Boleto Brazilian Banking Malware: WildFire Nails It!

A new family of malware has recently invaded the Boletos, the second most popular form of payment in Brazil after credit cards. Boletos essentially allow consumers to make electronic payments to merchants, pay bills, taxes, and more. The new massive boleto ring, named “Bolware” was first discovered by RSA.  

The new malware and the damage it caused to payment transaction in Brazil was covered by the New York Times and several other newspapers and security magazines.

We promptly tested this new malware with Wildfire. The verdict was unambiguous and the sample files were immediately flagged as malicious based on a long list of detected behaviors that we flag as abnormal (created and modified files, spawned new processes, modified Windows registries, injected code into another period, attempted to sleep for a long period and more). This is yet another great example of how important it is to have the right detection and security enforcement tools such as Wildfire deployed inline in your network.

Cloud-based threat analysis sandboxes that test suspicious files for malicious behavior in near real-time are state of the art today for zero-day threat detection. That said, threat detection by itself is far from enough to protect an enterprise against the high volume of attacks they are subject to on a daily basis. Once the threat is detected, you need to have the means to rapidly block it from spreading further, not just at the point where it was detected but also throughout your infrastructure. This is what we call a closed loop approach to threat protection.

A closed loop approach flags potentially malicious payload, analyzes the payload for malicious behavior, creates protections such as signatures, and distributes these to all points of traffic control and security enforcement in your infrastructure. Even better, these various steps can be fully automated so that there are no unnecessary delays or manual omissions introduced in the process. (Note that this is where the Target defenses failed. According to reports, Target received an alert that a breach had occurred, but no actions were taken).

A closed loop approach to threat protection is one of Palo Alto Networks core strengths: our firewall flags potentially suspicious payloads, then our threat cloud creates protection (signatures), which are sent back to the point of enforcement (the firewall) for immediate use and protection. With all security features natively embedded in the platform – firewall, IPS, IDS, url filtering, cloud based threat analysis -- our platform allows you to proactively and automatically prevent new threats from spreading further.

Companies can now protect themselves from zero day threats similar to Bolware but also prevent infection from any future variants of the malware. This has proven to work well for our customers in the past with malware families such as Cryptolocker or Zeus which have plagued the financial sector since 2011.

Bottom line, all Palo Alto Networks customers with active subscription to Wildfire should be automatically protected from Bolware. We also recommend they implement our recommended best practices for threat prevention coverage and mitigation.

Technical details on how to implement these are available to all on the Palo Alto Networks technical community in the recent Threat prevention deployment technical note, but here is a quick recap:

1. Reduce the attack surface by using our application identification technology (App-ID)  to block applications known as high risk. Unknown TCP and UDP traffic are good candidates.
2. Block all .exe files from being installed by employees outside of IT.
3. Use SSL Decryption for Webmail to prevent targeted attacks to personal email addresses. A single malicious PDF or Office document is all it takes to bring down an organization and bypass all your protection if you don't have visibility into SSL communications.
4. Use IPS signatures to prevent the vulnerability from being exploited by client-side attacks
5. Use Spyware/Command and Control prevention to find infected systems that may pull down additional variants.  Ensure DNS detection is enabled and in blocking mode!
6. Investigate and remediate ALL suspicious DNS queries. These are most likely infected systems!
7. Subscribe to our URL filtering feature to prevent threats from being downloaded from malicious domains.
8. Activate Wildfire to detect unknown and 0-day malware.
9. Find infected systems using our Botnet Report and also create a Sinkhole.
10. Apply tight control over software updates and prevent employees from downloading them from unofficial sources.