
How to Make an Undetectable Payload, Part 2 (Hiding the Payload) «Null Bytes :: WonderHowTo



Once a hacker has created a PowerShell payload that bypasses antivirus software and has msfconsole set up on their attack system, they can disguise the executable file to make it look like a plain text file. This makes it possible for a Windows 10 user to open the payload without realizing that they are running an executable.

The Unicorn-generated PowerShell payload works as expected on the Windows 10 target computer. It creates a reverse HTTPS connection back to the attacker's Kali system while evading Windows Defender and Avast antivirus detection. That's all great, but the real challenge is getting the target Windows user to run the code on their computer.

To accomplish this, a few things can be done to the PowerShell payload before it is sent to the victim. The payload must be converted into a Windows executable (EXE), and its icon (ICO file) must be changed to look like that of a regular text file. The biggest red flag that the fake text file is actually an executable is the file extension. Some Windows users disable the "Hide extensions for known file types" option to protect against file extension spoofing attacks. In this article, I'll show how to spoof the file extension even when file extensions are displayed.

For readers who may have skipped the first part of this article, here is the GIF again showing the real and fake text files side by side:

The file on the left is a real text file. The file on the right is the PowerShell payload, which was designed to open Notepad before running the PowerShell payload.

Step 1: Save the PowerShell Payload

The following steps require a Windows operating system. I recommend using a Windows 10 virtual machine (VM) in VirtualBox.


Before going further, the previously created PowerShell payload should be moved to the Windows system and saved as payload.bat with Notepad or your favorite text editor. The payload.bat file will be manipulated to appear as a plain text file in the following steps.

Step 2: Download the Windows 10 Icons

Windows 10 icons must be downloaded to begin converting the payload.bat file into a fake text file. These icons are used to fake the file icon. You can download the Windows 10 icons with git clone 'https://github.com/B00merang-Project/Windows-10-Icons'.

 git clone 'https://github.com/B00merang-Project/Windows-10-Icons'

 Cloning into 'Windows-10-Icons'...
 remote: Counting objects: 3495, done.
 remote: Total 3495 (delta 0), reused 0 (delta 0), pack-reused 3495
 Receiving objects: 100% (3495/3495), 14.69 MiB | 294.00 KiB/s, done.
 Resolving deltas: 100% (393/393), done.
 Checking connectivity... done.

This repository may not contain exact replicas of the built-in Windows 10 icons, but they look close enough and will work well for the purposes of this article. If readers are able to design icons or find better icons online, feel free to use those instead.

I'm using text-x-generic.png from the Windows-10-Icons/256x256/mimetypes/ directory, but any PNG will work.

Step 3: Convert the PNG to ICO Format

The PNG must be converted to the Windows ICO icon format. This can be done with online tools like ConvertICO: simply upload the desired PNG to the website and it will convert it to ICO format. Save the new ICO with the filename fakeTextFile.ico.

Step 4: Install BAT2EXE

I've covered BAT2EXE (B2E) in a previous article. It's a great tool for converting BAT files into Windows executables.

To download B2E from the official site, users must mine cryptocurrency in their browser for several minutes to download the free software. If you want to support the B2E developer, go to the download page and get the latest B2E software. Otherwise, readers can use my mirror of a slightly older version of B2E.

Using my GitHub mirror, visit the following URL in Windows to download B2E:

 https://github.com/tokyoneon/B2E/raw/master/Bat_To_Exe_Converter.zip

Unzip the download and run the "Bat_To_Exe_Converter_(Installer).exe" file to install it.

Step 6: Trojanize the Payload

Then add the word "notepad" to the top of payload.bat and click "Save." This opens the Notepad executable on the Windows computer before running the PowerShell payload, which will make the target user believe the file they just clicked on is actually a legitimate text file.

There's a lot more that could be done to convince someone the file is legitimate. For example, if Notepad isn't the default text editor, it may look suspicious that this one file opens Notepad when all other text files open in Notepad++, a popular third-party text editor. So it might be desirable to modify the BAT to open the default program instead of Notepad. Opening a blank editor when the file reports a size of 12 KB may also be suspicious, so adding text to the file, or modifying the EXE to first download an actual text file, could improve the effectiveness of such attacks. For the sake of simplicity, I'll continue as is, with the BAT opening a blank Notepad. This will hopefully show how easy it is to create Trojans and get readers on the right track to tailoring this attack to their individual needs.

Step 7: Convert & Export the Payload

Check the "Icon" option to enable it and import the fakeTextFile.ico icon created earlier using the "..." button. Then change the exe format to "64-bit Windows | (Invisible)" to prevent a terminal window from being displayed to the target user when the file is opened.

Click the "Convert" button to create the EXE, and save it with the filename fake.exe.

After fake.exe is saved to the desktop and placed next to a real text file, readers may notice a thin red line on the spoofed text-file icon that the real one lacks. This can be easily resolved by using a better Windows 10 icon set or by spoofing a different file type.

Step 8: Spoof the File Extension with Unicode

The bigger problem is the file extension. The "Hide extensions for known file types" option in File Explorer options doesn't hide file extensions from the Windows operating system. To work around this, a Unicode character named "Right-to-Left Override" (RLO) is used to reverse the order of the characters in the file name. It's important to understand that the characters are not actually reversed; Windows only displays them reversed. Windows still recognizes the file extension as EXE.

As seen in the above GIF, the invisible RLO character sits between the filename ("fake") and the fake file extension ("txt"). All the RLO character does is change the order in which the characters are displayed in the file name. Unfortunately, the "exe" must remain in the fake filename.

How to Protect against File Extension Spoofing Attacks

Since our entire goal here was to create an undetectable payload, antivirus software isn't really a good option for protecting against this kind of file extension spoofing attack.

One thing you can do is simply zoom in when looking at files downloaded from the internet. In our case above, you wouldn't be able to tell at first glance that the icon doesn't match other text files, but on closer inspection you'd see that something is off.

If you're suspicious of a file or its source, try to rename it. Be careful not to double-click on it; instead, right-click the file and choose "Rename" from the context menu. When Unicode is used, renaming the file with characters found on a standard keyboard removes the Unicode characters, revealing its true extension.
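The following Python script is an added example (not code from the article or from tokyoneon) that makes the point of Step 8 and of the rename advice above concrete from the defender's side: it scans file names for Unicode bidirectional control characters, shows the extension Windows actually uses (the text after the last dot in the raw string) next to the extension a viewer is shown, and strips the control characters the way renaming with plain keyboard characters does. The file names in SAMPLE_NAMES are constructed for the demonstration; the rendering logic is a simplified approximation of display behaviour after an RLO, not the full Unicode Bidirectional Algorithm.

```python
"""Detect Right-to-Left Override (RLO) file-extension spoofing.

Added example, not the article's own code. The rendering below is a
simplified model of how a bidi-aware display reorders text after U+202E;
it is enough to show why "fake<RLO>txt.exe" is displayed as "fakeexe.txt".
"""
import os
import unicodedata
from typing import Iterable, List

# Unicode bidi control characters that can reorder displayed text.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",   # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",             # LRI, RLI, FSI, PDI
    "\u200e", "\u200f",                                 # LRM, RLM
}


def real_extension(name: str) -> str:
    """Extension as the OS sees it: text after the last '.' in the raw string."""
    return os.path.splitext(name)[1].lower()


def rendered_name(name: str) -> str:
    """Approximate what a viewer shows: text after an RLO (U+202E) appears
    reversed until a PDF (U+202C) or the end of the name; other bidi
    controls are invisible and simply dropped."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            j = name.find("\u202c", i + 1)
            end = len(name) if j == -1 else j
            out.append(name[i + 1:end][::-1])
            i = end + 1 if j != -1 else end
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def strip_bidi(name: str) -> str:
    """What 'Rename' with keyboard characters achieves: remove the controls."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def analyze(name: str) -> dict:
    """Compare the displayed extension with the one the OS will execute."""
    controls = [f"U+{ord(c):04X} {unicodedata.name(c)}" for c in name if c in BIDI_CONTROLS]
    shown = rendered_name(name)
    real = real_extension(name)
    return {
        "name": name,
        "rendered": shown,
        "apparent_extension": real_extension(shown),
        "real_extension": real,
        "bidi_controls": controls,
        # Spoofed: bidi controls present and the shown extension differs from the real one.
        "spoofed": bool(controls) and real_extension(shown) != real,
    }


def scan(names: Iterable[str]) -> List[dict]:
    """Return findings for every name that carries bidi control characters."""
    return [r for r in (analyze(n) for n in names) if r["bidi_controls"]]


# Constructed sample names: a benign file and two RLO-spoofed executables.
SAMPLE_NAMES = ["notes.txt", "fake\u202etxt.exe", "report\u202efdp.scr"]

if __name__ == "__main__":
    for finding in scan(SAMPLE_NAMES):
        print(f"shown as {finding['rendered']!r:22} real ext {finding['real_extension']:6} "
              f"sanitized {strip_bidi(finding['name'])!r}  controls {finding['bidi_controls']}")
```

To check a real download folder, replace SAMPLE_NAMES with os.listdir(path); a sanitized name (strip_bidi) can also be used as the target of an os.rename to remove the trick permanently.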

And until next time you can find me in the Darknet.

Do Not Miss: Creating a Fake PDF Trojan with AppleScript for macOS Users

Title image by Justin Meyers / Null Byte; Screenshots of tokyoneon / zero byte
