Backdoors embedded alongside installers
What is PyInstaller and why do we need it?
PyInstaller is basically a binary that bundles within it: Python, your Python dependencies, your Python scripts, as well as any other binaries (.exe or .dll) you would like to include. You may also link in an icon resource at build time. Why do I use PyInstaller? Because it is common enough that it won't itself be flagged as a virus or as malware, but I can still pack malicious code inside.
What malicious code?
A legitimate installer or program, meaning any piece of compiled code (an .exe) not related to this project's code, can be imported in and executed at the same time my reverse shell starts. The malicious code does its business in the background, forking off as another process and copying itself to a new location, while the user is using the installer or program as normal, with no knowledge of the backdoor that is about to pop back through the firewall connecting "outbound" towards a netcat listener. While this is happening, a registry key is created which enters our reverse shell into the system's Administrator level startup chain. It's easy to spot if you know what you are looking for, but generally, this will be persistent long enough that you can allot yourself a couple of mistakes and still have access to the machine (not get locked out). If you happen to get disconnected, kill and then restart the netcat listener with:

    nc -l -p 7777 -v

(change the port as necessary), and within a couple of seconds the reverse shell loops back around and fires off another connection request towards your listener with another Administrator shell.
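As an added, defender-side example (not code from this post): a small Python scanner that recognises a PyInstaller bundle by its archive cookie and flags Run-key startup entries pointing at such a bundle outside Program Files or Windows, the combination the post describes (self-copy to a new location plus a startup registry entry). The 88-byte cookie layout and the Python-version encoding are assumptions about PyInstaller's format, not something the post states, and `read_file` is injected so the check runs on constructed bytes.

```python
import re
import struct

# PyInstaller marks its bundled archive with a fixed "cookie" (CArchive magic plus a
# trailer). The layout below is the 88-byte PyInstaller 2.1+ format that extraction
# tools parse; it is assumed here, not taken from the post.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FORMAT = "!8sIIii64s"  # magic, package length, TOC offset, TOC length, python version, libname
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)
TRUSTED_DIRS = re.compile(r"^[A-Za-z]:\\(Program Files( \(x86\))?|Windows)\\", re.IGNORECASE)


def find_pyinstaller_cookie(data: bytes):
    """Return the parsed cookie if `data` carries a PyInstaller bundle, else None."""
    pos = data.rfind(PYINSTALLER_MAGIC)  # rfind: signatures/overlays may follow the cookie
    if pos < 0 or pos + COOKIE_SIZE > len(data):
        return None
    _, pkg_len, _, _, pyver, libname = struct.unpack(COOKIE_FORMAT, data[pos:pos + COOKIE_SIZE])
    # Assumed encoding: newer bundles store 3.11 as 311, older ones stored 3.7 as 37.
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    return {"python": f"{major}.{minor}", "package_len": pkg_len,
            "pylib": libname.rstrip(b"\x00").decode(errors="replace")}


def executable_path(command: str) -> str:
    """Pull the executable out of a Run value like '"C:\\x\\a.exe" --quiet' or 'C:\\x\\a.exe /s'."""
    quoted = re.match(r'\s*"([^"]+)"', command)
    if quoted:
        return quoted.group(1)
    return re.split(r"\s+[-/]", command.strip(), maxsplit=1)[0]  # cut at the first switch


def flag_startup_entries(entries, read_file):
    """entries: {value_name: command} read from a Run key; read_file(path) -> bytes.
    Flags PyInstaller bundles started from outside Program Files / Windows."""
    findings = []
    for name, command in entries.items():
        exe = executable_path(command)
        try:
            cookie = find_pyinstaller_cookie(read_file(exe))
        except OSError:  # missing or unreadable target: nothing to scan
            cookie = None
        if cookie and not TRUSTED_DIRS.match(exe):
            findings.append({"value": name, "path": exe, **cookie})
    return findings


def build_sample_bundle(pyver=311, libname=b"python311.dll") -> bytes:
    """Constructed sample: junk 'executable' bytes with a PyInstaller-style cookie appended."""
    cookie = struct.pack(COOKIE_FORMAT, PYINSTALLER_MAGIC, 4096, 512, 256, pyver, libname.ljust(64, b"\x00"))
    return b"MZ" + b"\x90" * 200 + cookie
```

A PyInstaller bundle is not malicious by itself (plenty of legitimate software ships this way), so treat a hit as a triage lead and confirm the copy location and any outbound connections on the host.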
The shell’s code
This isn't particularly interesting shellcode, however it is handy. I recommend editing it to your use case in Notepad++ because things like the attacker host and port are hard coded.
The packed loader
Build
Then all you need to do is build the project with:
Then run the .bat and send it on its way to be picked up by an unsuspecting computer user.
The End
In the end this is pretty evil code and should never be used against a target. Seriously, under any circumstances, ever. It looks benign and totally compromises a machine while hiding its existence and persistently opens connections to pwn the machine.
Do. Not. Abuse. This. Code.
If you enjoy my work, sponsor or hire me! I work hard keeping oxasploits running!
Bitcoin Address:
bc1qclqhff9dlvmmuqgu4907gh6gxy8wy8yqk596yp
Thank you so much and happy hacking!