Payloads are slipped into the system without alerting defense mechanisms

Aug 14, 2014 17:23 GMT  ·  By

Security researchers have found evidence that the cybercriminal rings operating the Boleto malware families have adopted techniques used by the Zeus Trojan to bypass security solutions such as firewalls and web filters.

It appears that these crooks cooperate on underground forums with their counterparts in Europe, particularly those involved with the Zeus Trojan.

According to security experts from Kaspersky Lab, one of the newest tricks the Boleto malware has adopted to increase its infection rate is to rely on non-executable payloads: portable executable (PE) files that are encrypted (XORed with a 32-bit key) and compressed with the ZLIB library.

They say that GameOver Zeus relied on a similar technique back when it was in its prime, using the ENC extension for its payloads. In the case of Boleto, the malware authors use the BCK and JMP file extensions.

By masking the true nature of the payloads, the threat actors can bypass several types of defenses, such as firewalls, web filters and network intrusion detection systems. The method works by infecting computers with a Trojan that downloads the encrypted data and then decrypts it into the malware that perpetrates the fraud.
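As an added example (not code from the article or from Kaspersky Lab), the Python script below shows how an analyst can unwrap a payload packed the way the article describes and confirm it is really a PE file: fixed DOS-header fields serve as known plaintext to recover the 32-bit XOR key. The sample "PE" is a constructed fixture, and the assumption that the XOR step is applied before ZLIB compression is the script's own, since the article does not state the order.

```python
import zlib

# Constructed stand-in for a PE file, carrying the fixed DOS-header values an
# analyst can use as known plaintext: "MZ" at offset 0, e_lfanew at 0x3c, and
# the "PE\0\0" signature at the offset e_lfanew points to.
E_LFANEW = 0x80
FAKE_PE = bytearray(E_LFANEW + 24)
FAKE_PE[0:2] = b"MZ"
FAKE_PE[0x3C:0x40] = E_LFANEW.to_bytes(4, "little")
FAKE_PE[0x4E:0x4E + 38] = b"This program cannot be run in DOS mode"
FAKE_PE[E_LFANEW:E_LFANEW + 4] = b"PE\x00\x00"
FAKE_PE = bytes(FAKE_PE)

def xor32(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating 4-byte key (the same operation encrypts and decrypts)."""
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))

def make_fixture(pe: bytes, key: bytes) -> bytes:
    """Constructed test input in the shape the article describes: the PE XORed
    with a 32-bit key, then zlib-compressed (XOR-then-compress order is assumed)."""
    return zlib.compress(xor32(pe, key))

def looks_like_pe(data: bytes) -> bool:
    """Validate a candidate plaintext: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def recover_key(xored: bytes) -> bytes:
    """Recover the 4-byte key from known plaintext: bytes 0-1 are 'MZ', and bytes
    0x3e-0x3f are the high half of e_lfanew, which is zero in practically every
    PE, so the ciphertext there is key bytes 2 and 3 (offset mod 4 == 2 and 3)."""
    return bytes([xored[0] ^ ord("M"), xored[1] ^ ord("Z"), xored[0x3E], xored[0x3F]])

def unwrap(blob: bytes):
    """Inflate, recover the key, decrypt, and return the PE only if it validates."""
    try:
        xored = zlib.decompress(blob)
    except zlib.error:
        return None  # not a zlib stream: not this scheme, or XOR applied after compression
    if len(xored) < 0x40:
        return None
    pe = xor32(xored, recover_key(xored))
    return pe if looks_like_pe(pe) else None

if __name__ == "__main__":
    fixture = make_fixture(FAKE_PE, bytes.fromhex("deadbeef"))
    print("recovered the PE:", unwrap(fixture) == FAKE_PE)
```

The `looks_like_pe` check is what keeps the key-recovery heuristic honest: recovering a key always makes the first two bytes read "MZ", so only the "PE\0\0" signature at e_lfanew tells a real unwrapped executable from noise.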

“The criminals tend to encrypt the big payload files using this technique, as well as some removal tools such as Partizan and big Delphi Trojan bankers that include images of Internet banking pages. The aim is always to encrypt the payload and make it undetectable, so that it's not recognized as a normal portable executable,” writes Fabio Assolini in a blog post.