Spoofing the backdoor extension is a social engineering technique used to disguise a malicious executable as a harmless document or media file so that a user is more likely to open it. It exploits the fact that Windows hides known file extensions by default, so a file named payload.txt.exe is displayed simply as payload.txt. To implement this technique, first generate your undetectable payload with the Veil Framework as described in the previous steps. Once the executable has been generated and is located in the output directory, rename it to use a double extension or a misleading name. A common approach is to rename the file to something innocuous such as Annual_Report.pdf.exe, which will likely appear as Annual_Report.pdf on the target machine.
For a more advanced and effective method, you can use the Right-to-Left Override character to visually reverse the extension, making the file appear to be a completely different type from what it actually is. For example, to make a file named payload.exe appear as a text document, rename it to payloadgnp.exe and insert the Unicode character U+202E between the ‘p’ and the ‘e’. This character reverses the display order of the text that follows it, so the file looks like payload.txt on the user’s screen while the operating system still treats it as an executable. In addition, changing the file icon to match the spoofed extension, such as using a PDF icon for an .exe file, significantly increases the likelihood of success.
After renaming the file and modifying its icon, make sure your Metasploit listener is ready to catch the connection when the user executes the file. Open msfconsole, configure the multi/handler, and set the payload, LHOST, and LPORT to the same values used in Veil. When the user clicks the spoofed file, the malicious code executes in the background and establishes a session, while the user remains unaware because they believe they have simply opened an ordinary document or image.
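From the defender's side, both tricks above (a U+202E override and a document-looking double extension in front of an executable extension) can be flagged mechanically. The following is an added example, not part of the original text or of Veil or Metasploit: the extension lists are assumptions and not exhaustive, and the display logic is a simplified model of bidi rendering that covers the cases described.

```python
# Extensions Windows treats as directly executable (assumed list, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "pif", "vbs", "js",
                   "hta", "msi", "ps1", "lnk"}
# Extensions a user would read as a document or media file (assumed list).
DOCUMENT_EXTS = {"pdf", "txt", "doc", "docx", "xls", "xlsx", "png", "jpg",
                 "jpeg", "mp4"}
# Unicode bidi control characters; RLO is U+202E, PDF (pop) is U+202C.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")


def strip_controls(name):
    """Remove bidi controls; this is the form the OS uses to pick the extension."""
    return "".join(c for c in name if c not in BIDI_CONTROLS)


def displayed_name(name):
    """Approximate what a bidi-aware file browser shows: text after a U+202E
    is drawn reversed until a U+202C pop (or the end of the string)."""
    rlo = name.find("\u202e")
    if rlo == -1:
        return strip_controls(name)
    rest = name[rlo + 1:]
    pop = rest.find("\u202c")
    tail, after = (rest, "") if pop == -1 else (rest[:pop], rest[pop + 1:])
    return name[:rlo] + tail[::-1] + after


def true_extension(name):
    """Extension the OS acts on: text after the last dot, controls stripped."""
    clean = strip_controls(name)
    return clean.rsplit(".", 1)[1].lower() if "." in clean else ""


def analyze(name):
    """Return a list of findings for one filename; an empty list means clean."""
    findings = []
    real = true_extension(name)
    shown = displayed_name(name)
    if any(c in BIDI_CONTROLS for c in name):
        findings.append(f"bidi control character present; displays as {shown!r}")
    parts = strip_controls(name).lower().split(".")
    if real in EXECUTABLE_EXTS and len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
        findings.append(f"double extension: looks like .{parts[-2]} but is .{real}")
    shown_ext = shown.rsplit(".", 1)[1].lower() if "." in shown else ""
    if real in EXECUTABLE_EXTS and shown_ext != real:
        findings.append(f"displayed extension .{shown_ext} differs from real .{real}")
    return findings
```

Running analyze() over the names in a mail attachment or download directory surfaces exactly the mismatch the user cannot see; a hardening step that complements it is disabling "Hide extensions for known file types" in Explorer.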