Embed A Malicious Executable in a Normal PDF or EXE


DISCLAIMER: Using these tools and methods against hosts that you do not have explicit permission to test is illegal. You are responsible for any trouble you may cause by using these tools and methods.

About malicious executables

What is a malicious executable?

A malicious executable refers to a program or file that is specifically designed to perform harmful actions on a computer system or network. These actions can range from stealing sensitive information, disrupting system functionality, or providing unauthorized access to the attacker.
Malicious executables often take the form of:
Viruses: Self-replicating programs that attach themselves to other executable files or documents, spreading from one system to another.
Worms: Similar to viruses but capable of spreading independently across networks without the need for a host file. Worms can exploit vulnerabilities in network services to propagate.
Trojan Horses (Trojans): Programs that appear harmless but contain malicious code. They deceive users by pretending to be legitimate software or files.
Ransomware: Malicious software that encrypts a user's files and demands payment (usually in cryptocurrency) for their release. Ransomware is designed to extort money from victims.
Spyware: Software that secretly gathers information about a user or organization without their knowledge. This can include keystroke logging, capturing screenshots, or monitoring online activities.
Backdoors: Programs or methods that provide unauthorized access to a system, allowing attackers to control the system remotely.

Definition:

The creation and distribution of malicious executables are typically associated with cybercriminal activities. Protecting against such threats involves implementing robust cybersecurity measures, such as using antivirus software, keeping software up to date, practicing secure browsing habits, and employing network security protocols. Regular system audits and penetration testing can also help identify and address vulnerabilities before they can be exploited by malicious executables.

Common Issues:

Malicious executables can cause a variety of issues on computer systems and networks. Here are some common problems associated with the presence of malicious executables:
1. Data Theft.
2. System Disruption.
3. Ransomware Attacks.
4. Unauthorized Access.
5. Network Spread.
6. Botnet Formation.
7. Privacy Violations.
8. Financial Loss.
9. Reputation Damage.

Preventive Measures:

Protecting against these issues involves implementing strong cybersecurity measures, including using antivirus software, regularly updating software and systems, employing network security protocols, and educating users about safe online practices. Additionally, performing regular security audits and penetration testing can help identify and address vulnerabilities before they are exploited by malicious executables.

Embed A Malicious Executable in a Normal PDF or EXE

Step 1: We’re going to show how to create a malicious executable that looks like a PDF, Word doc, or web browser executable, keeps the functionality of the normal file/program, and also runs our embedded malicious executable. To do this, we are going to use WinRAR.
We’re going to assume we already crafted our malicious executable that will do something on the victim host or send us a reverse shell. The following are the steps for creating our file that looks legit:

Find an icon PNG for what you want your malicious executable to look like using https://iconfinder.com. In this example we are using Chrome, but you can search for any file type logo. Click ‘Download PNG’.

Step 2: Convert the icon PNG to a .ico file using https://iconconverter.com. Upload the previous PNG and click ‘Convert’.

Step 3: On your desktop, select and right-click the real Chrome browser exe (in my case) together with the malicious executable and select ‘Add to Archive…’ to create a combined archive.

The Archive file name is just going to be chrome.exe to look legit. Make sure ‘Create SFX archive’ is checked.

Click Advanced > SFX options > Setup and input the following:

Enter test.exe (your malicious exe) and the legitimate chrome.exe (the program to open after the malicious exe has run).

Input file icon

Step 4: After entering the above parameters, click ‘OK’ and the archive called chrome.exe will pop up on the Desktop with the correct Chrome icon. Double-clicking chrome.exe will execute my malicious executable and also open a browser tab like normal. Nothing else is needed to bypass Defender when executing our exe alongside another non-malicious exe, so the job is done.
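From the defender’s side, the SFX trick above leaves a structural trace: the WinRAR self-extractor is a PE stub with the RAR archive appended after its last section (the “overlay”). The following Python triage script is an added example, not code from the original post; it uses a minimal hand-written PE parser (no optional-header validation) and a constructed, non-runnable PE image to exercise it.

```python
import struct

RAR4_SIG = b"Rar!\x1a\x07\x00"        # RAR 1.5-4.x marker block
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"    # RAR 5.x signature


def pe_image_end(data: bytes) -> int:
    """Offset where the last section's raw data ends, i.e. where the overlay begins.
    Minimal parser: DOS header -> e_lfanew -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sect_table = coff + 20 + opt_size
    end = sect_table + num_sections * 40          # never shorter than the headers
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at offset 16 of each 40-byte entry
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def find_appended_rar(data: bytes) -> dict:
    """Look for a RAR archive in the overlay, the layout a WinRAR SFX stub produces."""
    end = pe_image_end(data)
    overlay = data[end:]
    for sig, fmt in ((RAR5_SIG, "RAR5"), (RAR4_SIG, "RAR4")):
        pos = overlay.find(sig)
        if pos != -1:
            return {"sfx": True, "format": fmt, "overlay_size": len(overlay),
                    "archive_offset": end + pos}
    return {"sfx": False, "format": None, "overlay_size": len(overlay),
            "archive_offset": None}


def build_sample_pe(overlay: bytes = b"") -> bytes:
    """Constructed minimal PE (one section at 0x200-0x400, empty optional header)
    used only to exercise the parser; it is not a real executable."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200,
                                        0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + coff + sect
    return headers + b"\0" * (0x400 - len(headers)) + overlay
```

A large overlay is also common in legitimate signed installers, so treat a hit as a triage indicator to pair with the signer check and the icon/name mismatch, not as a verdict on its own.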


Step 5 (optional, if using a file type other than exe, such as PDF): We are going to use Right-To-Left Override (RTLO) to make the created archive look like a PDF on the desktop while it still executes as an EXE. Right-To-Left Override (RTO or RTLO) is a non-printing Unicode control character (U+202E) used for languages written right to left. Any text that follows it is displayed in reverse order, so the file name on screen no longer matches the real name.

Let’s change the file name to something that would look semi-normal flipped around like Reflexe.pdf. We will insert our Unicode so that it looks like Refl[Invisible Unicode stuff]exe.pdf on the victim desktop, but is actually Refl[invisible Unicode stuff]fdp.exe.


Step 6: Open the Character Map app on Windows and check the ‘Advanced View’ box. In the ‘Go to Unicode’ field, type in 202E. Hit the ‘Select’ and ‘Copy’ buttons in turn, then edit the file name of the WinRAR archive we created. Enter the file name Refl[CTRL+V]fdp.exe, placing the cursor where indicated and pasting the Unicode character there. The file name should change to Reflexe.pdf as soon as you paste.


NOTE: But we have a problem. Because this is a known file type (.pdf) that is initiating an executable, it is flagged by Windows Defender very quickly.


Step 8: One way to get around this is using homoglyphs. At the end of the day, we only want this to look like a PDF to the user, so how likely is it that they’ll notice that one letter looks a little different? I used this resource to manually test what Defender would flag:

https://www.irongeek.com/homoglyph-attack-generator.php

I focused on the letters p, d, and f to see if I could swap any out without it being noticed, and I found a variation of ‘f’ that looked suitable. I swapped the homoglyph ‘f’ for the normal ‘f’ in the name Reflfdp.exe and then inserted the RTLO right before it, as before, to create Reflexe.pdf, which should present a different signature to Defender:

Homoglyph ‘f’

File name with fake ‘f’ vs File name with real ‘f’
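Both renaming tricks (the RTLO in Step 5/6 and the homoglyph in Step 8) can be caught by comparing what a file name displays as with the extension the OS actually dispatches on. The Python below is an added example, not code from the original post; its display model simply reverses the text after U+202E (a simplification of the full bidi algorithm), and the fullwidth ‘ｆ’ (U+FF46) is a constructed stand-in for whichever glyph the author picked.

```python
import unicodedata

# Unicode bidirectional controls that can reorder how a file name is rendered.
BIDI_CONTROLS = {"\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
                 "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
                 "\u2069": "PDI"}


def displayed_name(name: str) -> str:
    """Approximate what the user sees: text after the first U+202E is drawn reversed."""
    i = name.find("\u202e")
    return name if i == -1 else name[:i] + name[i + 1:][::-1]


def extension_of(name: str) -> str:
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def real_extension(name: str) -> str:
    """Extension the OS uses: after the last '.' of the raw string. Bidi controls
    are dropped because they change rendering, not the stored character order."""
    return extension_of("".join(c for c in name if c not in BIDI_CONTROLS))


def lookalike_chars(name: str) -> list:
    """Each non-ASCII character with its Unicode name and NFKC fold. Full-width
    homoglyphs fold to their ASCII twin; other scripts are still reported."""
    return [(c, unicodedata.name(c, "?"), unicodedata.normalize("NFKC", c))
            for c in name if ord(c) > 0x7F and c not in BIDI_CONTROLS]


def analyze_filename(name: str) -> dict:
    bidi = [BIDI_CONTROLS[c] for c in name if c in BIDI_CONTROLS]
    shown = displayed_name(name)
    shown_ext, real_ext = extension_of(shown), real_extension(name)
    look = lookalike_chars(name)
    return {"displayed": shown, "displayed_extension": shown_ext,
            "real_extension": real_ext, "bidi_controls": bidi, "lookalikes": look,
            "suspicious": bool(bidi) or shown_ext != real_ext or bool(look)}


# Constructed sample names: the post's RTLO name, the same with a fullwidth 'f'
# (U+FF46) standing in for the author's homoglyph, and a benign control.
SAMPLE_NAMES = ["Refl\u202efdp.exe", "Refl\u202e\uff46dp.exe", "report.pdf"]


def flag_suspicious(names=SAMPLE_NAMES) -> list:
    return [n for n in names if analyze_filename(n)["suspicious"]]
```

Run over a download directory listing or an e-mail attachment log, this flags the name before anyone double-clicks it, independently of whether Defender has a signature for the payload inside.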


Step 9: Sweet, you can’t (I can’t...) tell the difference by looking at it! With my new .pdf extension, Windows Defender actually started a scan before the PDF opened, let it open, and then quarantined my PDF file a couple of seconds later. However, this was after my malicious executable initiated the reverse shell. In my case, I receive a netcat shell through Villain on my attacker machine:


Now we just social engineer the victim to download and open this Reflexe.pdf or chrome.exe on their Windows host. I hope you enjoyed this!