SASFIS Malware Uses RLO Technique
Background of the Attack
In a recent spam run, TrendLabs℠ engineers came across samples of spammed messages using the right-to-left override (RLO) technique. The RLO technique, which was more commonly associated with spamming in the past, has now become a new social engineering tactic.
How do users get this Web threat?
It arrives via a spammed message with a .RAR file attachment. Extracting the compressed file reveals what appears to be an .XLS file. In reality, however, the file is a screensaver detected by Trend Micro as TROJ_SASFIS.HBC. This Trojan drops a file detected as BKDR_SASFIS.AC, which allows threads to be injected into the normal svchost.exe process.
What happens once the threat gets inside computers?
Once users extract the compressed .RAR file on their systems, the extracted file detected by Trend Micro as TROJ_SASFIS.HBC is installed on the affected system. The said file appears to be an MS Excel file named (phone&mail).[U+202E]crs.xls. Its real file name (minus the Chinese characters) is (phone&mail).[U+202E]slx.scr, wherein U+202E is the Unicode control character that tells the system to render the succeeding characters from right to left. This technique is known as the right-to-left override (RLO) technique.
Because of the RLO technique, users see an .XLS file instead. This could lead them to believe that the file is indeed an MS Excel file and thus “safe” to open, when in reality it is an executable .SCR file.
How are users affected by this threat?
Using the RLO technique, this Trojan is able to conceal its actual file name and disguise itself as a legitimate and seemingly harmless file, such as an .XLS or a .TXT file. For instance, it may use the file name I-LOVE-YOU-XOX[U+202E]TXT.EXE; after applying RLO, the system renders its file name as I-LOVE-YOU-XOXEXE.TXT.
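The two file names above show the mechanism: the operating system keys on the last dot of the real string, while the user sees the override-reversed rendering. The following is an added example (not code from the original article or from Trend Micro) of how a mail gateway or attachment scanner can flag such names: it looks for Unicode bidi control characters, approximates how a renderer would display the name, and reports the extension the OS will actually honour. The sample file names are the article's two examples plus a constructed benign one; the display logic is a deliberate simplification of the Unicode Bidirectional Algorithm (it reverses the run after U+202E up to U+202C or the end of the string).

```python
"""Flag right-to-left override (RLO) spoofing in attachment file names.

Added example, not the article's code: detect Unicode bidi control
characters in a file name, approximate the spoofed display, and report the
real extension so that an .xls that is really a .scr is caught.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
import unicodedata

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, the character the article describes
PDF = "\u202c"  # POP DIRECTIONAL FORMATTING, ends an override run
# Explicit bidi embeddings/overrides/isolates; none of them belongs in a file name.
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069"
)
# Extensions Windows will execute when double-clicked (constructed, non-exhaustive list).
EXECUTABLE_EXTS = frozenset({".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"})


@dataclass
class Verdict:
    raw_name: str
    displayed_name: str   # what the user is likely to see
    true_extension: str   # what the OS will act on
    has_bidi_control: bool
    suspicious: bool
    reason: str


def approximate_display(name: str) -> str:
    """Approximate the rendered file name.

    Simplification of the Unicode Bidirectional Algorithm: every run after an
    RLO up to the matching PDF (or end of string) is drawn reversed; other
    bidi control characters are invisible and dropped.
    """
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            j = name.find(PDF, i + 1)
            end = len(name) if j == -1 else j
            out.append(name[i + 1:end][::-1])  # reversed run
            i = end + 1 if j != -1 else end    # skip the PDF if present
            continue
        if ch in BIDI_CONTROLS:
            i += 1  # invisible to the user, ignored here
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def true_extension(name: str) -> str:
    """Extension the file system uses: control characters are invisible to the
    user but irrelevant to the OS, which keys on the final dot of the raw name."""
    stripped = "".join(c for c in name if c not in BIDI_CONTROLS)
    return PureWindowsPath(stripped).suffix.lower()


def inspect_filename(name: str) -> Verdict:
    """Compare displayed vs. real extension and explain any mismatch."""
    controls = [c for c in name if c in BIDI_CONTROLS]
    shown = approximate_display(name)
    real_ext = true_extension(name)
    shown_ext = PureWindowsPath(shown).suffix.lower()
    reasons = []
    if controls:
        names = ", ".join(sorted({unicodedata.name(c) for c in controls}))
        reasons.append(f"bidi control character(s): {names}")
    if shown_ext != real_ext:
        reasons.append(f"displayed as {shown_ext or '(none)'} but really {real_ext or '(none)'}")
    if real_ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {real_ext}")
    suspicious = bool(controls) or shown_ext != real_ext
    return Verdict(name, shown, real_ext, bool(controls), suspicious, "; ".join(reasons) or "clean")


def scan_attachments(names):
    """Return the verdicts for every attachment name that looks spoofed."""
    return [v for v in (inspect_filename(n) for n in names) if v.suspicious]


if __name__ == "__main__":
    # Constructed sample: the article's two names plus a benign control case.
    samples = [
        "I-LOVE-YOU-XOX\u202eTXT.EXE",
        "(phone&mail).\u202eslx.scr",
        "quarterly_report.xls",
    ]
    for v in scan_attachments(samples):
        print(f"{v.displayed_name!r} -> real extension {v.true_extension}: {v.reason}")
```

Running the script on the constructed sample prints the two spoofed names with their real extensions (.exe and .scr) and leaves quarterly_report.xls unreported. In practice the cheapest control is the first check alone: rejecting or quarantining any attachment whose name contains a bidi control character, since legitimate file names have no use for them.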
What is the driving force for this threat?
SASFIS was created by cybercriminals to facilitate the propagation of other malware, particularly botnets such as ZBOT and Bredolab. It is part of an organized affiliate program wherein various underground organizations partner to support their goal of scamming users and gaining profit in the process.
Using a new technique to propagate the malware could therefore lead to an increased number of infected users.
What is different in this attack?
Early this year, SASFIS variants became notorious in relation to spoofed email messages purportedly from Facebook. In the new spam run, cybercriminals use the RLO technique to deceive users into opening the malicious file. When users see a familiar file name extension such as .XLS, they would most likely think that the file is safe enough to open.
How do affected users remove this threat?
To remove TROJ_SASFIS.HBC from their systems, users may use the Trend Micro manual removal instructions. Users may also follow the manual removal instructions for BKDR_SASFIS.AC.
Are Trend Micro users protected from this threat?
Yes. Solutions supported by the Trend Micro™ Smart Protection Network™ block the spam used by this botnet to infect users via Email Reputation Technology. It can detect and prevent the execution of the malicious files detected as TROJ_SASFIS.HBC and BKDR_SASFIS.AC via File Reputation Technology.
What can users do to prevent this threat from entering computers?
Users are highly advised to follow safe online computing habits, such as scanning email attachments with security software, opening attachments only from known or expected sources, deleting all unwanted and suspicious messages without opening them, and using security software with real-time scanning enabled when surfing the Web.
Non-Trend Micro users can also stay protected via HouseCall, a free tool that identifies and removes all kinds of viruses, Trojans, worms, unwanted browser plug-ins, and other malware from affected systems.