The ASEC analysis team has recently discovered a RAT tool disguised as a solution file (*.sln) being distributed on GitHub. As shown in Figure 1, the malware distributor is sharing source code on GitHub under the title “Jpg Png Exploit Downloader Fud Cryter Malware Builder Cve 2022”. The file composition looks normal, but the supposed solution file (*.sln) is actually a RAT tool. By disguising the RAT tool as a solution file (*.sln), the distributor lures users into running it: programmers who receive code that includes a solution file generally run that file to open the project. Users should be cautious of social engineering techniques that exploit this habit.
Downloading the files shown above yields the files shown in Figure 2. In Figure 2, the ‘Hide extensions for known file types’ option was disabled. Users should be wary of a file that carries the solution file (*.sln) icon together with a name resembling a solution file. The malware was crafted to prompt users to run it, but the file type column shows that it is actually a screen saver. In a Windows environment, .scr is an executable extension, so running the file infects the system with the malware.
The malware disguised as a solution file used a cryptor to alter its appearance and evade detection. Once executed, it injects itself into a legitimate Windows program such as AppLaunch.exe, RegAsm.exe, or InstallUtil.exe, ultimately running the RAT tool.
As for how the extension appears as a solution file (*.sln) in GitHub and Windows Explorer, compressing the file reveals the answer: the file name contains the ‘RIGHT-TO-LEFT OVERRIDE’ Unicode character, which makes the text after it render in reverse order (see Figure 4).
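The following script is an added example written for this post, not code from ASEC or from the malware repository. It shows how a defender can check file names for Unicode bidirectional control characters such as RIGHT-TO-LEFT OVERRIDE (U+202E), reconstruct roughly what Explorer or a web page would display, and compare the displayed extension with the extension Windows actually uses. The sample file name is constructed to follow the pattern in the post (a name ending in `nls.scr` that renders as `rcs.sln`); it is not one of the real samples, and the list of executable extensions is the author's own.

```python
"""Flag file names that use Unicode bidi controls (e.g. RIGHT-TO-LEFT OVERRIDE, U+202E)
to make an executable look like a harmless project or document file."""
import os
import unicodedata

# Bidi classes of the Unicode explicit directional formatting characters
# (LRE/RLE/PDF/LRO/RLO and the newer isolate controls).
BIDI_CONTROL_CLASSES = {"LRE", "RLE", "PDF", "LRO", "RLO", "LRI", "RLI", "FSI", "PDI"}

# Extensions Windows treats as directly runnable; .scr (screen saver) is among them.
# Assumed list for this example, not taken from the post.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1",
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".msi", ".lnk",
}


def _strip_controls(text):
    return "".join(c for c in text if unicodedata.bidirectional(c) not in BIDI_CONTROL_CLASSES)


def find_bidi_controls(name):
    """Return (index, 'U+XXXX', Unicode name) for every bidi control in the name."""
    hits = []
    for i, ch in enumerate(name):
        if unicodedata.bidirectional(ch) in BIDI_CONTROL_CLASSES:
            hits.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN")))
    return hits


def displayed_name(name):
    """Approximate what a bidi-aware renderer shows.

    Only the single RIGHT-TO-LEFT OVERRIDE case described in the post is
    modelled: everything after U+202E is drawn reversed. Other controls are
    simply dropped from the rendering.
    """
    if "\u202e" in name:
        head, _, tail = name.partition("\u202e")
        return head + _strip_controls(tail)[::-1]
    return _strip_controls(name)


def real_extension(name):
    """The extension the OS actually uses, after stripping invisible controls."""
    return os.path.splitext(_strip_controls(name))[1].lower()


def assess(name):
    """Compare the displayed extension with the real one and flag hidden executables."""
    controls = find_bidi_controls(name)
    shown = displayed_name(name)
    actual_ext = real_extension(name)
    shown_ext = os.path.splitext(shown)[1].lower()
    executable = actual_ext in EXECUTABLE_EXTENSIONS
    return {
        "name": name,
        "controls": controls,
        "displayed": shown,
        "displayed_ext": shown_ext,
        "real_ext": actual_ext,
        "executable": executable,
        # Suspicious when a bidi control hides that the file is executable.
        "suspicious": bool(controls) and executable and shown_ext != actual_ext,
    }


def scan_directory(root):
    """Yield an assessment for every suspicious file name under root."""
    for dirpath, _, files in os.walk(root):
        for f in files:
            result = assess(f)
            if result["suspicious"]:
                result["path"] = os.path.join(dirpath, f)
                yield result


if __name__ == "__main__":
    # Constructed sample names following the pattern in the post; not real IoCs.
    samples = [
        "Jpg Photo Exploit Proj\u202enls.scr",  # renders as "...Projrcs.sln", runs as .scr
        "Project.sln",                           # ordinary solution file name
    ]
    for s in samples:
        r = assess(s)
        print(f"{r['displayed']!r}: real extension {r['real_ext']}, "
              f"controls={[c[1] for c in r['controls']]}, suspicious={r['suspicious']}")
```

Running the script on the constructed sample reports a displayed name ending in `.sln` with a real extension of `.scr` and flags it as suspicious, while the ordinary `Project.sln` passes. `scan_directory` applies the same check to a cloned repository or download folder; the same idea can be applied to archive listings or upload filters, since the control character survives in the raw file name even when it is invisible in a file browser.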
Similar cases have been occurring more frequently on GitHub, which has recently been receiving a lot of traffic. Malware distributors are disguising their malware as solution files (*.sln) and passing it off as source code. Users should therefore be cautious when viewing files from unreliable sources, and must keep their anti-malware software updated to the latest version.
AhnLab V3 detects and blocks the malware strains using the aliases below.
- Trojan/Win.Leonem.C5218555 (2022.08.04.00)
- Trojan/Win.Agent.C4526491 (2021.06.30.03)
- HackTool/Win32.Vbinder.R12127 (2015.02.14.01)
- Trojan/Win.SmokeLoader.R510280 (2022.08.12.04)
- Trojan/Win.MSILZilla.C5129545 (2022.05.15.02)
- Trojan/Win.Generic.C5198415 (2022.07.08.03)
MD5 hashes of the samples (file names as recorded):
- 0cfa5f7c008e3dc2df275a99aef9cbbb // Jpg Photo Exploit Projnls..scr
- 98d7999986d63fbd914bddc3d7b7ecf9 // Venom Control Clientnls.
- 9a01d2f0aad78bcc4a4ca07552154ee1 // Jpg Photo Exploit Projnls.
- 9fd996ce42d667ba01c902124bf95f6d // Discord Image Token Grabbernls.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check the related IOCs and detailed analysis information.