Cyber-criminals have a new way of wreaking havoc: hackers have found another way to bypass security, and the infamous BOM technique is reportedly to blame.
The "Byte Order Mark" technique works by altering files on the Windows host. The main advantage the BOM gives the threat actor group is that it keeps their files below the line of detection.
Researchers from a widely known anti-virus firm noticed a new campaign that relied chiefly on spear phishing. The spear-phishing emails deliver the infected files to the victim's system.
The moment the user attempts to open the ZIP file with their default browser, it crashes and an error message pops up, saying.
According to the researchers, legitimate ZIP files start with "PK" (0x504B). The BOM adds three extra bytes (0xEFBBBF), the marker normally found at the start of UTF-8 text files. On some systems the ZIP archive format goes undetected; on others the file is recognized as a UTF-8 text file, and the malicious payload isn't extracted.
The same files, however, can be opened with third-party tools such as 7-Zip and WinRAR. Once the file has been extracted, the malware is executed and the infection process begins.
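The difference between a strict magic-number check and a tolerant extractor is the whole point of the technique, so here is an added example (not code from the article or from the anti-virus firm it cites) that classifies a file by its leading bytes and then shows that Python's own `zipfile` module, like the third-party tools mentioned above, still opens an archive that has the three BOM bytes in front of "PK". The archive and its member name `sample.txt` are constructed in memory for the demonstration.

```python
"""Detect ZIP archives hidden behind a UTF-8 byte order mark (BOM).

Added example, not code from the original article or the researchers it cites.
The sample archive below is constructed in memory; the file name is invented.
"""
import io
import zipfile

UTF8_BOM = b"\xef\xbb\xbf"   # 0xEFBBBF, the three BOM bytes named in the article
ZIP_MAGIC = b"PK"            # 0x504B, what a legitimate ZIP starts with


def classify(data: bytes) -> str:
    """Classify a file by its leading bytes.

    Returns 'zip' for a normal archive, 'bom-zip' for a ZIP hidden behind a
    BOM, 'utf8-text' for ordinary BOM-prefixed text, and 'other' otherwise.
    A triage script or mail gateway rule would flag 'bom-zip' for review.
    """
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(UTF8_BOM):
        rest = data[len(UTF8_BOM):]
        return "bom-zip" if rest.startswith(ZIP_MAGIC) else "utf8-text"
    return "other"


def naive_is_zip(data: bytes) -> bool:
    """A magic-number check that only looks at the first two bytes.

    This is the behaviour that lets the BOM-prefixed file slip past: the
    archive is not recognised as a ZIP at all.
    """
    return data.startswith(ZIP_MAGIC)


def tolerant_members(data: bytes) -> list[str]:
    """List archive members the way a tolerant extractor does.

    Python's zipfile locates the end-of-central-directory record from the
    end of the file and compensates for bytes prepended to the archive, so
    it opens a BOM-prefixed ZIP much as 7-Zip and WinRAR do per the article.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def build_sample() -> tuple[bytes, bytes]:
    """Construct a harmless in-memory archive and its BOM-prefixed twin.

    The twin is a test vector for the detector above, not real campaign data.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample.txt", "constructed sample content\n")
    plain = buf.getvalue()
    return plain, UTF8_BOM + plain


if __name__ == "__main__":
    plain, hidden = build_sample()
    for label, blob in (("plain", plain), ("bom-prefixed", hidden)):
        print(f"{label:13s} classify={classify(blob):9s} "
              f"naive_is_zip={naive_is_zip(blob)!s:5s} "
              f"members={tolerant_members(blob)}")
```

Run as a script it prints one line per sample: the plain archive is classified `zip` and opened by both checks, while the BOM-prefixed twin fails the naive magic-number test yet still lists `sample.txt` through the tolerant parser. The gap between those two columns is what a scanner that only keys on the first bytes misses.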
The malicious executable is just a loader for the main payload, which is embedded within its main source section. The malware consists of a DLL together with a BICDAT function, encrypted with an XOR-based algorithm.
The library then downloads the second-stage payload, a password-protected ZIP file. The downloaded payload is encrypted with functions similar to those used for the embedded payload.
After the necessary files have been extracted, the final payload is launched, which goes by the name "Banking RAT malware." This RAT harvests information from the system such as access card codes, dates of birth, account passwords, electronic signatures and e-banking passwords.