of received messages and determine whether they are genuine.

On top of that, Cyvore can also analyze attached URLs using sandbox technology and flag malicious attachments and links.

Even the phrasing of the message is analyzed, to detect leading or unusual wording for that type of message.

The attack scenario shown above will not be possible against a Cyvore-protected domain.

Closing remarks

I really hope you all enjoyed reading this article. The phishing techniques we went over vary in complexity and likelihood of success, but I think they’re worth learning nonetheless. It’s always fun to put on the black hat once in a while and see what cyber attacks are like from the hacker’s side, and I hope you learned something new!

This article is for educational and ethical cybersecurity research purposes only. Please don’t use this knowledge for unauthorized activities or cybercrimes. It is illegal and unethical. 

Pretty please.

Sources and links

Featured image by Freepik

https://www.wpoven.com

https://github.com/cornerpirate/JS2PDFInjector

https://www.kali.org

https://www.metasploit.com
