Saturday, 2 May 2015

Malware Uses Invisible Command Line Argument in Shortcut File

An undocumented feature of the LNK shortcut file type is employed by Janicab, a Trojan that infects Windows and Mac systems alike, to pass command line arguments that are not visible in Windows' file manager. Janicab has been around for about two years and relies on Python and VBScript to infect machines running the two operating systems. Its infection method was considered quite interesting at the time: the malware used the RLO (Right-to-Left Override) technique, which abuses a special Unicode character intended for languages that are written right to left. The character can be inserted anywhere in a text string and marks the point from which the text is displayed reversed. The method is used on files with a double extension to make them appear as harmless DOC or PDF documents when in fact they are executables.


Janicab's covert actions also include retrieving the addresses of its command and control (C&C) servers from third-party online sources, such as comments left on various YouTube videos. The IPs are obfuscated via an algorithm that translates seemingly random numbers matching the pattern "our (.*)th psy anniversary" into the actual addresses. This tactic was noted in previous versions of the malware. Security researchers at F-Secure discovered that a Windows variant of Janicab, delivered as a LNK file, includes invisible shell commands chained in a single string using the "&-" operator. In the example provided by the researchers, the malware poses as a shortcut to a JPG image, but the target location points to the command prompt (cmd.exe), where the malicious commands are executed.


A malicious script encoded with the Microsoft Script Encoder is appended to the end of the LNK file; it contains the instructions for dropping decoy files in order to quash suspicion when the user launches the shortcut. Janicab's evolution is also marked by the use of "snapIt.exe", an application designed for capturing desktop screenshots. Additionally, the variant found by F-Secure integrates anti-analysis routines that check whether the malware is running in a virtual machine (VirtualBox, Parallels or VMware) or on a system intended for analyzing threats, by looking for processes belonging to process managers, network analyzers, debugging tools and startup tools.
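The three tricks above (an RLO character in the file name, a shortcut whose real target is cmd.exe with arguments the shell does not show, and a script appended past the end of the link structure) can all be caught by reading the .lnk file directly instead of trusting what Explorer displays. The following is an added example written for this post, not F-Secure's or the malware's code; it walks the public MS-SHLLINK layout (header, optional IDList and LinkInfo, StringData, ExtraData blocks) and checks a constructed sample file, so the paths, argument string and trailing blob are made up for the test.

```python
import struct
RLO = "\u202e"  # Right-to-Left Override: reverses the display of what follows it
def parse_lnk(data: bytes) -> dict:
    """Read StringData straight from the MS-SHLLINK layout, ignoring what the shell displays."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link header")
    flags = struct.unpack_from("<I", data, 0x14)[0]  # LinkFlags follows the 16-byte CLSID
    pos = 0x4C
    if flags & 0x01:  # HasLinkTargetIDList: 2-byte size, then the IDList itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:  # HasLinkInfo: 4-byte size that includes the size field
        pos += struct.unpack_from("<I", data, pos)[0]
    uni = bool(flags & 0x80)  # IsUnicode: strings are UTF-16LE, else ANSI
    out = {}
    for bit, key in zip((0x04, 0x08, 0x10, 0x20, 0x40),
                        ("name", "relative_path", "working_dir", "arguments", "icon_location")):
        if flags & bit:  # each StringData entry: 2-byte character count, no terminator
            n = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + (n * 2 if uni else n)]
            out[key] = raw.decode("utf-16-le" if uni else "latin-1")
            pos += 2 + len(raw)
    while pos + 4 <= len(data):  # ExtraData blocks; a block size below 4 terminates the list
        size = struct.unpack_from("<I", data, pos)[0]
        pos += 4
        if size < 4:
            break
        pos += size - 4
    out["overlay"] = data[pos:]  # anything past the terminal block was appended to the file
    return out
def flag_shortcut(filename: str, data: bytes) -> list:
    """Checks a defender can run over incoming .lnk files: RLO name, cmd.exe target, overlay."""
    info = parse_lnk(data)
    findings = []
    if RLO in filename:
        findings.append("RLO character in file name")
    if (info.get("relative_path") or "").lower().endswith("cmd.exe") and info.get("arguments"):
        findings.append("target is cmd.exe with arguments: " + info["arguments"])
    if info["overlay"]:
        findings.append("%d bytes appended after the link structure" % len(info["overlay"]))
    return findings
def build_sample() -> bytes:  # constructed test file (not the Janicab sample)
    def s(text):  # one Unicode StringData entry
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    header = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")
    header += struct.pack("<I", 0x08 | 0x10 | 0x20 | 0x40 | 0x80)  # path, dir, args, icon, unicode
    header = header.ljust(0x4C, b"\x00")  # remaining header fields are zero for this test
    body = s(r"..\..\..\Windows\System32\cmd.exe") + s(r"C:\Windows\System32")
    body += s("/c start decoy.jpg & echo constructed") + s(r"%SystemRoot%\system32\imageres.dll")
    return header + body + struct.pack("<I", 0) + b"#@~^ constructed encoded-script placeholder"
```

Run `flag_shortcut("photo\u202egpj.lnk", build_sample())` to see all three findings on the constructed sample; against a real shortcut, pass the file's bytes and its on-disk name.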




Info Source:

https://www.f-secure.com/weblog/archives/00002803.html


