'Invoice' spammers pervert RTF files to hide malware

Spammers have perfected the art of subverting Microsoft's popular rich text format [RTF] document files to evade malware detection, Cisco's Talos security engineering group has found.

Talos analysed an email spam campaign that aims to distribute the Loki Bot password stealer, and found that the attachment carrying the malware was only detected by three out 45 scanning engines at Google's VirusTotal service.

The malware is currently being sent to millions of users around the world, with most of the emails containing a fake invoice attachment, an RTF file.

Although the RTF file contains an old exploit from 2012 that takes advantage of Microsoft's object linking and embedding (OLE) technology to carry malware that's executed when users open the email attachment, it is succesfully evading security software.

The attackers have "gone out of their way" to alter the RTF file with several modifications and make it more difficult for scanning engines to analyse it. 

This includes removing the correct RTF header in the file, and replacing it with one from a portable network graphics (PNG) image.

Several other malformations are added, including random ASCII and hexadecimal characters which are ignored by Microsoft applications, but deceive file scanning security software.

Talos said the malicious RTF files drop a Windows binary onto users' computers and execute it.

The binary contains the Loki Bot password stealer, and attempts to contact its control and command domain paneltestghelp.xyz.

Talos did not say who it believes is behind the malware distribution campaign; the C&C domain is registered with a Florida, United States address and is currently active on a server connected to a network in Panama.