Russian Hackers Using Bootkit to Steal Payment Data

"FIN1" Attackers Use Hard to Detect BOOTRASH Malware to Steal Financial Data

Incident responders from FireEye’s Mandiant group have discovered new tactics being used by cybercriminals to steal payment card data using highly sophisticated malware that hijacks the system boot process and executes before the operating system (OS) loads.

The threat group FireEye tracks as “FIN1”, believed to have Russian roots, was observed using this advanced "bootkit" malware, which infects low-level system components, to compromise a target victim and steal cardholder data.

The longest running cybercrime group tracked by FireEye, FIN1 is known for stealing data from financial services organizations such as banks, credit unions, ATM operations, and other financial transaction service companies.

FireEye said that FIN1 traditionally deploys various forms of malware and attack tools under a “malware ecosystem” known as ‘Nemesis’ by the developer(s).

FireEye said it first discovered the new bootkit activity, which is difficult to identify and detect, during a recent investigation at a customer involved in financial transaction processing.

“In early 2015, FIN1 updated their toolset to include a utility that modifies the legitimate system Volume Boot Record (VBR) and hijacks the system boot process to begin loading Nemesis components before the Windows operating system code. We refer to this utility as BOOTRASH,” FireEye explained in a report published Dec 7.

While FireEye did not provide many details on the attack itself, or suggest how many targets may have been hit with the malware, the security firm did provide some technical details on the bootkit malware used by FIN1.

Prior to installation, the BOOTRASH installer, which is capable of deploying 32-bit or 64-bit versions of Nemesis components, gathers statistics about the system, including the operating system version and architecture.

The installer will install the bootkit on any hard disk that has an MBR boot partition, FireEye said, noting that if the disk uses the GUID Partition Table (GPT) scheme rather than MBR partitioning, the installation process stops.

The malware also checks whether a copy of BOOTRASH is already running on the system and whether the Microsoft .NET 3.5 framework, which the malware requires, is installed. If the BOOTRASH installer is already running or the required .NET framework is not installed, the malware will quit, FireEye said.

Interestingly, BOOTRASH also has the capability of restoring the original boot sector in the event that the attackers want to remove the hijacking process. However, FireEye said the feature only restores the original boot sector and does not remove a custom virtual file system or the backup VBR created by BOOTRASH.

Along with the details of the BOOTRASH malware, FireEye published a list of MD5 hashes associated with the threat, none of which SecurityWeek was able to find in VirusTotal at the time of publishing.

“Bootkits, such as BOOTRASH, are very difficult to detect because they have the potential to be installed and executed almost completely outside of the Windows operating system,” FireEye explained. “Because the malicious boot loader executes before Windows itself is fully loaded, it is not subject to typical operating system integrity checks.”

Because the malicious components used to inject the malware are stored in a virtual file system (VFS) outside the Windows file system, they are not scanned by anti-virus software, FireEye said.

“As a result, incident responders will need tools that can access and search raw disk forensic images for evidence of bootkits,” FireEye said. “Similarly, re-installing the operating system after a compromise is no longer sufficient. System administrators should perform a complete physical wipe of any systems compromised with a bootkit and then reload the operating system.”
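The kind of raw-image check FireEye is describing can be illustrated with a short script. The following is an added example written for this article, not code from FireEye, Mandiant or SecurityWeek, and it does not detect BOOTRASH specifically. It assumes a raw (dd-style) image of an MBR-partitioned Windows disk and a known-good SHA-256 of the boot partition's VBR taken from a clean build or an earlier image; it parses the MBR, stops if the disk uses GPT (the case in which the installer itself gives up), compares the active partition's VBR against the baseline, and then searches unallocated sectors for stray NTFS boot sectors, a generic heuristic for a backup or relocated VBR. The sample image it operates on is constructed in memory and is not taken from any real case.

```python
"""Triage the boot path of a raw MBR disk image for signs of VBR tampering.

Added example; assumes a raw image and an analyst-supplied known-good VBR hash.
"""
import hashlib
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"        # trailer of a valid MBR or VBR
GPT_PROTECTIVE = 0xEE         # partition type used by a GPT protective MBR
NTFS_OEM_ID = b"NTFS    "     # OEM ID at offset 3 of an NTFS VBR


def parse_mbr(image: bytes) -> list:
    """Return the non-empty primary partition entries from sector 0."""
    if len(image) < SECTOR or image[510:512] != BOOT_SIG:
        raise ValueError("sector 0 carries no valid MBR signature")
    entries = []
    for i in range(4):
        off = 446 + 16 * i   # status, CHS start, type, CHS end, LBA, count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", image, off)
        if ptype != 0:
            entries.append({"active": status == 0x80, "type": ptype,
                            "lba": lba, "sectors": count})
    return entries


def uses_gpt(entries: list) -> bool:
    """True if the MBR is only a GPT protective table."""
    return any(e["type"] == GPT_PROTECTIVE for e in entries)


def read_sector(image: bytes, lba: int) -> bytes:
    return image[lba * SECTOR:(lba + 1) * SECTOR]


def inspect_vbr(vbr: bytes, baseline_sha256: str) -> dict:
    """Structural checks plus comparison against the known-good hash."""
    digest = hashlib.sha256(vbr).hexdigest()
    return {"boot_signature_ok": vbr[510:512] == BOOT_SIG,
            "ntfs_oem_id": vbr[3:11] == NTFS_OEM_ID,
            "matches_baseline": digest == baseline_sha256,
            "sha256": digest}


def find_stray_boot_sectors(image: bytes, entries: list) -> list:
    """LBAs outside every partition whose contents still look like an NTFS VBR.

    Heuristic: a bootkit that keeps a backup of the original VBR has to store
    it somewhere, and unallocated space is the usual place.
    """
    allocated = [(e["lba"], e["lba"] + e["sectors"]) for e in entries]
    hits = []
    for lba in range(1, len(image) // SECTOR):
        if any(start <= lba < end for start, end in allocated):
            continue
        s = read_sector(image, lba)
        if s[510:512] == BOOT_SIG and s[3:11] == NTFS_OEM_ID:
            hits.append(lba)
    return hits


def triage(image: bytes, baseline_sha256: str) -> dict:
    """One-shot summary for a raw image."""
    entries = parse_mbr(image)
    if uses_gpt(entries):
        return {"scheme": "GPT", "vbr": None, "stray_boot_sectors": []}
    boot = next(e for e in entries if e["active"])
    return {"scheme": "MBR",
            "vbr": inspect_vbr(read_sector(image, boot["lba"]), baseline_sha256),
            "stray_boot_sectors": find_stray_boot_sectors(image, entries)}


# --- constructed 64-sector sample image, not taken from any real system ---
def clean_vbr() -> bytes:
    body = b"\xeb\x52\x90" + NTFS_OEM_ID       # NTFS jump stub + OEM ID
    return body + b"\x00" * (510 - len(body)) + BOOT_SIG


def baseline_hash() -> str:
    return hashlib.sha256(clean_vbr()).hexdigest()


def build_sample_image(tampered: bool) -> bytes:
    sectors = [bytearray(SECTOR) for _ in range(64)]
    # one active NTFS partition (type 0x07) starting at LBA 8, 40 sectors long
    sectors[0][446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07,
                                      b"\0\0\0", 8, 40)
    sectors[0][510:512] = BOOT_SIG
    vbr = clean_vbr()
    if tampered:
        patched = bytearray(vbr)
        patched[11:40] = b"\xcc" * 29   # boot code replaced, OEM ID/signature kept
        sectors[8][:] = patched
        sectors[56][:] = vbr            # original VBR stashed past the partition
    else:
        sectors[8][:] = vbr
    return b"".join(sectors)


if __name__ == "__main__":
    print(triage(build_sample_image(tampered=False), baseline_hash()))
    print(triage(build_sample_image(tampered=True), baseline_hash()))
```

On a real case the image would be read from disk (or a forensic image format converted to raw) instead of built in memory, and the baseline hash would come from a trusted reference build of the same Windows version, since a VBR legitimately differs between OS versions and volume layouts. A hash mismatch alone is a lead, not proof; the stray-sector hits and the code bytes of the live VBR are what the analyst examines next.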

While BOOTRASH was discovered targeting financial information in the attack disclosed by FireEye, the malware could easily be used to target virtually any data residing in a target system.

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.