The INCA Internet response team has detected that malicious files known as Zeus Bot (Zbot) are spreading by means of a wire transfer cancellation e-mail. Zeus and SpyEye, which target online banking, have been found frequently and are categorized among the major malware-based cyber threats. In particular, this malicious file uses a Unicode extension-spoofing trick so that users take it for a normal PDF file. Users should therefore be careful when handling such files.
2. Spreading cases
This malicious file is sent to arbitrary users as a wire transfer cancellation notice.
The subject and body of the message pose as a wire transfer cancellation notice and urge the recipient to download the attachment (Report.zip).
The old version WinZip v8.1 cannot extract this file.
WinZip v16.0 can extract it; however, the supposed PDF file shows its Type as an executable program.
So if the user has checked 'Do not show hidden files and folders' under Hidden files and folders in Folder Options, the executable file's extension will be hidden.
Report.zip contains an .exe file, as its code shows. Moreover, to hide its extension, the file name uses the Unicode character 'RIGHT-TO-LEFT OVERRIDE' (U+202E).
In the hex view this character appears as the UTF-8 byte sequence E2 80 AE.
This technique has also been used in APT attacks built around various current issues. In that case the file was named 'NKorea demands its own probe into ship sinking.RAR', and extracting it produced what appeared to be a .DOC file (actually a malicious .SCR).
This malicious file, manipulated with the Unicode override, actually has an .exe extension, and in the raw file name the letters 'PDF' appear reversed as 'FDP'.
Besides this case, various other manipulated file names have been found.
In recent years, file names that change the apparent extension from EXE, SCR, or COM to TXT, PDF, DOC, XLS, or HWP have been observed.
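The following Python script is an added example, not code from INCA Internet or from the original report. It shows the check a mail gateway or analyst can apply to attachment names: it looks for U+202E and related bidirectional control characters, computes the extension the operating system will really use versus the one a naive file listing displays, and flags the combination. The sample ZIP, its entry names (including 'Report\u202efdp.exe', built to match the 'FDP' observation above) and the list of extra executable extensions beyond EXE, SCR and COM are constructed assumptions; the rendering model (text after the override drawn reversed) is an approximation of the Unicode bidi algorithm that is adequate for ASCII names like these.

```python
import io
import zipfile

# Unicode bidirectional control characters that can be abused to disguise a
# file name. U+202E (RIGHT-TO-LEFT OVERRIDE) is the one seen in Report.zip;
# the others are included because they are invisible and behave similarly.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")

# Extensions Windows runs as a program. EXE, SCR and COM are the ones named in
# the article; the rest are assumed additions of other well-known executable types.
EXECUTABLE_EXTENSIONS = frozenset({"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"})


def displayed_name(raw_name):
    """Approximate how a naive file listing renders a name containing U+202E.

    Everything after the first RIGHT-TO-LEFT OVERRIDE is drawn reversed and the
    control character itself is invisible, so 'Report\u202efdp.exe' is shown as
    'Reportexe.pdf'. Other bidi controls are dropped as invisible as well.
    """
    head, sep, tail = raw_name.partition("\u202e")
    tail = "".join(c for c in tail if c not in BIDI_CONTROLS)
    return head + tail[::-1] if sep else raw_name


def true_extension(raw_name):
    """Extension the OS actually uses: text after the last '.' of the raw name,
    with control characters removed."""
    clean = "".join(c for c in raw_name if c not in BIDI_CONTROLS)
    return clean.rsplit(".", 1)[1].lower() if "." in clean else ""


def analyze_name(raw_name):
    """Return a verdict dictionary for one attachment file name."""
    controls = sorted({f"U+{ord(c):04X}" for c in raw_name if c in BIDI_CONTROLS})
    shown = displayed_name(raw_name)
    real_ext = true_extension(raw_name)
    shown_ext = shown.rsplit(".", 1)[1].lower() if "." in shown else ""
    return {
        "raw_name": raw_name,
        "displayed_as": shown,
        "bidi_controls": controls,
        "real_extension": real_ext,
        "apparent_extension": shown_ext,
        # A bidi control in a file name is unusual on its own; combined with an
        # executable true extension it is exactly the trick described above.
        "suspicious": bool(controls) and real_ext in EXECUTABLE_EXTENSIONS,
    }


def scan_zip(zip_bytes):
    """Analyze every entry name inside a ZIP given as bytes (e.g. a mail attachment)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [analyze_name(info.filename) for info in zf.infolist()]


def build_sample_zip():
    """Constructed sample ZIP: one spoofed executable name and one genuine PDF name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Constructed name mirroring the 'FDP' observation: the raw name ends in
        # 'fdp.exe', but a careless file listing shows 'Reportexe.pdf'.
        zf.writestr("Report\u202efdp.exe", b"MZ placeholder, not a real program")
        zf.writestr("Report.pdf", b"%PDF-1.4 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for result in scan_zip(build_sample_zip()):
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} shown as {result['displayed_as']!r:20} "
              f"real ext .{result['real_extension']} controls={result['bidi_controls']}")
```

Run stand-alone, the script reports the first entry as SUSPICIOUS (shown as 'Reportexe.pdf', real extension .exe, control U+202E) and the second as ok. The same analyze_name() check can be applied to names taken from a mail header, a quarantine listing or a file system walk; the safest policy is to treat any bidi control character in an attachment name as grounds for blocking, regardless of the true extension.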
This technique can be used in APT attacks. In general, any e-mail that includes executable files should be treated as suspicious, since it may infect the PC with malicious files. To keep your PC safe from the security threats posed by such malicious attachments, we recommend installing the latest security updates and following the "Security management tips" for general users.
INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.