Cyber criminals have a new way of wreaking havoc. Hackers have found another unique way to bypass security. Reportedly the infamous BOM technique is to blame.
The “Byte Order Mark” technique works by altering files on the Windows host.
The main advantage of the BOM for the threat actor group is that it helps them stay below the line of detection.
Researchers from a widely known anti-virus firm noticed a new campaign that relied mainly on spear phishing.
The spear phishing process is used to deliver the infected files to the victim’s system.
The moment the user attempts to open the ZIP file using their default browser, it crashes and an error message pops up, saying.
According to the researchers, legitimate ZIP files start with “PK” (0x504B), while the BOM is an extra three bytes (0xEFBBBF) found at the start of UTF-8 text files.
On some systems the ZIP archive format goes undetected; on others the file is recognised as a UTF-8 text file and the malicious payload isn’t extracted.
The same files, on the other hand, can be opened with third-party utilities such as 7-Zip and WinRAR.
Once the file has been extracted, the malware is executed and the infection process begins.
Systems using third-party utilities are more susceptible to such malware attacks than the rest.
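The detection gap described above, a strict magic-byte check seeing a UTF-8 text file while a lenient extractor still opens the archive, can be reproduced in a few lines. The following is an added illustration, not code from the article or from the researchers it cites; it assumes that Python's `zipfile` module behaves like the lenient third-party tools (it locates the end-of-central-directory record from the end of the file rather than insisting on `PK` at offset 0), and the sample archive it inspects is constructed in memory, not a real malware sample.

```python
import io
import zipfile

UTF8_BOM = b"\xef\xbb\xbf"        # the three bytes a UTF-8 text file may start with
ZIP_LOCAL_HEADER = b"PK\x03\x04"  # 0x504B0304, what a strict magic-byte check expects at offset 0


def build_sample_zip(name="sample.txt", content=b"harmless constructed content"):
    """Constructed sample: a tiny in-memory ZIP archive (not a real malware sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


def inspect_archive(data: bytes) -> dict:
    """Compare a strict magic-byte check against a lenient ZIP parser.

    Python's zipfile (assumed here to behave like 7-Zip and WinRAR) finds the
    end-of-central-directory record from the end of the file, so leading bytes
    do not stop it from opening the archive. A check that only looks at offset 0
    sees a UTF-8 text file instead, which is the mismatch a defender wants flagged.
    """
    has_bom = data.startswith(UTF8_BOM)
    strict_ok = data.startswith(ZIP_LOCAL_HEADER)
    lenient_ok = zipfile.is_zipfile(io.BytesIO(data))
    members = []
    if lenient_ok:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
    return {
        "has_utf8_bom": has_bom,
        "strict_magic_match": strict_ok,
        "lenient_parser_opens": lenient_ok,
        "members": members,
        # detection-relevant condition: type sniffing and extraction disagree
        "suspicious_bom_zip": has_bom and lenient_ok and not strict_ok,
    }


def read_member(data: bytes, name: str) -> bytes:
    """Extract one member the way a lenient extractor would, BOM or not."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


if __name__ == "__main__":
    clean = build_sample_zip()
    bom_prefixed = UTF8_BOM + clean   # constructed test blob with the shape the article describes
    for label, blob in (("clean", clean), ("bom-prefixed", bom_prefixed)):
        print(label, inspect_archive(blob))
```

The useful signal for a scanner or mail gateway is `suspicious_bom_zip`: a file that type-sniffing labels as text but that a real archive parser opens with members inside. Normalising on the first bytes alone reproduces exactly the blind spot the campaign relies on.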
The malicious executable is just a loader for the main payload, which is embedded in its main source section.
The malware originates from a DLL with a BICDAT function, encrypted with an XOR-based algorithm.
The library then downloads a second-stage payload, a password-protected ZIP file.
The downloaded payload material is encrypted using functions similar to those used for the embedded payload.
After the necessary files have been extracted, the final payload is launched, which goes by the name of “Banking RAT malware.”
This RAT scours the system for information such as access card codes, dates of birth, account passwords, electronic signatures and e-banking passwords.
To read the original article:
http://www.ehackingnews.com/2019/04/banking-malware-being-distributed-by.html