Russian Hackers Using Bootkit to Steal Payment Data

“FIN1” Attackers Use Hard to Detect BOOTRASH Malware to Steal Financial Data

Incident responders from FireEye’s Mandiant group have discovered new tactics being used by cybercriminals to steal payment card data using highly sophisticated malware that hijacks the system boot process and executes before the operating system (OS) loads.


FireEye tracks the group behind the attacks as “FIN1”, believes it has Russian roots, and observed it using the “bootkit” malware, which infects low-level boot components rather than the operating system, to compromise a victim and steal cardholder data.

FIN1 is the longest-running cybercrime group tracked by FireEye and is known for stealing data from financial services organizations such as banks, credit unions, ATM operators, and other financial transaction service companies.

FireEye said that FIN1 traditionally deploys various forms of malware and attack tools under a “malware ecosystem” known as ‘Nemesis’ by the developer(s).

FireEye said it first discovered the bootkit activity, which is difficult to identify and detect, during a recent investigation at a customer involved in financial transaction processing.

“In early 2015, FIN1 updated their toolset to include a utility that modifies the legitimate system Volume Boot Record (VBR) and hijacks the system boot process to begin loading Nemesis components before the Windows operating system code. We refer to this utility as BOOTRASH,” FireEye explained in a report published Dec 7.

While FireEye did not provide many details on the attack itself, or suggest how many targets may have been hit with the malware, the security firm did provide some technical details on the bootkit malware used by FIN1.

Prior to installation, the BOOTRASH installer, which is capable of deploying 32-bit or 64-bit versions of Nemesis components, gathers statistics about the system, including the operating system version and architecture.

The installer will install the bootkit on any hard disk that has an MBR boot partition, FireEye said. If the disk uses the GUID Partition Table (GPT) scheme rather than MBR partitioning, the installation process stops.

The installer also checks whether a copy of BOOTRASH is already running on the system and whether the Microsoft .NET Framework 3.5 is installed, which the malware requires in order to run. If BOOTRASH is already running or the required .NET Framework version is not installed, the installer quits, FireEye said.

Interestingly, BOOTRASH also has the capability of restoring the original boot sector in the event that the attackers want to remove the hijacking process. However, FireEye said the feature only restores the original boot sector and does not remove a custom virtual file system or the backup VBR created by BOOTRASH.

Along with the details of the BOOTRASH malware, FireEye published a list of MD5 hashes associated with the threat, none of which SecurityWeek could find in VirusTotal at the time of publishing.

“Bootkits, such as BOOTRASH, are very difficult to detect because they have the potential to be installed and executed almost completely outside of the Windows operating system,” FireEye explained. “Because the malicious boot loader executes before Windows itself is fully loaded, it is not subject to typical operating system integrity checks.”

Because the malicious components used to inject the malware are stored in a custom virtual file system (VFS) outside the Windows file system, they are not scanned by anti-virus software, FireEye said.

“As a result, incident responders will need tools that can access and search raw disk forensic images for evidence of bootkits,” FireEye said. “Similarly, re-installing the operating system after a compromise is no longer sufficient. System administrators should perform a complete physical wipe of any systems compromised with a bootkit and then reload the operating system.”
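As an added example, not code from the SecurityWeek article or from FireEye's report, the following Python script shows the kind of raw-image triage FireEye is recommending. It parses the MBR partition table of a raw disk image, stops on a GPT disk (the same MBR-versus-GPT distinction the installer itself makes; GPT parsing is out of scope here), reads the Volume Boot Record of each MBR partition, and flags structural anomalies plus a bootstrap-code hash that differs from a known-good baseline. The disk images, the "clean" and "hijacked" boot-code bytes and the baseline hash are all constructed for the demonstration and do not represent BOOTRASH's actual code; the 512-byte sector size and the NTFS boot-sector layout (bootstrap code at offsets 0x54-0x1FD) are assumptions stated in the comments.

```python
"""Triage MBR partition tables and NTFS Volume Boot Records in a raw disk image.

Added example, not part of the SecurityWeek article or FireEye's report.
Assumes 512-byte sectors and the NTFS boot-sector layout (JMP, OEM ID,
BPB, bootstrap code at 0x54-0x1FD, 0x55AA signature at 0x1FE).
"""
import hashlib
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"
GPT_PROTECTIVE = 0xEE          # partition type of a GPT protective MBR entry
CODE_START, CODE_END = 0x54, 0x1FE
KNOWN_OEM_IDS = {b"NTFS    ", b"MSDOS5.0", b"MSWIN4.1", b"EXFAT   "}


def parse_mbr(mbr: bytes):
    """Return the non-empty entries of the four-slot MBR partition table."""
    if len(mbr) < SECTOR or mbr[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature: not a valid MBR")
    entries = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, start, size = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype != 0:
            entries.append({"type": ptype, "bootable": status == 0x80,
                            "start_lba": start, "sectors": size})
    return entries


def is_gpt_disk(entries) -> bool:
    return any(e["type"] == GPT_PROTECTIVE for e in entries)


def code_hash(vbr: bytes) -> str:
    """SHA-256 of the bootstrap-code region only; the BPB varies per volume."""
    return hashlib.sha256(vbr[CODE_START:CODE_END]).hexdigest()


def triage_vbr(vbr: bytes, baseline_code_sha256: str):
    """Return (code hash, list of findings) for one 512-byte VBR."""
    findings = []
    if vbr[510:512] != BOOT_SIG:
        findings.append("no 0x55AA boot signature")
    if vbr[0] not in (0xEB, 0xE9):
        findings.append("first byte is not a JMP (0x%02x)" % vbr[0])
    if vbr[3:11] not in KNOWN_OEM_IDS:
        findings.append("unexpected OEM ID %r" % vbr[3:11])
    digest = code_hash(vbr)
    if digest != baseline_code_sha256:
        findings.append("bootstrap code hash differs from known-good baseline")
    return digest, findings


def triage_image(image: bytes, baseline_code_sha256: str):
    """Walk every MBR partition and triage its VBR; GPT disks are reported, not parsed."""
    entries = parse_mbr(image[:SECTOR])
    if is_gpt_disk(entries):
        return {"gpt": True, "partitions": []}
    report = []
    for e in entries:
        off = e["start_lba"] * SECTOR
        digest, findings = triage_vbr(image[off:off + SECTOR], baseline_code_sha256)
        report.append({**e, "code_sha256": digest, "findings": findings})
    return {"gpt": False, "partitions": report}


# ---- constructed sample data (not real boot code, not BOOTRASH) ----------
CLEAN_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C"        # stand-in for a vendor boot stub
HIJACKED_CODE = b"\xE9\x00\x10" + b"\xCC" * 16           # stand-in for a hijacked stub


def make_mbr(entries):
    mbr = bytearray(SECTOR)
    for i, (ptype, bootable, start, size) in enumerate(entries):
        struct.pack_into("<B3xB3xII", mbr, 446 + 16 * i,
                         0x80 if bootable else 0, ptype, start, size)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


def make_ntfs_vbr(code: bytes) -> bytes:
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xEB\x52\x90"                    # JMP over the BPB
    vbr[3:11] = b"NTFS    "
    vbr[0x0B:0x0D] = struct.pack("<H", SECTOR)    # bytes per sector in the BPB
    vbr[CODE_START:CODE_END] = code.ljust(CODE_END - CODE_START, b"\x90")
    vbr[510:512] = BOOT_SIG
    return bytes(vbr)


def build_image(vbr: bytes, ptype: int = 0x07) -> bytes:
    """One partition starting at LBA 2048 (the usual 1 MiB alignment)."""
    image = bytearray(SECTOR * 2049)
    image[0:SECTOR] = make_mbr([(ptype, True, 2048, 1)])
    image[2048 * SECTOR:2049 * SECTOR] = vbr
    return bytes(image)


if __name__ == "__main__":
    baseline = code_hash(make_ntfs_vbr(CLEAN_CODE))   # taken from a known-clean system
    for label, img in (("clean", build_image(make_ntfs_vbr(CLEAN_CODE))),
                       ("hijacked", build_image(make_ntfs_vbr(HIJACKED_CODE))),
                       ("gpt", build_image(make_ntfs_vbr(CLEAN_CODE), ptype=GPT_PROTECTIVE))):
        print(label, triage_image(img, baseline))
```

In practice the baseline hash comes from the VBR of a trusted build of the same Windows version, and the image is read from a forensic copy (for example a `dd` image opened with the same slicing logic), never from the live system, since an active bootkit can lie to anything that asks the running OS for sector contents. A clean result from this check does not prove the absence of a bootkit, which is why FireEye recommends a full wipe rather than an OS reinstall.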

While BOOTRASH was discovered targeting financial information in the attack disclosed by FireEye, the malware could easily be used to target virtually any data residing in a target system.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
