Wednesday, 26 February 2014

Remotely install a spy program with redpill Agent

We previously explained how to install spy software remotely in our article: How to remotely install spy software. This article used redpill Detective for the spy program and Wordpad as the delivery method. Some of our customers requested that we post an article on how to install remotely using redpill Agent as the spy program with a different delivery method. 

Instructions on how to install with redpill Agent:

Before we begin ...
  1. It is important to remember that no covert (secret, without the user knowing about the installation) remote installation is guaranteed. There are many factors that can cause an installation to fail including the type of operating system the user is using, the anit-virus he is using and if he has an additional two-way firewall installed.
  2. The success of your installation has a lot to do with your ability to convince the target (user you want to monitor) to open the attachment even if he gets a warning that the program is unknown and potentially malware … we will explain how to do this.
  3. Please do not use redpill Agent illegally and always respect people's privacy. Redpill Agent is intended as a tool for legal ethical hacking like penetration testing. 
Step 1: Choose your cover

The target will receive an email with an attachment. He/she needs to open the attachment and run the program (cover application) inside the attachment. It is there for very important that you choose the correct cover application to send the target and convince the target to run the cover application using social engineering

redpill Agent has several cover applications to choose from and even allows you to create your own.  A cover application is an application that gives the impression of doing something while it is actually busy installing the spy program.

It is also important to try and get some information about the target. Let's say we know the target is a self employed contractor who recently did some work for a company called 'The Company'. We will use a cover that the The Company's server was infected with a virus and everyone who received an email from them should 'clean' their computers with a Virus Removal Tool that they will receive from The Company.

Step 2: Create your cover application (Instal module)

Log into your redpill Agent account and select your cover application. As we want to use a virus removal tool we will choose the closest one to that … the Trojan Removal Tool. 

We will now change some wording and the filename so that it will better work for our virus removal tool. You could use a virus name that is currently in the news. For this example we will call the virus XXX and make changes to the cover application settings as below:

That's it. Now just click on 'Download Install Module'.

Step 3: Choose your delivery method

Most email service providers do not allow you to send an executable (exe) as an attachment. You can send the attachment as a link or embed the file into a Wordpad document. For this example we will use a rar file.

You use WinRar to create the rar file. A rar file is similar to a zip file. You need to add a password to the rar file. The reason for this is to reduce the risk of detection by the service email provider like gmail and anti-virus software.

For a password choose something easy as you will need to give it to your target. For this example we used 'xxx'.

Step 4: Email the target

Remember, you need to convince the target to run the attachment. Click on the image below and read the email to see how we used social engineering to convince the target not only to run the attachment but even ignore any warnings he might get!

As your social engineering skills improve you can even convince the target to disable his anti-virus. Remember to tell the user what the password of the rar file is.

Step 5: Monitor the target

You will now start to receive screen-shots and key logs of what the target is doing on his computer. 

For more information on redpill Agent visit: