A group of attackers is behind a strain of payment card malware with bootkit functionality, which makes it very difficult to detect, much less remove.
“FIN1,” the group behind the malware, appears to be based in Russia, according to researchers at both FireEye and Mandiant who described the group on Monday. The two firms uncovered the specialized malware this past September while carrying out an investigation at an unnamed financial organization.
FIN1 maintains a fairly comprehensive malware ecosystem – ‘Nemesis’ – a cornucopia of malware, backdoors, files, and utilities it uses to infiltrate systems and extract cardholder data, according to the researchers. Like most types of financial malware, Nemesis is replete with capabilities, including file transfer, a keylogger, screen capture, and process manipulation.
It wasn’t until the beginning of 2015, however, that FIN1 tweaked Nemesis to include a utility the researchers refer to as BOOTRASH, which modifies an infected machine’s boot process.
“In early 2015, FIN1 updated their toolset to include a utility that modifies the legitimate system Volume Boot Record (VBR) and hijacks the system boot process to begin loading Nemesis components before the Windows operating system code,” the researchers wrote in a description of the malware Monday.
The Master Boot Record normally loads the VBR, which in turn loads the operating system code, but BOOTRASH changes that sequence by loading Nemesis first and then the operating system. Because BOOTRASH runs outside the operating system, it is not subject to the operating system’s integrity checks, nor are its components scanned by anti-virus, the researchers claim, which helps it evade detection.
“This leaves live memory as the only location where the malware is likely to be detected; and unless the bootkit and VFS components are removed, the malware will execute and load every time the system starts,” the researchers claim.
According to Mandiant and FireEye, FIN1 has demonstrated a penchant for stealing sensitive information from financial outfits in the past. In fact, when they observed the group’s activity at the financial organization, the researchers deduced that the attackers’ presence there dated back several years.
The name ‘Nemesis’ is referenced in a handful of build paths for the malware, and elsewhere, language settings in some of the malware’s custom tools suggest the attackers are based either in Russia or in a Russian-speaking country.
Given the stealthiness of BOOTRASH, researchers claim incident responders looking to verify whether certain machines are infected would need a special tool to access and search raw disk forensic images for evidence of bootkits.
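The check such a tool performs is conceptually simple, given the boot chain described above (MBR loads VBR, VBR loads the OS): walk the MBR partition table of a raw disk image, read each partition's VBR, and compare it against a known-good copy. The Python below is an added example and is not code from the article or from FireEye/Mandiant. It assumes a classic MBR-partitioned disk with 512-byte sectors and NTFS-style VBRs, hashes only the bootstrap code region of each VBR (bytes 0x54 to 0x1FD, which excludes the BIOS Parameter Block fields that legitimately differ between volumes), and compares against a baseline dictionary the responder would capture from a clean build of the same Windows version. The disk image is constructed in memory so the example runs offline.

```python
"""Scan a raw MBR disk image for a modified Volume Boot Record (VBR).

Added example (not the article's or the researchers' code). It parses the
MBR partition table, reads each partition's VBR and compares the hash of
the VBR bootstrap code with a known-good baseline. Assumptions: 512-byte
sectors, MBR partitioning, NTFS-style VBR layout (BPB ends at 0x53).
"""
import hashlib
import struct

SECTOR = 512
PARTITION_TABLE_OFFSET = 446      # four 16-byte entries follow
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"      # bytes 510-511 of MBR and VBR
VBR_CODE_START, VBR_CODE_END = 0x54, 0x1FE   # NTFS bootstrap code region


def parse_mbr(image: bytes) -> list:
    """Return (partition_type, lba_start, sector_count) for each used entry."""
    mbr = image[:SECTOR]
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("MBR boot signature missing; not an MBR disk image")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entry = mbr[off:off + PARTITION_ENTRY_SIZE]
        ptype = entry[4]                              # partition type byte
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and count != 0:
            entries.append((ptype, lba_start, count))
    return entries


def vbr_code_hash(vbr: bytes) -> str:
    """SHA-256 of the bootstrap code only; BPB fields vary per volume."""
    return hashlib.sha256(vbr[VBR_CODE_START:VBR_CODE_END]).hexdigest()


def check_vbrs(image: bytes, baseline: dict) -> list:
    """Compare every partition's VBR code hash against the baseline."""
    findings = []
    for ptype, lba, _count in parse_mbr(image):
        vbr = image[lba * SECTOR:(lba + 1) * SECTOR]
        digest = vbr_code_hash(vbr)
        if vbr[510:512] != BOOT_SIGNATURE:
            status = "invalid-signature"        # not a bootable VBR at all
        elif lba not in baseline:
            status = "no-baseline"              # cannot judge; review manually
        elif baseline[lba] != digest:
            status = "MODIFIED"                 # bootstrap code differs from clean copy
        else:
            status = "ok"
        findings.append({"lba": lba, "type": hex(ptype), "sha256": digest, "status": status})
    return findings


# ---- constructed sample image (not a real disk) -----------------------------
def make_vbr(jump: bytes, oem: bytes) -> bytes:
    vbr = bytearray(SECTOR)
    vbr[0:3] = jump                              # e.g. EB 52 90 for NTFS
    vbr[3:11] = oem.ljust(8, b" ")
    vbr[VBR_CODE_START:VBR_CODE_START + 4] = b"\xfa\x33\xc0\x8e"   # stand-in bootstrap code
    vbr[510:512] = BOOT_SIGNATURE
    return bytes(vbr)


def build_image(vbr_at_lba1: bytes, vbr_at_lba2: bytes) -> bytes:
    """MBR with two type-0x07 partitions whose VBRs sit at LBA 1 and LBA 2."""
    def entry(ptype, lba, count):
        e = bytearray(PARTITION_ENTRY_SIZE)
        e[4] = ptype
        struct.pack_into("<II", e, 8, lba, count)
        return bytes(e)
    mbr = bytearray(SECTOR)
    mbr[446:462] = entry(0x07, 1, 1)
    mbr[462:478] = entry(0x07, 2, 1)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr) + vbr_at_lba1 + vbr_at_lba2


CLEAN_VBR = make_vbr(b"\xeb\x52\x90", b"NTFS")
# Simulated tampering: the first bytes of bootstrap code replaced by a jump elsewhere.
TAMPERED_VBR = bytes(CLEAN_VBR[:VBR_CODE_START] + b"\xe9\x00\x01\x00" + CLEAN_VBR[VBR_CODE_START + 4:])

# Baseline a responder would record from a known-clean machine of the same build.
BASELINE = {1: vbr_code_hash(CLEAN_VBR), 2: vbr_code_hash(CLEAN_VBR)}


def demo() -> list:
    return check_vbrs(build_image(CLEAN_VBR, TAMPERED_VBR), BASELINE)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Against a real image, `image` would be the bytes of the forensic disk image (or at least its first sectors plus each partition's first sector) and the baseline would be keyed per volume; a "MODIFIED" or "no-baseline" result is a lead to examine the VBR bytes themselves, not proof of infection on its own, since legitimate disk encryption and boot managers also rewrite the VBR.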
As the researchers point out, malware that targets an MBR or VBR is unusual, but not unheard of. Researchers with RSA saw talk on a Russian forum of a Trojan called KINS in 2013 that could allegedly attack a machine’s volume boot record and give it machine-level access to victims.
That same year a new and souped up version of the Carberp Trojan was also making the rounds, complete with bootkit capabilities. While that functionality may not have been completely operational, attackers were allegedly still peddling versions of the malware for $40,000.