ASEC analysis team has found a malware that is being distributed in Korea, a malware disguised as Shincheonji-related. On the surface, the filename of the distributed files appears to be .xlsx (excel) or .ppt (powerpoint) document file, but that is due to utilization of RLO (Right to Left Override) method, which makes the filename to be shown in a different format *.scR. The actual extension of the malware is *.scr.
Distributed unicode RLO-modified malicious files
- Shincheonji Church of Jesus Emergency Contacts (1).Rcs.xlsx)
- Shincheonji Church of Jesus Temple of the Tabernacle of the Testimony Headquarter Public Relations Division Media Press Team Assistant Organization RCS.ppt)
– Shincheonji Church of Jesus Emergency Contacts (1).xlsx)
– Shincheonji Church of Jesus Temple of the Tabernacle of the Testimony Headquarter Public Relations Division Media Press Team Assistant Organization.ppt)
The analysis is based on the excel file.
Once the file runs, the normal excel file runs together, making it difficult for the user to recognize that the malware is running on the user PC.
A normal document file is created in the same file path as the executable, and the file is run by VBS that was created in the %TEMP% directory.
3 files created in the %TEMP% directory perform each feature below:
- %TEMP%\[random1].vbs: Run normal .xlsx file
- %TEMP%\[random2].vbs : Delete *.scr file
- %TEMP%\services.exe: Backdoor malware
services.exe backdoor is added to a registry key below so that it runs even after the reboot.
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\mismyou “C:\Users\vmuser\AppData\Local\Temp\services.exe”
Backdoor features include: sending process list, computer name, and OS version info, running and exiting files, downloading additional files, etc.
This backdoor was confirmed to be Bisonal malware. Bisonal has been attacking Korean organizations and companies since 2011.
AhnLab’s V3 products detect the malware under the following aliases:
- Backdoor/Win32.Bisonal (2020.03.05.04)