{
	"id": "104a6a93-5a39-4b59-9098-7180f3e34b2f",
	"created_at": "2026-04-06T00:20:14.584812Z",
	"updated_at": "2026-04-10T03:20:55.789191Z",
	"deleted_at": null,
	"sha1_hash": "11fe5130e0b7293a3cbf1c955d18999602a3d29b",
	"title": "The return of the BOM",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 223336,
	"plain_text": "The return of the BOM\r\nBy GReAT\r\nPublished: 2019-03-28 · Archived: 2026-04-05 15:50:52 UTC\r\nThere’s nothing new in Brazilian cybercriminals trying out new ways to stay under the radar. This time, though, the bad guys have revived a method that was reported in the wild years ago.\r\nRussian gangs used the same technique to distribute malware that modified the hosts file on Windows systems. As McAfee reported in 2013, the extra bytes of a UTF-8 BOM (Byte Order Mark) placed in front of the file helped those crews avoid detection.\r\nSince these campaigns rely on spear phishing to increase the victim count, the challenge was to fool email scanners; the answer was a seemingly corrupted file that lands in the victim’s inbox.\r\nThe first indicator appears when the user tries to open the ZIP file with the default file explorer and sees the following error:\r\n[Figure: file explorer error dialog reporting the archive as corrupt]\r\nThe error message suggests the file is corrupt, but when we check its contents we see something strange.\r\nhttps://securelist.com/the-return-of-the-bom/90065/\r\nPage 1 of 5\r\n[Figure: ZIP header prefixed by UTF-8 BOM]\r\nInstead of the normal ZIP header starting with the “PK” signature (0x50 0x4B), the file begins with three extra bytes (0xEF 0xBB 0xBF): the Byte Order Mark (BOM) usually found at the start of UTF-8 text files. Tools that identify a file by its leading bytes therefore do not recognize it as a ZIP archive; they classify it as a UTF-8 text file and never extract the malicious payload.\r\nUtilities such as WinRAR and 7-Zip, however, locate the archive from the End Of Central Directory record at the end of the file, so they ignore the leading bytes and extract the content correctly.
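The parsing behaviour behind this trick, as an added worked example that is not code from the original article: a ZIP reader finds the archive through the End Of Central Directory (EOCD) record at the tail of the file and derives the amount of prepended data from it, so three leading BOM bytes change nothing for an extractor, while a type check on the first bytes sees a UTF-8 text file. The archive, the member name 'payload.exe' and its contents are constructed stand-ins for the loader; the function names are my own, not the article's.

```python
import io
import struct
import zipfile

# Constants written as byte lists so the example stays free of escape sequences.
UTF8_BOM = bytes([0xEF, 0xBB, 0xBF])                 # what a text editor prepends
ZIP_LOCAL_HEADER = bytes([0x50, 0x4B, 0x03, 0x04])   # 'PK' 03 04, first local file header
ZIP_EOCD = bytes([0x50, 0x4B, 0x05, 0x06])           # 'PK' 05 06, End Of Central Directory
EOCD_MAX_SPAN = 22 + 65535                            # fixed EOCD size plus the longest comment


def build_sample_archive() -> bytes:
    '''Constructed sample: a ZIP holding a harmless placeholder instead of the real loader.'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr('payload.exe', b'MZ placeholder, not a real executable')
    return buf.getvalue()


def prefix_with_bom(archive: bytes) -> bytes:
    '''Reproduce the trick: three BOM bytes in front of an otherwise normal ZIP.'''
    return UTF8_BOM + archive


def naive_is_zip(data: bytes) -> bool:
    '''Magic-at-offset-zero check, as a file-type sniffer does it. Misses the BOM variant.'''
    return data.startswith(ZIP_LOCAL_HEADER)


def looks_like_utf8_text(data: bytes) -> bool:
    '''Why scanners mis-file it: the BOM is exactly what marks a UTF-8 text file.'''
    return data.startswith(UTF8_BOM)


def prepended_bytes(data: bytes) -> int:
    '''Return how many junk bytes precede the archive, or raise if there is no ZIP at all.

    The EOCD record stores the size and the offset of the central directory. The directory
    sits right before the EOCD, so (eocd_pos - size_cd) is where it really is; subtracting
    the recorded offset gives the number of bytes prepended to the file. Extractors such
    as 7-Zip and WinRAR, and the zipfile module, perform this same computation.'''
    pos = data.rfind(ZIP_EOCD, max(0, len(data) - EOCD_MAX_SPAN))
    if pos < 0:
        raise ValueError('no End Of Central Directory record: not a ZIP archive')
    size_cd, offset_cd = struct.unpack_from('<II', data, pos + 12)
    return (pos - size_cd) - offset_cd


def robust_is_zip(data: bytes) -> bool:
    '''Identify a ZIP the way extractors do: by the EOCD record, regardless of leading bytes.'''
    try:
        prepended_bytes(data)
        return True
    except ValueError:
        return False


def classify(data: bytes) -> str:
    '''Triage verdict a mail scanner should emit: flag archives hiding behind leading junk.'''
    if naive_is_zip(data):
        return 'zip'
    if not robust_is_zip(data):
        return 'not-a-zip'
    if looks_like_utf8_text(data) and prepended_bytes(data) == len(UTF8_BOM):
        return 'zip-behind-utf8-bom'
    return 'zip-behind-junk'


def list_members(data: bytes) -> list:
    '''Strip the prepended bytes explicitly, then read the archive with the standard library.'''
    junk = prepended_bytes(data)
    with zipfile.ZipFile(io.BytesIO(data[junk:])) as zf:
        return zf.namelist()


def stdlib_opens_unstripped(data: bytes) -> bool:
    '''zipfile tolerates prepended data by itself, so the BOM copy opens without any stripping.'''
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist() == ['payload.exe']
    except zipfile.BadZipFile:
        return False


if __name__ == '__main__':
    sample = prefix_with_bom(build_sample_archive())
    print(classify(sample))        # zip-behind-utf8-bom
    print(list_members(sample))    # ['payload.exe']
```

A scanner that relies on the leading magic bytes returns 'not a ZIP' for the sample and moves on; one that asks where the EOCD record says the archive starts sees both the archive and the three bytes of junk in front of it, which is itself a useful detection signal.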
Once the user extracts the file with one of these utilities, they can execute it and infect the system.\r\n[Figure: the file is successfully extracted by WinRAR]\r\nThe malicious executable acts as a loader for the main payload, which is embedded in its resource section.\r\n[Figure: resource table showing the resource containing the encrypted data]\r\n[Figure: encrypted DLL stored in the resource section]\r\nThe content stored inside the resource is encrypted with an XOR-based algorithm commonly seen in malware samples from Brazil. The decrypted resource is a DLL; the loader loads it and calls its exported function “BICDAT”.\r\n[Figure: code used to load the extracted DLL and execute the exported function BICDAT]\r\nThis library then downloads a second-stage payload: a password-protected ZIP file that is additionally encrypted with the same routine as the embedded payload. After extracting all the files, the loader launches the main executable.\r\n[Figure: code executed by the BICDAT function]\r\n[Figure: strings related to the Banking RAT malware]\r\nThe final payload is a variant of a Banking RAT malware family currently widespread in Brazil and Chile.\r\nKaspersky Lab products can extract and analyze compressed ZIP files prefixed with a Byte Order Mark without any problem.\r\nIndicators of compromise (MD5)\r\n087b2d745bc21cb1ab7feb6d3284637d\r\n3f910715141a5bb01e082d7b940b3552\r\n60ce805287c359d58e9afd90c308fcc8\r\nc029b69a370e1f7b3145669f6e9399e5\r\nSource: https://securelist.com/the-return-of-the-bom/90065/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/the-return-of-the-bom/90065/"
	],
	"report_names": [
		"90065"
	],
	"threat_actors": [],
	"ts_created_at": 1775434814,
	"ts_updated_at": 1775791255,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/11fe5130e0b7293a3cbf1c955d18999602a3d29b.pdf",
		"text": "https://archive.orkl.eu/11fe5130e0b7293a3cbf1c955d18999602a3d29b.txt",
		"img": "https://archive.orkl.eu/11fe5130e0b7293a3cbf1c955d18999602a3d29b.jpg"
	}
}