The exploit, named “Unitrix” by Avast, misuses features in Unicode, the computer industry’s standard for representing text, to mask executable malware as 'safe' files with .doc or .jpg extensions.
The Unicode feature exists to display scripts written right to left, such as Arabic or Hebrew; once a hidden control code such as 0x202E (right-to-left override) is inserted into a file name, the text that follows it is displayed reversed, explained Avast. For example, an executable malware file whose name actually ends in “gpj.exe” is shown to the recipient as the more innocent-sounding “photo_D18727_Collexe.jpg”.
“The typical user just looks at the extension at the very end of the file name; for example, jpg for a photo. And that is where the danger is. The only way a user can know this is an executable file is if they have some additional details displayed elsewhere on their computer or if a warning pops up when they try and execute the file”, said Jindrich Kubec, head of the AVAST Virus Lab.
The AVAST Virus Lab tracked an increase in the number of detections of the exploit during August, with a daily peak of over 25,000. The attacks are almost exclusively made during the working week, with daily detections dropping below 5,000 on the weekend, suggesting that they are targeted at businesses.
The most common Unitrix file is a malware downloader with connections to several URL addresses, which then act as command-and-control centers. “Based on our analysis of over fifty samples, it appears to be part of a pay-per-install network with the capacity to send infected users a variety of malware,” explained Kubec.
In a blog post, Lyle Frink of AVAST provided more detail about how the malware works: “We’ve titled this malware W32:Fivfrom. It’s a malware downloader which, after activation, connects to several distribution centers to download and install malware to the infected computer. We analyzed over fifty separate files, all of which initially looked quite different. But when we looked inside, we found some similar patterns. All files were packed with UPX, and then there was a polymorphic loader which generated the final exe file. This means the malware contained two layers of protection – UPX as the first layer and a polymorphic loader for the second layer.”