The document details the 'onyx' variant of boleto malware, which targets Brazilian victims by redirecting payments through the modification of boleto information. Unlike its predecessor 'eupuds', this variant uses browser extensions for Chrome and Firefox or the COM interface for Internet Explorer to facilitate its fraud. It provides an executive summary, various comparisons to other malware types, installation and communication mechanisms, and recommendations for countering such attacks.

1. BOLWARE – “ONYX” VARIANT
December 2014
RSA®
Research Group

2. Page 2
TABLE OF CONTENTS
Executive Summary .......................................................................................................... 3
Comparison ..................................................................................................................... 5
Malware Installation, Protective Mechanisms and Persistency Techniques ................................. 5
Communication and Network Behavior................................................................................. 7
Barcode Replacement........................................................................................................ 9
Command andControl Server Infrastructure ........................................................................10
Retrieved Data Statistics...................................................................................................11
Countermeasures ............................................................................................................13
Recommended User Vigilance............................................................................................14
Authors ..........................................................................................................................15

3. Page 3
EXECUTIVE SUMMARY
As mentioned in the previous report published by RSA (https://blogs.rsa.com/rsa-uncovers-
boleto-fraud-ring-brazil/), Boleto malware is a fraud operation and financial threat that has
appeared in recent years in Brazil. The malware family known as "Eupuds" by some AV engines
has attacked thousands of victims, causing serious losses to both the banking system and its
customers.
These losses are caused not only by the "Eupuds" family, but by other types of the Boleto
malware as well.
This report contains information about a different family of Boleto malware, known as "Onyx". The
basic idea is the same: replace Boleto information in order to redirect the payments from the
victim. However, unlike "Eupuds" which injects malicious code into the different web browsers
(Chrome, Firefox and Internet Explorer (IE)) memory during runtime, this kind of malware uses
other mechanisms to infect the victim's machine, depending on the targeted web browser.
If the target browser is either Chrome or Firefox, the malware will be installed as an extension
and will execute its javascript code.
On the other hand, if the target is Microsoft’s Internet Explorer®, the malware will change the
Boleto information by using the COM (Component Object Model) interface with the browser.
Other differences are that "Eupuds" malware family modifies the Boleto bank code and this family
variant does not. The first one invalidates the Boleto barcode by adding HTML comments between
the black and white bar images that represent the barcode and the latter either downloads a full
barcode image from a malicious server or tries to compose a new barcode with black and white
bars.
The altered Boleto will look like this:

4. Page 4
Dozens of samples of this family have been found and they are at different levels of development.
Their features vary among the samples and they point to different Command and Control (C&C)
servers. However, all of them have the same communication protocol with the servers, which
indicates that these samples are likely to refer to malware which is still under development.
In this report we will list the most important features of this malware family and will analyze one
of the C&C servers.
Figure 1
Altered Boleto

5. Page 5
COMPARISON
Bolware
“Ruby”
(aka
Eupuds)
Bolware
“Onyx”
Bank
Code
Replace
Do
not
Replace
Typeable
Line
Replace
Replace
Barcode
Do
not
Replace
Replace
(some
versions
put
an
extra
one
at
the
bottom)
Protocol
XML
Obfuscated
with
a
XOR
key
over
HTTP
Plain
text
over
HTTP
Server
Centralized
dedicated
server
(multiple
IPs
on
the
same
server)
Multiple
servers
(hacked
websites)
C&C
PHP
+
MySQL
PHP
+
Plain
Text
Storage
Dataflow
Affected
On
Generation
(on
GET
response)
and
on
Submission
(on
POST
requests)
On
Generation
(on
GET
response)
User
Credentials
Targeted
Live.com
Do
not
Support
Infection
Mechanism
CreateRemoteThread()
on
process
Chrome
/
Firefox
-­‐
Browser
Extension
and
IE
-­‐
COM
Interface
Affected
Browsers
Chrome
/
Firefox
/
IE
Chrome
/
Firefox
/
IE
Affected
OS
Windows
Windows,
however
the
extension
works
also
for
MAC
OS
and
LINUX
MALWARE INSTALLATION, PROTECTIVE MECHANISMS AND
PERSISTENCY TECHNIQUES
The installation process depends on the targeted browser. The malware is installed as an
extension and pretends to be Flash Player in Chrome and Firefox:

6. Page 6
The same extension used as a payload by the malware can infect Linux and Mac OS, since it’s
written in JavaScript using the browser's API, but no malware was identified that was able to
deploy this payload in different platforms.
Once properly installed in the victim's browser, the malicious extension will search and replace
Boleto related information (typeable line and barcode) in order to redirect payments.
In Chrome, the manifest.json extension configuration file points to a background page called
"popup.html" (with permissions to monitor tabs, all URLs, navigation and requests), which will
execute a javascript called "popup.js". This javascript uses Chrome APIs to do the fraud:
chrome.webRequest.onCompleted.addListener(...)
Where:
• chrome.webRequest is the API to observe and analyze traffic and to intercept
and modify requests in-flight
• onCompleted fires when a request has been processed successfully
• addListener is used to register an event listener for a web request
The API takes a callback and some filters as arguments. The callback calls a javascript called
"getPagesSource.js", which will:
• retrieve the DOM object from the page and convert it to string
• use regular expressions to search for Boleto information in the page opened by
the browser
• retrieve the fake typeable line from the C&C server
• replace the typeable line
• calculate and replace the barcode
• send information back to the C&C server (browser, original typeable line,
modified typeable line, value, due data and URL)
Figure 2
Fake Chrome extension
Figure 3
Fake Firefox extension

7. Page 7
In Firefox, the process is almost the same. The "install.rdf" extension configuration file contains
information to install the malware as a plugin and the file "stylebar.xul" will point to a javascript
called "stylebar.js" that will perform the same logic that "getPagesSource.js" does.
On the other hand if the IE browser is running:
• Initialize the COM interface
• Search for iexplore.exe process
• Retrieve a Boleto number from the server
• Connect to IE and retrieve the existing page
• Replace the Boleto number and barcode
• Notify the C&C server what was the original Boleto and the new one
Example of code in Delphi that uses the COM interface to retrieve an HTML page from the
browser:
"""
uses
ShDocVw_Tlb;
//
or
ShDocVw
if
Doc
=
Nil
then
exit;
if
Doc.body
=
Nil
then
exit;
var
i:
Integer;
Browser:
IWebBrowser2;
ShellWindows:
IShellWindows;
Doc
:
IHtmlDocument2;
ShellWindows
:=
CoShellWindows.Create;
for
i
:=
0
to
ShellWindows.Count
-­‐
1
do
if
Supports(ShellWindows.Item(i),
IWebBrowser2,
Browser)
then
begin
//
do
something
with
Browser
instance,
e.g
compare
the
Url
you're
//
expecting
with
Browser.LocationUrl
//
if
it
is,
then
you
can
get
at
the
Html
by
something
like
Browser.Document.QueryInterface(IHtmlDocument2,
Doc);
if
(Doc
<>
Nil)
and
(Doc.Body
<>
Nil)
then
//
access
any
of
the
Doc's
properties,
e.g.
InnerHtml
end;
"""
COMMUNICATION AND NETWORK BEHAVIOR
After the malware infects the browser, it starts the communication with the C&C server through
HTTP messages. The first message is a notification that is sent by the malware to the server as
soon as the malware gets active. This is done by sending a GET to "notify.php":

8. Page 8
After the notification is sent, a text file is created on the victim's machine in order to prevent
multiple notifications for the same victim.
The subsequent messages will occur when the malware detects a Boleto operation in the browser
and their purpose is to replace the Boleto information (typeable line and barcode) to redirect
payments.
First, the malware will request the typeable line to replace, by sending a GET to
"boleto.php?LETO":
After that, the malware sends some information about the Boleto to the server, by sending a
POST to "boleto.php":
Figure 4
Notification message
Figure 5
Typeable line request
Figure 6
Transaction information

9. Page 9
Where:
O=<original typeable line>
N=<new typeable line>
V=<value>
P=<due date>
U=<url>
Z=<browser>
BARCODE REPLACEMENT
As well as the "Eupuds" type, this family also replaces the Boleto barcode.
Some samples submit the modified typeable line to the malicious server in order to retrieve the
corresponding barcode (as an image) to replace it in the original Boleto
On the other hand, some of the samples simply download a fake and fixed barcode (as an image)
so that the victim will be forced to use the modified typeable line to do the payment:
Figure 7
Replacement by a
corresponding barcode

10. Page 10
Some samples search for strings like "autenticacao mecanica" (which means "mechanical
authentication" in Portuguese, it is where the barcode is usually located) and its variations (capital
letters and accents in the words) in order to search and replace the barcode in the Boleto
document.
C&C SERVER INFRASTRUCTURE
The server side control panel is very simple and allows the botmaster access to manage the
botnet and review compromised data. The malware has the information publicly accessible
through links in the C&C server.
Latest transaction activities (latest Boleto changes) can be accessed by sending a GET to
"boleto.php?123" to the server, which reveals information like date, time, browser, original
typeable line, modified typeable line, value, due data and URL:
Figure 8
Replacement by a fixed
barcode
Figure 9
Latest Boleto changes

11. Page 11
On the other hand, latest victim's information can be accessed by sending a GET to
"visualizador.php?ver", which gives back a UI to see the recently infected victims (date, IP
address, hostname and HTTP referrer):
The data seems to be removed from time to time, allowing only a partial view of the data on the
server corresponding to a period of time.
RETRIEVED DATA STATISTICS
The data retrieved from the server reveals interesting information about this family of the “Boleto”
malware and its victims.
Following are the infected browsers:
Figure 10
Latest infection information

12. Page 12
As well as the "Eupuds" variant, this family also targets the Brazilian market (citizens and
companies). Most of the victims are Brazilian residents, however Brazilian citizens who live abroad
were infected as well. All of them are able to generate a “Boleto” online and pay it through the
Brazilian online banking system.
Figure 11
Infected browsers
Figure 12
Infection by country

13. Page 13
As shown in the map below, the malware is nationwide distributed, but it’s concentrated in the
high populated areas. The infection map looks very similar to the "Eupuds" malware distribution:
During this period the total number of victims infected by this C&C was 3,072.
The following diagram displays the daily malware activity (number of infected transactions) of one
of the C&C servers during the last month (period from August 5th until September 1st):
It is important to mention that these values and statistics refer to only one C&C server. A total
number of 50 samples and 16 C&C servers have been monitored during the latest 2 months
by RSA researchers, so the malware activity involved in this fraud is likely to exceed the period
mentioned in this report.
COUNTERMEASURES
RSA FraudAction Service™ can help with shutting down Boleto infection points in the wild and
blacklisting Boleto IDs. FraudAction provides a blacklist feed of all altered Boleto ID numbers by
the Boleto malware. As fraudsters feed new Boleto IDs into the malware, FraudAction service
updates the blacklist feed. The altered fraudulent Boletos contain information that the banks can
use to proactively block further payment of such Boleto and to track the account that received the
fraudulent payment and prevent further payments to this account and cashing out.
Figure 13
Infection in Brazil
Figure 14
Activity by day

14. Page 14
RSA®
Security Analytics can help only if the Boleto malware is on employee machines and not
customers.
RSA Security Analytics is designed to monitor all the communication to/from the organization to
the Boleto malware C&C server, and can spot fraudulent activities by using Boleto IOCs that are in
the RSA Live feed. The feed will be updated as needed, providing threat intelligence to
organizations experiencing possible Boleto malware infection.
RSA LIVE feed info regarding Boleto fraud is as follows:
• Feed: RSA FirstWatch Command and Control IPs
o Pivot: threat.desc = c2-ip-bolware
• Feed: RSA FirstWatch Command and Control Domains
o Pivot: threat.desc = c2-domain-bolware
RSA®
ECAT is engineered to help only if the Boleto malware is on employee machines and not
customers.
RSA ECAT can detect the presence of Boleto malware on end user/employee devices based on the
Boleto malware IOCs.
RECOMMENDED USER VIGILANCE
1. Double check the Boleto ID, using the following information that could help in detecting
a fraudulent Boleto:
• Compare the first 4 digits with previous Boletos from the same issuing company:
these digits identify the destination Bank, and they will usually be the same every
month.
• For a given issuing company (e.g., a credit card bill or a Boleto from the kids’
school), compare the first half of Boleto digits (usually the first 21 digits) with
previous payments from the same company, since these digits identify the payee’s
destination account. These digits are usually the same from accounts that the user
paid in previous months.
2. Avoid accessing websites that propose to generate new Boletos out of overdue Boletos.
Please check with your bank the best process to pay an overdue Boleto.
3. Try using the Authorized Direct Debit (DDA) method as much as possible to replace the
traditional Boleto payment method.
4. Never trust emails that you aren't expecting, don’t click on any suspicious links.
5. Be wary of websites which are requesting information that they don’t need.
6. Download and install software patches periodically from reliable sources (preferably ask
the software to update itself).
7. Install Anti-Virus software from a reliable source, verify it’s enabled and update it
periodically. According to Microsoft®
, customers using Windows Security Essentials®
are
protected from this malware.
8. Scan your PC with Anti-Malware software on a constant basis.

15. Page 15
AUTHORS
Jonathan Zkez
James Winston
Content and liability disclaimer
This Research Paper is for general information purposes only, and should not be used as a
substitute for consultation with professional advisors. EMC has exercised reasonable care in the
collecting, processing, and reporting of this information but has not independently verified,
validated, or audited the data to verify the accuracy or completeness of the information. EMC
shall not be responsible for any errors or omissions contained on this Research Paper, and
reserves the right to make changes anytime without notice. Mention of non-EMC products or
services is provided for informational purposes only and constitutes neither an endorsement nor a
recommendation by EMC. All EMC and third-party information provided in this Research Paper is
provided on an "as is" basis.
EMC DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, WITH REGARD TO ANY
INFORMATION (INCLUDING ANY SOFTWARE, PRODUCTS, OR SERVICES) PROVIDED IN THIS
RESEARCH PAPER, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. Some jurisdictions do not allow the
exclusion of implied warranties, so the above exclusion may not apply to you.
In no event shall EMC be liable for any damages whatsoever, and in particular EMC shall not be
liable for direct, special, indirect, consequential, or incidental damages, or damages for lost
profits, loss of revenue or loss of use, cost of replacement goods, loss or damage to data arising
out of the use or inability to use any EMC website, any EMC product or service. This includes
damages arising from use of or in reliance on the documents or information present on this
Research Paper, even if EMC has been advised of the possibility of such damages

16. www.rsa.com
ABOUT RSA
RSA’s Intelligence Driven Security solutions help organizations reduce the
risks of operating in a digital world. Through visibility, analysis, and
action, RSA solutions give customers the ability to detect, investigate and
respond to advanced threats; confirm and manage identities; and
ultimately, prevent IP theft, fraud and cybercrime. For more information
on RSA, please visit www.rsa.com.
EMC2
, EMC, RSA and the RSA logo are registered trademarks or trademarks of EMC Corporation in the
United States and other countries. All other trademarks used herein are the property of their respective
owners. ©2014 EMC Corporation. All rights reserved. Published in the USA.
H13742