Written by: Valerie Rivera

  Background of the Attack

In a recent spam run, TrendLabsSM engineers came across samples of spammed messages using the right-to-left override (RLO) technique. The RLO technique, which was more commonly associated with spamming in the past, has now become a new social engineering tactic.


How do users get this Web threat?

It arrives via a spammed message with a .RAR file attachment. Extracting the compressed file reveals what appears to be an .XLS file. In reality, however, the file is a screensaver detected by Trend Micro as TROJ_SASFIS.HBC. This Trojan drops a file detected as BKDR_SASFIS.AC, which allows threads to be injected to the normal svchost.exe process.


What happens once the threat gets inside computers?

Once users extract the compressed .RAR file on their systems, the extracted file detected by Trend Micro as TROJ_SASFIS.HBC is installed on the affected system. The said file appears to be an MS Excel file named as (phone&mail).[U 202e}crs.xls. Its real file name (minus the Chinese characters) is (phone&mail).[U 202e}slx.scr, wherein U 202e is the Unicode control character that tells the system to render succeeding characters from right to left. This technique is known as right-to-left override (RLO) technique.

Because of the RLO technique, users see an .XLS file instead. This could lead them to believe that the file is indeed an MS Excel file and thus “safe” to open, when in reality it is an executable .SCR file.


How are users affected by this threat?

Using the RLO technique, this Trojan is able to conceal its actual filename and disguise itself as a legitimate and seemingly harmless file, such as an .XLS or a .TXT file. For instance, it may use the filename I-LOVE-YOU-XOX[U 2020e]TXT.EXE and after applying RLO, the system renders its filename to be I-LOVE-YOU-XOXEXE.TXT.


What is the driving force for this threat?

SASFIS was created by cybercriminals to facilitate the propagation of other malware, particularly botnets such as ZBOT and Bredolab. It is part of an organized affiliate program wherein various underground organizations partner in to support their goal of scamming users and gaining profit in the process.

Using a new technique to propagate the malware could therefore lead to an increased number of infected users.


What is different in this attack?

Early this year, SASFIS variants became notorious in relation to spoofed email messages purportedly from Facebook. In the new spam run, cybercriminals use the RLO technique to deceive users into opening the malicious file. When users see a familiar file name extension such as .XLS, they would most likely think that the file is safe enough to open.


How do affected users remove this threat?

To remove TROJ_SASFIS.HBC from their systems, users may use the Trend Micro manual removal instructions. Users may also follow the manual removal instructions for BKDR_SASFIS.AC.


Are Trend Micro users protected from this threat?

Yes. Solutions supported by the Trend Micro™ Smart Protection Network™ block the spam used by this botnet to infect users via Email Reputation Technology. It can detect and prevent the execution of the malicious files detected as TROJ_SASFIS.HBC and BKDR_SASFIS.AC via File Reputation Technology.


What can users do to prevent this threat from entering computers?

Users are highly advised to follow safe online computing habits, such as scanning email message file attachments with security software, opening attachments only from known or expected sources, deleting all unwanted and suspicious messages without opening, and using security software and running real-time scan when surfing the Web.


Non-Trend Micro users can also stay protected via HouseCall, a free tool that identifies and removes all kinds of viruses, Trojans, worms, unwanted browser plug-ins, and other malware from affected systems.