The discovery, by Kaspersky Lab researcher Dmitry Bestuzhev, is the first known report of block ciphers being used in connection with banking malware in that region.
The Kaspersky Lab expert came across the group of files, which he identified as Trojan-Banker.Win32.Delf.vh, while analyzing some suspicious and potentially malicious links from Brazil. The files contained encrypted malware, and after some analysis, Bestuzhev determined he was dealing with a block cipher.
Block ciphers are a method of encrypting data in which fixed-length groups of bits (blocks) are transformed under a symmetric key, so the same key both encrypts and decrypts. When used to encrypt the contents of malware executables, block ciphers can keep malware detection and analysis systems from working properly: the encrypted payload reveals none of the byte patterns a signature scanner looks for. Block-cipher encrypted malicious links, for example, can be downloaded and analyzed, but not detected as malicious. If that happens enough, the malicious links can even become whitelisted – exempt from further checks altogether.
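As an added illustration, not taken from Kaspersky's analysis or the Delf sample, the Python below uses a toy Feistel block cipher in CBC mode to show why a byte-signature scanner misses an encrypted payload, and the byte-entropy heuristic a defender can use to flag such files for closer inspection. The cipher, key, IV, signature and payload are all constructed for the demo.

```python
import hashlib
import math
from collections import Counter

BLOCK = 16  # bytes: two 8-byte Feistel halves (toy cipher for the demo, not AES)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(half: bytes, key: bytes, i: int) -> bytes:
    # Round function: keyed hash of one half block, truncated to 8 bytes.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def _feistel(block: bytes, key: bytes, rounds) -> bytes:
    l, r = block[:8], block[8:]
    for i in rounds:
        l, r = r, _xor(l, _round(r, key, i))
    return r + l  # undo the final swap so decryption is just the reversed schedule

def encrypt_cbc(data: bytes, key: bytes, iv: bytes) -> bytes:
    pad = BLOCK - len(data) % BLOCK
    data += bytes([pad]) * pad  # PKCS#7 padding
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        prev = _feistel(_xor(data[i:i + BLOCK], prev), key, range(8))
        out += prev
    return bytes(out)

def decrypt_cbc(data: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        out += _xor(_feistel(blk, key, reversed(range(8))), prev)
        prev = blk
    return bytes(out[:-out[-1]])  # strip PKCS#7 padding

def shannon_entropy(data: bytes) -> float:
    # Bits per byte: text and code sit well below 8, ciphertext approaches 8.
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

SIGNATURE = b"GET /login.php"  # constructed pattern a signature scanner might match

def signature_hit(data: bytes) -> bool:
    return SIGNATURE in data

def looks_encrypted(data: bytes, threshold: float = 7.0) -> bool:
    # Heuristic: high entropy alone is not proof, but it warrants a closer look.
    return shannon_entropy(data) > threshold

# Constructed sample payload and demo key material (not the real Delf sample).
PLAINTEXT = b"MZ\x90\x00" + b"GET /login.php HTTP/1.1\r\nHost: bank.example\r\n" * 20
KEY, IV = b"constructed-demo", b"\x00" * BLOCK
CIPHERTEXT = encrypt_cbc(PLAINTEXT, KEY, IV)
```

The signature matches the plaintext but not the ciphertext, while the entropy check flags the ciphertext; packed or compressed legitimate files also score high, so the heuristic is a triage signal, not a verdict.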
Furthermore, administrators of the sites on which these malicious files are being hosted won’t be able to identify them as such, and as a result, the files will remain there, untouched, prolonging the danger they pose, Bestuzhev warned.
According to Bestuzhev, the creators of the Delf banking Trojan update mirror sites with new versions of the malware every couple of days, altering the encryption algorithm they use every few versions to complicate detection even more. Read more about the Brazilian banking Trojan that uses block cipher encryption on Securelist.