Security researchers at ASEC analyzed malware distributed under Right-To-Left Override (RTLO) filenames. The trick relies on the Unicode control character U+202E, which makes a file manager draw the rest of the name right-to-left so that an executable appears to carry a harmless extension; here the samples were disguised as Visual Studio solution files (.sln) and even as pornographic videos. Once run, the malware injects into a legitimate process, loads additional payloads (Laplas Clipper and Redline Stealer), and, notably, replaces cryptocurrency wallet addresses in the clipboard using regular expressions downloaded from a remote site. Distribution was observed via GitHub and torrents.
Keypoints
- The malware employs RTLO-based filename disguises to trick users into executing malicious files.
- Disguises include files presented as .sln solution files and executables whose icon imitates a compressed archive, sometimes under pornographic video filenames.
- GitHub and torrent distributions were observed, with many commits and files repurposed to host the malware disguised as legitimate content.
- The payloads delivered are Laplas Clipper and Redline Stealer, indicating cryptocurrency theft and credential/information stealing as the goals.
- The malware injects into a normal process to receive and execute additional payloads.
- It downloads regular expressions from a site, matches the clipboard contents against them, and replaces any matching cryptocurrency wallet address with an attacker-controlled address.
- AhnLab detects multiple related malware families and lists several IOCs (hashes, an IP, and a URL).
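The RTLO disguise is easy to reproduce and equally easy to detect once you know to look for the control character. The following is an added example, not code from the ASEC write-up or the malware: it builds a disguised filename the way the trick works, shows what a user sees, and flags it the way a download hook or file scanner would. All filenames in it are constructed; the `.sln` and `.png` cases are illustrative, not the sample's actual names.

```python
# Added example (not from the ASEC report): build, render and detect RTLO-disguised filenames.
import unicodedata

RTLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, the character the disguise depends on

# Unicode bidirectional control characters. None of them has a legitimate use in a filename,
# so any occurrence is a finding, not just U+202E.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
}


def disguise(stem: str, shown_ext: str, real_ext: str) -> str:
    """Return a name that really ends in '.<real_ext>' but renders as '...<real_ext reversed>.<shown_ext>'.

    Everything after U+202E is drawn right-to-left, so the tail is written backwards:
    the shown extension goes first (reversed) and the real extension last, where the OS reads it.
    """
    return stem + RTLO + shown_ext[::-1] + "." + real_ext


def rendered(name: str) -> str:
    """Approximate what a bidi-aware file manager displays: the text after U+202E reversed.

    Exact for ASCII tails; the full Unicode bidi algorithm has more cases (digits, mirrored
    brackets) that do not matter for the detection below.
    """
    if RTLO not in name:
        return name
    head, _, tail = name.partition(RTLO)
    return head + tail[::-1]


def real_extension(name: str) -> str:
    """Extension the OS actually uses: Windows picks the handler from the true suffix, not the rendering."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def bidi_findings(name: str) -> list:
    """(index, Unicode character name) for every bidi control character in the filename."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def is_rtlo_disguised(name: str) -> bool:
    """Flag any filename carrying a bidi control character."""
    return bool(bidi_findings(name))


def scan(names: list) -> list:
    """Report, for each suspicious name, what the user sees versus what will execute."""
    report = []
    for name in names:
        if is_rtlo_disguised(name):
            report.append({
                "raw": name,
                "displayed_as": rendered(name),
                "shown_ext": real_extension(rendered(name)),
                "real_ext": real_extension(name),
                "controls": bidi_findings(name),
            })
    return report


if __name__ == "__main__":
    # Constructed sample directory listing: two disguised names and one clean one.
    listing = [
        disguise("holiday", "png", "exe"),   # shows as holidayexe.png, runs as .exe
        disguise("Project", "sln", "scr"),   # shows as Projectrcs.sln, runs as .scr
        "README.md",
    ]
    for finding in scan(listing):
        print(f"{finding['displayed_as']!r} is really .{finding['real_ext']} ({finding['controls']})")
```

The point of the `shown_ext` versus `real_ext` pair in the report is the user-facing explanation: a blocklist entry that just says "contains U+202E" is correct but opaque, whereas "displays as .sln, executes as .scr" tells the analyst what the lure was. On a download hook, rejecting any filename in `BIDI_CONTROLS` is the cheap and safe rule.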
MITRE Techniques
- [T1036] Masquerading – The malware uses RTLO-based filename disguises and is “disguised as solutions (.sln)” with an icon designed to imitate a compressed file.
- [T1105] Ingress Tool Transfer – The malware “downloads the above regular expressions” from a website to map clipboard data to attacker addresses.
- [T1115] Clipboard Data – The malware “examines the clipboard to find any data that can be mapped to the expressions. When such data is found, its value is changed to the attacker’s address.”
- [T1055] Process Injection – The malware “injects itself to a normal process to receive and execute additional malware.”
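The clipboard substitution described in the key points and under T1115 comes down to a table of regular expressions, one per address format, each paired with an attacker address. The following is an added example, not ASEC's or the malware's code: it reduces that decision logic to a few lines and adds the check a defender can run against it, namely copying a known address and verifying that what comes back is unchanged. The regex patterns, the "attacker" addresses and the user address are constructed placeholders, not indicators from the report, and the rule table is embedded rather than downloaded so the code runs offline.

```python
# Added example (not from the ASEC report): regex-driven clipboard address substitution
# and a defender-side tamper check. All addresses below are constructed placeholders.
import re

# Each rule: (pattern for one address format, attacker address to substitute for it).
# The real clipper fetches such a table from a remote site; this one is embedded so the
# example runs offline. The attacker addresses are obviously fake strings of one letter.
RULES = [
    # Bitcoin: legacy/P2SH (1..., 3...) or bech32 (bc1...)
    (re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"), "bc1q" + "a" * 38),
    # Ethereum / EVM hex address
    (re.compile(r"^0x[0-9a-fA-F]{40}$"), "0x" + "b" * 40),
]


def clipper_rewrite(clipboard_text: str, rules=RULES):
    """Return (new_clipboard_text, index of the rule that fired, or None).

    The match is against the trimmed full content: a clipper only acts when the clipboard
    holds exactly one address, because that is what the victim is about to paste.
    """
    text = clipboard_text.strip()
    for idx, (pattern, attacker_address) in enumerate(rules):
        if pattern.fullmatch(text):
            return attacker_address, idx
    return clipboard_text, None


def looks_like_address(text: str, rules=RULES) -> bool:
    """True if the text matches any address format in the rule table."""
    return any(pattern.fullmatch(text.strip()) for pattern, _ in rules)


def clipboard_tampered(copied: str, pasted: str, rules=RULES) -> bool:
    """Defender-side check: what the user copied came back as a different string that is
    still a wallet address. A clipboard canary (copy a known address, read it back, compare)
    is the simplest way to catch a clipper on a host."""
    return (
        copied.strip() != pasted.strip()
        and looks_like_address(copied, rules)
        and looks_like_address(pasted, rules)
    )


if __name__ == "__main__":
    user_btc = "1" + "A" * 30  # constructed placeholder, not a real wallet
    pasted, rule = clipper_rewrite(user_btc)
    print("rule fired:", rule, "pasted:", pasted)
    print("tampered:", clipboard_tampered(user_btc, pasted))
```

Note that `clipper_rewrite` uses `fullmatch` on the whole clipboard, not `search`: a clipper that rewrote an address embedded in a paragraph would corrupt text the victim might notice, so matching only a clipboard that is nothing but an address is the safer choice from the attacker's side, and it is also why the canary check works best with a bare address.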
Indicators of Compromise
- [File Hash] – 64c3f928790051534889f65f33a6edaf, 7e7f8d664dc17d08ae3084ec958070fa
- [IP Address] – 79.137.206.137
- [URL] – 77.73.133.53/AmnesiaBone/LearnMedal.php
Read more: https://asec.ahnlab.com/en/43518/