SASFIS Malware Uses a New Trick

Early this year, the SASFIS Trojan became notorious in relation to spoofed email messages supposedly from Facebook. SASFIS infections usually result in tons of other malware infections, as this particular family makes systems susceptible to botnet attacks, particularly from ZeuS and BREDOLAB, and is affiliated with various FAKEAV variants, usually those associated with pornographic sites.
TrendLabsSM engineer Shih-Hao Weng came across a new SASFIS variant that uses the right-to-left override (RLO) technique, which was more commonly associated with spamming in the past, but has now become a new social engineering tactic.

This SASFIS Trojan arrives via a spammed message with a .RAR file attachment, which contains an .XLS file. Upon extraction to the desktop, the supposed .XLS file looks like an authentic MS Excel document. In reality, however, the file is a screensaver detected by Trend Micro as TROJ_SASFIS.HBC. This Trojan drops BKDR_SASFIS.AC, which allows threads to be injected to the normal svchost.exe process.
While the file may appear at first to be an Excel worksheet, it possesses a Win32 binary header, which only executable files have. Its real file name (minus the Chinese characters) is phone&mail).FWS.BAT and I-LOVE-YOU-XOXTXT.EXE to be rendered as BACKSTAB.SWF and I-LOVE-YOU-XOXEXE.TXT instead. In the former case, a batch file is disguised as an Adobe Flash file; in the latter an (continue reading...)