Painting by Numbers

The MMPC came across an interesting piece of social engineering today that embeds a malicious script, which has been observed circulating on 4chan message boards. On further investigation, it became apparent that this is the next stage in the evolution of a threat known as 4chan.js that has been around since 2008. This scenario relies on a user's trust of image file formats and unfamiliarity with the .HTA format (by the way, HTA stands for HTML Application).
The user is sent a .PNG file that looks similar to the following screenshots:

The .PNG file stores the data in a compressed format that is quite innocuous. Did you notice the fuzz at the bottom of the images shown above? This is actually compressed data that is stored in the image.
The following is a screenshot of the .PNG file as seen in binary:

An interested user may follow the instructions in the .PNG and save the file as a bitmap (.BMP) with the .HTA extension. Because the .BMP format stores pixel data uncompressed, the saved file now holds the decompressed data, and it is revealed that the file contains an image, some JavaScript, and one or more executable files. The newly formatted file is seen in the screenshot below:

Now, because the file is saved with a .HTA extension, upon execution the bitmap data is skipped as non-markup content and the embedded JavaScript is run.
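As an added defensive example (not MMPC code), the following Python scanner looks for HTA markup inside an image's pixel data: it reads the raw pixel array of a .BMP directly and inflates the IDAT chunks of a .PNG, since the same markup is invisible to a byte search while it sits compressed. The marker list and the 8x3 sample images are constructed for the demonstration.

```python
import re
import struct
import zlib
# Markup an HTML Application host would act on if the image were renamed to .HTA
# (constructed list; extend as needed). Matching is case-insensitive.
MARKERS = re.compile(rb"<script|<html|<hta:application|activexobject", re.IGNORECASE)
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def bmp_pixel_stream(data: bytes) -> bytes:
    """Raw pixel array of a BMP, located via the header's pixel offset and geometry."""
    offset = struct.unpack_from("<I", data, 10)[0]
    width, height = struct.unpack_from("<ii", data, 18)
    bpp = struct.unpack_from("<H", data, 28)[0]
    stride = ((width * bpp + 31) // 32) * 4  # rows are padded to 4-byte boundaries
    return data[offset:offset + stride * abs(height)]

def png_pixel_stream(data: bytes) -> bytes:
    """Inflate the concatenated IDAT chunks of a PNG (per-row filter bytes stay in place)."""
    pos, idat = len(PNG_SIG), b""
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        if ctype == b"IDAT":
            idat += data[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4-byte length + 4-byte type + payload + 4-byte CRC
    return zlib.decompress(idat)

def find_hta_markers(data: bytes) -> list:
    """Return (format, marker, offset in pixel stream) for every HTA marker found."""
    if data[:2] == b"BM":
        fmt, stream = "bmp", bmp_pixel_stream(data)
    elif data[:8] == PNG_SIG:
        fmt, stream = "png", png_pixel_stream(data)
    else:
        return []  # not an image format this scanner understands
    return [(fmt, m.group(0).lower().decode(), m.start()) for m in MARKERS.finditer(stream)]

def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))

def sample_images() -> tuple:
    """Constructed 8x3 24-bit BMP and PNG whose last two rows hold a harmless script tag."""
    rows = [b"\x7f" * 24, b"<script>alert('construct", b"ed')</script>".ljust(24, b" ")]
    pixels = b"".join(rows)
    bmp = (struct.pack("<2sIHHI", b"BM", 54 + len(pixels), 0, 0, 54)
           + struct.pack("<IiiHHIIiiII", 40, 8, 3, 1, 24, 0, len(pixels), 0, 0, 0, 0)
           + pixels)
    raw = b"".join(b"\x00" + r for r in rows)  # PNG filter type 0 before each row
    png = (PNG_SIG + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 8, 3, 8, 2, 0, 0, 0))
           + _png_chunk(b"IDAT", zlib.compress(raw)) + _png_chunk(b"IEND", b""))
    return bmp, png
```

Searching the raw PNG bytes with the same pattern finds nothing; only the inflated pixel stream exposes the tag, which is the gap a scanner that stops at the container format leaves open.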
In this case, the end result of all of this social engineering is for the family to repackage itself, beat the CAPTCHA mechanism employed by 4Chan, and send itself to the 4Chan bulletin board. We detect the dropped JavaScript as Trojan:JS/Chafpin.gen!A. We have now seen three versions of this trojan as the malware authors develop their methods; in the third, the bitmap was created with random variables each time it was run. Worth noting is that 4Chan is taking steps to prevent user infection by closing affected threads.
What is interesting about this file is the method of social engineering that the malware authors have employed. They are expecting the user to follow the instructions purely out of interest, to see what will happen. Most users are likely to trust an image format and might not realize that the same image file can contain an embedded malicious script.
Here at the MMPC we suggest that you do not follow the instructions found in random pictures that you see, especially if the instructions involve altering the file in any way and then running it. In fact, we would suggest just not running random .HTA files at all.
- Michael Johnson
MMPC Melbourne

Note: Analysed file details are as follows:
- .BMP SHA1 84c2689196903adb8bb3b904797754f6cbfe3b04
- .PNG SHA1 d0d8b26e9063a04f6d02efe429e31df7f0e10f65
- Dropped file SHA1 3b1b80b7a053d388a82a92eb590026e42f202280
