Luckystrike is a dangerous and easy-to-use PowerShell-based generator that creates malicious .xls documents carrying various payloads.
Luckystrike Provides a Lot of Options
The program is based on PowerShell, Microsoft’s own scripting and configuration shell, comparable to Bash and sh on Unix and Unix-like operating systems. It allows users to craft customized malicious files; at the moment only .XLS documents are supported, but .DOC support is planned. All predefined payloads are stored in a database, which makes it easy to manage large projects. The generator also gives criminals the ability to choose from a variety of infection methods, making it more likely that the malware executes while evading security software and other countermeasures.
Luckystrike is a self-contained PowerShell script which uses an SQLite database for storing and managing the payloads, code block dependencies, and sessions.
All you need to get started with Luckystrike are the following:
- PowerShell version 5 – The script runs under this shell
- Microsoft Office – The tool uses the Excel COM objects to generate the malicious documents
- The PowerShell PSSQLite module – If this component is not found on the system, the tool will try to install it
Luckystrike allows malicious users to use three different types of payloads – shell commands, PowerShell scripts, and executable files. All of them are stored in the tool’s SQLite database, which can be shared with other users.
The generated file can use one or many payloads and multiple infection types.
- Shell Commands – The shell commands run via PowerShell or the Windows cmd.exe and do not pop up or advertise their appearance to the user. They are very likely to get caught by anti-virus software.
- Metadata Infection – The payload is inserted into the metadata of the malicious file, in the Subject field, and a one-line macro executes it. This attack exhibits a low detection rate by security software and relies on social engineering the user into enabling the macro.
- CellEmbed PowerShell Script – Embeds a base64-encoded script into cells, split into chunks. A legend string is bundled with the payload so that it can be reconstructed at runtime. The payload itself can be inserted anywhere on the sheet; however, the minimum location is row 100 and column 150. The payload is saved to the C:\users\userid\AppData\Roaming\Microsoft\AddIns location as a .txt file. The macro reads the file and then launches the PowerShell script.
- CellEmbedNonBase64 PowerShell Script – The same as above, except the payload is not base64 encoded. The script reads directly from the modified cells and launches the payload via PowerShell without writing anything to disk.
- CellEmbed-Encrypted PowerShell Script – The user is prompted to enter the target’s email domain name. Luckystrike then encrypts the .ps1 file with that string prior to embedding. The macro code retrieves the user’s email address from Active Directory and decrypts the payload before running it. This helps the attacker because anti-virus software cannot decrypt the payload on its own.
- Certutil Executable Infection – Embeds a base64-encoded binary file into the cells and then saves the output as a .txt file to disk. It uses certutil to decode the payload, saves the result, and then runs it as an executable file.
- Save To Disk Infection – The executable payload is saved to the local disk and then run.
- ReflectivePE Infection – The executable payload and a copy of Invoke-ReflectivePEInjection are saved to the local disk as .txt files. The executable is run using Invoke-ReflectivePEInjection.
- Invoke-ReflectivePEInjection is used to reflectively load a DLL/EXE either into the PowerShell process or into a remote process.
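The infection methods above leave recognisable traces a defender can triage for: a launcher string in the document’s Subject property, and clusters of long base64 chunks (or plain script text) placed far outside the used area of the sheet, at or beyond row 100 / column 150. The following heuristic scanner is an added example written for this article, not code from the Luckystrike project; it assumes the document has already been exported to plain data (the Subject string and a list of (row, column, value) cells) and runs over a constructed sample.

```python
import base64
import re
from dataclasses import dataclass

# A base64 alphabet run of 40+ characters is the shape of an embedded chunk.
B64_RUN = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")
# Launcher strings associated with the methods described in the article.
LAUNCHER = re.compile(r"powershell|cmd\.exe|certutil|invoke-expression|\biex\b", re.I)
FAR_ROW, FAR_COL = 100, 150  # minimum embedding location named in the article


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def scan_subject(subject: str) -> list[Finding]:
    """Flag a Subject property that carries a launcher string (metadata infection)."""
    hit = LAUNCHER.search(subject or "")
    return [Finding("metadata-launcher", f"Subject contains '{hit.group(0)}'")] if hit else []


def scan_cells(cells: list[tuple[int, int, str]], min_chunks: int = 3) -> list[Finding]:
    """Flag clusters of base64 chunks or script text beyond the used area (CellEmbed variants)."""
    findings = []
    far = [(r, c, v) for r, c, v in cells if r >= FAR_ROW and c >= FAR_COL and isinstance(v, str)]
    b64_chunks = [(r, c) for r, c, v in far if B64_RUN.match(v)]
    if len(b64_chunks) >= min_chunks:
        findings.append(Finding("cellembed-base64", f"{len(b64_chunks)} base64 chunks from {b64_chunks[0]}"))
    script_cells = [(r, c) for r, c, v in far if LAUNCHER.search(v) and not B64_RUN.match(v)]
    if script_cells:
        findings.append(Finding("cellembed-plain", f"script text in {len(script_cells)} far cells"))
    return findings


def triage(subject: str, cells: list[tuple[int, int, str]]) -> list[Finding]:
    return scan_subject(subject) + scan_cells(cells)


# Constructed sample: a small benign table plus a chunk cluster at the far location.
SAMPLE_SUBJECT = "FY2016 budget; powershell"
SAMPLE_CELLS = [(1, 1, "Region"), (1, 2, "Revenue"), (2, 1, "North"), (2, 2, "1200")]
BENIGN_CELLS = list(SAMPLE_CELLS)
for i in range(4):
    chunk = base64.b64encode(f"constructed chunk {i} ".encode() * 3).decode()
    SAMPLE_CELLS.append((FAR_ROW + i, FAR_COL, chunk))

if __name__ == "__main__":
    for f in triage(SAMPLE_SUBJECT, SAMPLE_CELLS):
        print(f"{f.rule}: {f.detail}")
```

On a real workbook the same functions can be fed from an OLE/XLSX parser or the Excel COM objects; the thresholds are heuristics, so tune min_chunks and the launcher list to the sheets your organisation actually produces.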
To download or learn more about Luckystrike visit its GitHub page.