Mastering Cross-Platform Malware Creation with EvilClippy

In this article we look at the creation of malicious MS Office documents through the open-source tool EvilClippy. This cross-platform security testing tool can hide VBA macros and stomp VBA code, which makes the macros hard for macro analysis tools to detect. We examine the features of EvilClippy and the technique behind it, and give step-by-step installation instructions for macOS, Linux and Windows.

Features of EvilClippy

EvilClippy is designed to create malicious MS Office documents and offers the following features:

  1. VBA macro hiding: EvilClippy hides VBA modules from the GUI editor, so they are not shown when the project is opened in the VBA editor.
  2. Confusing security analysis tools: tricks such as randomised module names make it harder for analysis tools to parse the macro code.
  3. VBA stomping: EvilClippy replaces the VBA source with dummy code (P-Code dummy encoding) while the compiled P-Code is kept, so the real macro is missed by tools that read only the source.
  4. Remote lock VBA project protection: the tool locks the VBA project so that it cannot be viewed in the editor, an additional hurdle for inspection.
  5. VBA stomped template served over HTTP: EvilClippy can serve a VBA stomped template from a built-in HTTP server.

Tool Effect

Currently, the tool generates default Cobalt Strike macros that can bypass all major anti-virus products and macro analysis tools.

Technical Analysis

EvilClippy uses the OpenMCDF library to modify CFBF (Compound File Binary Format) MS Office documents, following the MS-OVBA specification. It reuses parts of the Kavod.VBA.Compression code for the MS-OVBA compression algorithm, and it is built with the Mono C# compiler so that it runs on Linux, macOS and Windows.
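The MS-OVBA compression mentioned above is the format every macro analysis tool has to undo before it can read a module's source, and that decompressed source is exactly what VBA stomping replaces. The following Python is an added example, not code from EvilClippy or from the Kavod.VBA.Compression code it reuses: it implements the MS-OVBA decompression (CompressedContainer, section 2.4.1 of the specification) and runs it over two constructed sample containers. The function name decompress_vba and the sample bytes are this example's own.

```python
# Added example (not part of EvilClippy): decompress an MS-OVBA
# CompressedContainer, i.e. the source part of a VBA module stream.
# Analysis tools run this step to read the macro source; a stomped module
# keeps valid P-Code but carries replaced source here, so what this returns
# is what source-only tools see.
import struct


def decompress_vba(container: bytes) -> bytes:
    """Decompress an MS-OVBA CompressedContainer into the original bytes."""
    if not container or container[0] != 0x01:
        raise ValueError("bad container signature (expected 0x01)")
    out = bytearray()
    pos = 1
    while pos < len(container):
        # CompressedChunkHeader: bits 0-11 = size - 3, bits 12-14 = 0b011,
        # bit 15 = 1 when the chunk data is compressed.
        if pos + 2 > len(container):
            raise ValueError("truncated chunk header")
        (header,) = struct.unpack_from("<H", container, pos)
        chunk_size = (header & 0x0FFF) + 3
        if (header >> 12) & 0x07 != 0b011:
            raise ValueError("bad chunk signature at offset %d" % pos)
        compressed = (header >> 15) & 1
        chunk_end = min(len(container), pos + chunk_size)
        chunk_start_out = len(out)  # DecompressedChunkStart
        pos += 2
        if not compressed:
            # Raw chunk: bytes are copied verbatim (a real raw chunk is
            # padded to 4096 bytes; this parser is lenient about the size).
            out.extend(container[pos:chunk_end])
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags = container[pos]  # FlagByte: one bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if (flags >> bit) & 1 == 0:
                    out.append(container[pos])  # LiteralToken
                    pos += 1
                    continue
                # CopyToken: the offset/length split depends on how much of
                # this chunk has already been decompressed.
                if pos + 2 > chunk_end:
                    raise ValueError("truncated copy token")
                (token,) = struct.unpack_from("<H", container, pos)
                pos += 2
                difference = len(out) - chunk_start_out
                if difference == 0:
                    raise ValueError("copy token at chunk start")
                bit_count = max((difference - 1).bit_length(), 4)  # ceil(log2)
                length_mask = 0xFFFF >> bit_count
                length = (token & length_mask) + 3
                offset = (token >> (16 - bit_count)) + 1
                if offset > difference:
                    raise ValueError("copy source lies before chunk start")
                src = len(out) - offset
                for i in range(length):  # byte-wise so overlapping copies work
                    out.append(out[src + i])
    return bytes(out)


# Constructed sample containers (not taken from a real document).
# COMPRESSED_SAMPLE: one compressed chunk holding the literals "ABC" followed
# by a copy token (offset 3, length 6), which expands to "ABCABCABC".
COMPRESSED_SAMPLE = bytes([0x01, 0x05, 0xB0, 0x08, 0x41, 0x42, 0x43, 0x03, 0x20])
# RAW_SAMPLE: one uncompressed chunk holding the bytes "Sub X()".
RAW_SAMPLE = bytes([0x01, 0x06, 0x30]) + b"Sub X()"

if __name__ == "__main__":
    print(decompress_vba(COMPRESSED_SAMPLE))  # b'ABCABCABC'
    print(decompress_vba(RAW_SAMPLE))         # b'Sub X()'
```

In a real document the container is the bytes of the module stream from the module's text offset onward. Comparing the source this returns against the behaviour of the compiled P-Code (for example with pcodedmp, listed in the references) is how a stomped module is spotted: the two should describe the same code, and after stomping they do not.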

Installation Instructions

macOS and Linux

To install EvilClippy on macOS and Linux, follow these steps:

  1. Install Mono on your system.
  2. Compile EvilClippy with the Mono C# compiler:
       mcs /reference:OpenMcdf.dll,System.IO.Compression.FileSystem.dll /out:EvilClippy.exe *.cs
  3. Run EvilClippy:
       mono EvilClippy.exe -h

Windows

To install EvilClippy on Windows, follow these steps:

  1. Install Visual Studio on your system.
  2. Compile EvilClippy from a Visual Studio developer command prompt:
       csc /reference:OpenMcdf.dll,System.IO.Compression.FileSystem.dll /out:EvilClippy.exe *.cs
  3. Run EvilClippy:
       EvilClippy.exe -h

Tools and Options

EvilClippy provides the following options:

  • Display help information: EvilClippy.exe -h
  • Hide VBA macros from the GUI editor: EvilClippy.exe -g macrofile.doc
  • Perform VBA stomping (P-Code dummy encoding): EvilClippy.exe -s fakecode.vba macrofile.doc
  • Set the target Office version for VBA stomping: EvilClippy.exe -s fakecode.vba -t 2016x86 macrofile.doc
  • Set a random module name (confuses security analysis tools): EvilClippy.exe -r macrofile.doc
  • Serve a VBA stomped template over HTTP (port 8080 here): EvilClippy.exe -s fakecode.vba -w 8080 macrofile.dot
  • Set up remote lock VBA project protection: EvilClippy.exe -u macrofile.doc
  • Unprotect the VBA project: EvilClippy.exe -uu macrofile.doc

Project Address

EvilClippy is hosted on GitHub (outflanknl/EvilClippy) at https://github.com/outflanknl/EvilClippy, where the project describes itself as: "A cross-platform assistant for creating malicious MS Office documents. Can hide VBA macros, stomp VBA code (via P-Code) and confuse macro analysis tools. Runs on Linux, OSX and Windows."

Reference Material

  1. Recordings of our DerbyCon and BruCon Presentations
  2. VBA Stomp
  3. PCodedMP

Disclaimer

This article is intended for technical discussions only and should not be used for illegal purposes.