Malware Distributed with Disguised Filenames (RIGHT-TO-LEFT OVERRIDE)

In August, the ASEC analysis team made a post on the malware being distributed with filenames that utilize RTLO (Right-To-Left Override). RTLO is a unicode that makes an override from right to left. This type of malware induces users to execute its files by mixing filenames with extensions, with its distribution still being continued to this day.

RAT Tool Disguised as Solution File (*.sln) Being Distributed on Github

As of November 30th, 2022, when the keywords based on the last blog post are entered in GitHub, 304 commit results are shown. Multiple cases of malware were registered as normal codes through a handful of accounts, and some even had everything unchanged except for the newly uploaded malware disguised as solutions.

Figure 1. Search results of filenames disguised as ‘sln’ on GitHub

According to the results identified using AhnLab’s ASD infrastructure, methods that used RTLO included compressed files, test files, and video files, as well as those disguised as solutions (.sln). The most prevalent distribution method was the disguise as pornographic videos and films, which included names such as SCR.pm4, scr.vkm, and scr.iva. We also found that files such as exe.rar disguised as utility programs were also distributed through torrents.

Figure 2. Malware with its filename disguised as rar, distributed through torrents

As seen in the figure above, the malware being distributed with its filename disguised as a software crack seemingly has its extension as ‘rar,’ but its actual extension is ‘exe.’  The icon has also been designed to imitate a compressed file for a more successful disguise. On top of that, the file is listed as an “Application” instead of an RAR file, making it hard for users to recognize it as an executable if they do not pay close attention. The actual format of the malware is a portable executable, containing the malware and a compressed file.

The malware injects itself to a normal process to receive and execute additional malware, with its identified loaders including Laplas Clipper and Redline Stelaer. Redline Stelaer is an Infostealer that has been addressed in ASEC blog several times, while Laplas Clipper is a malware that targets cryptocurrency users and changes their wallet addresses to the attacker’s when they are found in users’ clipboards.

Figure 3. The regular expression of cryptocurrency wallet address

Bitcoin (BTC) (1[1-9A-HJ-NP-Za-km-z]{33})
Bitcoin (BTC) (3[1-9A-HJ-NP-Za-km-z]{33})
Bitcoin (BTC) (bc1q[023456789acdefghjklmnpqrstuvwxyz]{38,58})
Bitcoin Cash (BCH) (q[a-z0-9]{41})
Bitcoin Cash (BCH) (p[a-z0-9]{41})
Litecoin (LTC) (L[a-km-zA-HJ-NP-Z1-9]{33})
Litecoin (LTC) (M[a-km-zA-HJ-NP-Z1-9]{33})
Litecoin (LTC) (ltc1q[a-km-zA-HJ-NP-Z1-9]{38})
Ethereum (ETH) (0x[a-fA-F0-9]{40})
Dogecoin (DOGE) (D[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32})
Monero (XMR) (4[0-9AB][1-9A-HJ-NP-Za-km-z]{93})
Monero (XMR) (8[0-9AB][1-9A-HJ-NP-Za-km-z]{93})
Ripple (XRP) (r[0-9a-zA-Z]{33})
Zcash (ZEC) (t1[a-km-zA-HJ-NP-Z1-9]{33})
Dash (DASH) (X[1-9A-HJ-NP-Za-km-z]{33})
Ronin (RON) (ronin:[a-fA-F0-9]{40})
Tron (TRX) (T[A-Za-z1-9]{33})
Steam Trade URL (http[s]*:\/\/\/tradeoffer\/new\/\?partner=([0-9]+)&token=([a-zA-Z0-9]+))
Tezos (XTZ) (tz[1-3][1-9A-HJ-NP-Za-km-z]{33})
Cardano (ADA) (addr1[a-z0-9]+)
Cosmos (ATOM) (cosmos1[a-z0-9]{38})
Ripple (XRP) (R[a-zA-Z0-9]{33})
Uncategorized ([A-Z2-7]{58})
Uncategorized ([1-9A-HJ-NP-Za-km-z]{44})

Table 1. Cryptocurrency wallet addresses sorted by regular expressions

The malware downloads the above regular expressions and examines the clipboard to find any data that can be mapped to the expressions. When such data is found, its value is changed to the attacker’s address. The regular expressions are downloaded from the website below, and we can see that the author of the malware is still active, operating the website to this day.

Figure 4. Website run by Laplas Clipper

Users must stay alert for programs that cannot be trusted. Also, they must keep their anti-malware software updated to the latest version.  AhnLab V3 detects and blocks the malware strains using the aliases below.

[File Detection]

  • Trojan/Win.RTLO.X2172 (2022.11.29.00)
  • Dropper/Win.Agent.C5317732 (2022.11.30.03)
  • Trojan/Win.Injection.C5313120 (2022.11.24.03)
  • Trojan/Win.Generic.C535472 (2022.11.22.03)
  • Trojan/Win.Generic.C5310136 (2022.11.21.01)
  • Infostealer/Win.Raccoon.C534410 (2022.11.21.02)
  •  Infostealer/Win.RedLine.C5155429 (2022.06.03.01)

[IOC Info]

  • 64c3f928790051534889f65f33a6edaf
  • 7e7f8d664dc17d08ae3084ec958070fa
  • d2cbf6c0a2a55a08aa5fbacad772d63d
  • 21f79006cf7560986de8ec8a60998894
  • 07abdccbf7b7884f98f962b169ae86c4
  • e125eb095b89b5cccc190ff727ae354d

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

0 0 votes
Article Rating

Inline Feedbacks
View all comments