Cracked/Pirated software, games, game cheats are certainly a good target for hackers to hide their mischievous programs like RATs, adware, miners, etc.
The reason? Because there are many people browsing the web who are desperate to get a "pay to use" software for free of cost, or to play their favorite video game without paying, or to cheat in a game by using a cheat script written by someone else. So basically, there's a very high traffic volume for stuff like this.
So here's what a hacker can do,
Crack a software that is famous but also is quite expensive.
Attach their own RAT (Remote Access Trojan) to it.
Distribute it on the Internet for free.
So when people download this cracked/pirated version of the software, the hacker's trojan gets into their computer. Once the RAT gets into the victim's computer, everything on the computer can be stolen by the hacker.
But, what about the anti-virus program on the victim's computer? Nice question.
There are ways to get around anti-virus detection. Here's how,
Just ask the victim to turn off their anti-virus. It sounds silly, but it is actually not. Most of the people downloading pirated stuff from the Internet are ready to turn off their anti-virus protection if they were asked to. I've personally seen on many pirated software websites that the instructions to install the pirated software include turning off the anti-virus protection. Considering how desperate people are to get something for free, I'd say at least 50-70% of them would turn their AV protection off.
Using a crypter to encrypt the trojan so that the anti-virus software cannot scan it. AVs detect a file as a virus using signatures. If the file downloaded from the Internet has a similar signature to that of an already detected malicious file, then the downloaded file gets flagged as malware. Besides this, they also collect file samples automatically to analyze them. What a crypter can do is, encrypt the actual trojan with a key, and then generate an innocent-looking program called stub, which will do some random stuff (that is not malicious) when executing, but after a certain time, it decrypts the trojan with the key, loads the file into memory, and execute it. So AVs cannot detect the actual trojan immediately (this is enough for the RAT to successfully run on the victim's computer).
But every crypter eventually fails to bypass AV detection, because as I said samples are automatically collected an analyzed by the AV team, and once detected as malware, signatures are generated which will identify any other file encrypted with the same crypter as a trojan. A "never seen before" crypter with a "never seen before" stub can, however blind AV detection for quite sometime, like a day, or a week, or maybe even a month.
For the same reason, many crypters are not publicly available, they are only available on a subscription-based model, so that very few will have access to them, and hence the lesser rates of detection.
In this post, I will not be using any special crypter though, instead I will be using publicly available WinRAR's self extracting(sfx) utility, and encrypt it with a password too. But the rate of detection is high for this.
The Process
I will use a famous, open-source RAT called AsyncRat in this post. This works on Windows with a GUI. You can create your own exe RAT file with this.
I will add a port to listen to, and then configure my IP address (since I'm going to run this RAT on my virual machine, I'm using my local IP address). If you're planning to run your RAT on a computer outside your network, you need to put in your static IP address and make sure port forwarding is configured on your router.
I can even configure assembly information and the Icon for the file. I will simply clone the information of Internet Download Manager for my file. This will also give my file the icon of IDM.
So finally here is my RAT, hello.exe
Now I need to attach this with some software. Let's attach it to Internet Download Manager, a famous download manager. I'm not even attaching it to the pirated/cracked version. I will be attaching it to the legit setup file of IDM, but you can attach it to whatever you want.
I wrote a simple C code to bind two files. This is probably the lamest way to bind two files, but hey, it works. There several other efficient ways to bind two files, but I will go with this one.
I then compiled this into binder.exe
Now I will combine these three files (my rat, idm setup, and the binder) into an sfx archive.
You need WinRAR to do this.
Select the three files, right-click and choose add to archive.
Select Create SFX archive, and set a password of your choice. Choose the compression method as best.
Go to Advanced tab, and select SFX options.
Go to General, and put the extraction path as %temp%
In the Setup tab, write binder.exe in the "Run after extraction"
Go to Modes tab, select "Unpack to temporary folder" and select "Hide all" in Silent mode. You can also go to Text and Icon tab to change the icon of your file.
Now click OK, and wait for the sfx file to be created. The extension of this file will .exe
Now, compress this exe file (sfx archive) into a zip file, and also encrypt it with the password.
You can do that by using WinRAR. Just repeat the same process as above, but do not use an sfx archive, and select archive format as ZIP, and don't forget to set the password!
Setting a password on this zip file will prevent the browser or AV from blocking the download of the file. As it is encrypted with a password, there is no way for a browser or AV to extract the zip file, and scan it.
And that's it, we now have our final ZIP file!
So this is the simplest way to bind a RAT to a cracked software/game. This is not the most efficient way as many AVs will detect it as malware, but hey, I gave you a basic understanding about how it works, right?
If you liked this post, please leave a like, and a comment below!
Cheers!