found another unique way to bypass security. Reportedly the infamous BOM technique is to blame.
files on the windows system.
group to be under the line of display or detection.
noticed a new campaign that majorly worked on spear phishing.
files to the victim’s system.
their default browser, it all crashes and an error sign pops up, saying.
“PK” (0x504B). The BOM adds three extra bytes (0xEFBBBF) that are normally found at the start of UTF-8 text files.
in some systems it’s recognized as a UTF-8 text file and the malicious payload
third-party tools, 7-Zip and WinRAR to name a few.
executed, thus beginning the infection process.
such malware attacks than the rest.
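The detection gap described above comes down to where a scanner looks for the ZIP signature. The following added example (not code from the article or from any vendor it cites) builds a harmless, constructed ZIP in memory, prepends the UTF-8 BOM, and compares a naive offset-0 magic check with a BOM-aware one; the function and sample names are assumptions made for the example.

```python
import io
import zipfile

UTF8_BOM = b"\xef\xbb\xbf"   # the three BOM bytes 0xEFBBBF
ZIP_MAGIC = b"PK"            # 0x504B, the start of a ZIP local file header


def naive_is_zip(data: bytes) -> bool:
    """Signature check that only trusts offset 0, as a simple scanner might."""
    return data[:2] == ZIP_MAGIC


def bom_prefixed_zip(data: bytes) -> bool:
    """True when a UTF-8 BOM sits in front of a ZIP signature (offset 3)."""
    return data[:3] == UTF8_BOM and data[3:5] == ZIP_MAGIC


def list_entries(body: bytes) -> list:
    """Entry names if `body` parses as a ZIP archive, else an empty list."""
    try:
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            return zf.namelist()
    except (zipfile.BadZipFile, OSError, ValueError):
        return []


def classify(data: bytes) -> dict:
    """Summarise what a BOM-aware scanner would report for one file."""
    bom = data.startswith(UTF8_BOM)
    body = data[3:] if bom else data        # look past the BOM, if any
    return {
        "bom": bom,
        "magic_at_0": naive_is_zip(data),
        "magic_after_bom": bom and body[:2] == ZIP_MAGIC,
        "zip_entries": list_entries(body),
    }


def make_sample_zip() -> bytes:
    """Constructed sample archive with one benign text entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", "constructed sample entry\n")
    return buf.getvalue()


# Constructed inputs: a plain ZIP, the same ZIP behind a BOM, and a real text file.
PLAIN_ZIP = make_sample_zip()
BOM_ZIP = UTF8_BOM + PLAIN_ZIP
TEXT_FILE = UTF8_BOM + b"hello\n"


def scan(samples: dict) -> dict:
    """Classify every sample; flag the BOM+PK case for analyst review."""
    return {name: classify(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, result in scan(
        {"plain.zip": PLAIN_ZIP, "bom.zip": BOM_ZIP, "notes.txt": TEXT_FILE}
    ).items():
        flag = "REVIEW" if result["magic_after_bom"] else "ok"
        print(f"{name:10} {flag:7} {result}")
```

The plain archive passes both checks, while the BOM-prefixed copy fails the naive check yet still yields a readable entry list once the three bytes are skipped, which is exactly the mismatch between a scanner and an extractor that the article relies on. A content filter that wants to close the gap should apply its archive rules whenever `magic_after_bom` is set, not only when the signature is at offset 0.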
The malicious executable is just a tool to help load the
main payload inserted within the main source section.
The malware originates from a DLL along with a
BICDAT function encrypted with an XOR-based algorithm.
The library then downloads a second stage of
payload, the password protected ZIP file.
The downloaded payload material is encrypted using
similar functions as the inserted payload.
After the necessary files have been extracted, the
final payload is launched, which goes by the name of “Banking RAT malware.”
This RAT harvests information such as access card codes,
dates of birth, account passwords, electronic signatures and e-banking passwords
from the system.