Malware Goes Invisible

Friday, April 24, 2015 @ 02:04 PM gHale


A Trojan called Janicab uses an undocumented feature of the LNK shortcut file format that lets it pass command-line arguments Windows's file manager does not display; the malware infects both Windows and Mac systems.

Janicab, in existence since 2013, relies on Python and VBScripts to infect machines.


The malware uses the RLO (right-to-left override) technique, which relies on a special Unicode character intended for languages written from right to left. Inserted anywhere in a text string, the character marks the point from which the following text is rendered in reverse.

This trick is combined with a double file extension so that executables appear to be harmless DOC or PDF files.
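Defenders can flag this disguise by comparing what a file manager renders with the extension the operating system actually uses. The Python below is an added example, not code from the article or from F-Secure; the sample filenames are constructed.

```python
"""Flag filenames that hide an executable extension behind a Unicode
right-to-left override (RLO, U+202E). Sample names are constructed."""

# Unicode bidirectional controls that change how a name is rendered
# without changing the bytes the OS sees.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "pif",
                         "lnk", "vbs", "vbe", "js", "jse", "hta"}

def rendered_name(name: str) -> str:
    """Approximate what a file manager shows: text after an RLO is
    drawn right-to-left (reversed) until a PDF character or the end.
    Handles a single RLO; nested overrides are not modelled."""
    idx = name.find("\u202e")
    if idx == -1:
        return name
    tail = name[idx + 1:]
    stop = tail.find("\u202c")
    reversed_part = tail if stop == -1 else tail[:stop]
    rest = "" if stop == -1 else tail[stop + 1:]
    return name[:idx] + reversed_part[::-1] + rest

def real_extension(name: str) -> str:
    """Extension the OS uses, ignoring bidi control characters."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return clean.rsplit(".", 1)[-1].lower() if "." in clean else ""

def analyze(name: str) -> dict:
    """Report rendered vs. real extension and whether the name is suspicious:
    a bidi control present AND the real extension is executable."""
    controls = sorted({BIDI_CONTROLS[ch] for ch in name if ch in BIDI_CONTROLS})
    shown = rendered_name(name)
    shown_ext = shown.rsplit(".", 1)[-1].lower() if "." in shown else ""
    actual = real_extension(name)
    return {"name": name, "bidi_controls": controls, "displayed_as": shown,
            "displayed_extension": shown_ext, "real_extension": actual,
            "suspicious": bool(controls) and actual in EXECUTABLE_EXTENSIONS}

if __name__ == "__main__":
    # Constructed samples: an RLO-disguised executable and a benign image.
    for sample in ["Agenda\u202ecod.exe", "photo.jpg", "notes\u202efdp.scr"]:
        print(analyze(sample))
```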

Janicab’s covert actions also include getting the addresses for the command and control (C&C) servers from third-party online sources.

The IP addresses are obfuscated: an algorithm translates seemingly random numbers embedded in text matching the pattern “our (.*)th psy anniversary” into the actual addresses. This tactic also appeared in previous versions of the malware.

A Windows variant of Janicab delivered as a LNK file includes invisible shell commands chained in a single string with the “&-” operator, researchers at F-Secure said in a blog post.

In one case, the shortcut poses as a JPG image, but its target points to the Command Prompt (cmd.exe), which executes the malicious commands, the researchers said.

A malicious script encoded with Microsoft Script Encoder is appended to the end of the LNK file; it contains the instructions for dropping decoy files to allay suspicion when the user launches the shortcut.

Janicab’s evolution is also shown by its use of “snapIt.exe,” an application for capturing desktop screenshots.

The variant integrates anti-analysis routines that check whether the malware is running in a virtual machine (VirtualBox, Parallels or VMware) or on a system intended for analyzing threats, by looking for processes belonging to process managers, network analyzers, debuggers and startup tools, F-Secure researchers said.
