LittleCorporal: C# Automated Maldoc Generator
LittleCorporal: A C# Automated Maldoc Generator
How does It work?
LittleCorporal accepts a user-supplied argument for a process to inject into a remote machine, in which you plan to execute the malicious Word document on, and also accepts a path to a local shellcode file stored in .bin formats – such as a Beacon Stageless shellcode blob on the machine you are running LittleCorporal from. So, if you would like to use the maldoc generated from this project, you will need to specify an already running process on the machine you intend to run the maldoc on (be it the local machine or a different machine. explorer.exe is always going to have one instance, so use this if you do not care about which process you inject into).
LittleCorporal embeds the shellcode and the target process name into Loader.cs, compiles Loader.CS on the fly into a .NET .exe artifact, and then utilizes thread hijacking to perform remote process injection. The .NET .exe artifact, which is the thread hijacking loader, is sent through Donut to generate position-independent shellcode, which will execute the .exe. The shellcode generated by Donut is then base64 encoded, a Word document is generated, and the final Donut blob is stored in an InlineShape.AlternativeText Word property, which is able to hold the entire payload. This is done by inserting an image (currently a blank image, giving the document a “blank” look) property into the Word document, as alternative text on the image, which contains the payload. LittleCorporal then leverages a VBA “template”, contained in this project as a text file, and injects this Macro into the newly generated Word document. The Macro is named autoopen, so it opens upon the document opening, and then is configured to extract the value of the alternative text of the previously generated image, which contains the final payload, base64 decodes it, and finally uses Windows API calls, in VBA, to perform local injection into Word. In essence, this project uses a simple “loader” in VBA to perform local injection into Word, which is a bit less scrutinized than remote process injection, and then uses execution from the simple local injection to execute the Donut shellcode, which is another loader that performs thread hijacking for the final remote process injection of the user-supplied shellcode into the user-specified process. This is all done in an automated fashion, including the generation of the Word document.