The return of the BOM

[harlan4096]

There’s nothing new in Brazilian cybercriminals trying out new ways to stay under the radar. It’s just that this time around the bad guys have started using a method that was reported in the wild years ago.

Russian gangs used this technique to distribute malware capable of modifying the hosts file on Windows systems. Published by McAfee in 2013, the UTF-8 BOM (Byte Order Mark) additional bytes helped these malicious crews avoid detection.

Since these campaigns depended on spear phishing to increase the victim count, the challenge was to fool email scanners and use a seemingly corrupted file that lands in the victim’s inbox.

The first indicator appears when the user tries to open the ZIP file with the default file explorer and sees the following error.

The error message suggests the file is corrupt, but when we check its contents we see something strange in there.

Instead of having the normal ZIP header starting with the “PK” signature (0x504B), we have three extra bytes (0xEFBBBF) that represent the Byte Order Mark (BOM) usually found within UTF-8 text files. Some tools will not recognize this file as being a ZIP archive format, but will instead recognize it as an UTF-8 text file and fail to extract the malicious payload.

However, utilities such as WinRAR and 7-Zip ignore this data and extract the content correctly. Once the user extracts the file with any of these utilities they can execute it and infect the system.

Continue Reading