Threat Management, Incident Response, Malware, TDR

Researchers spot BOOTRASH malware, executes before OS boot

Researchers at FireEye spotted the financial threat group FIN1 targeting payment card data using sophisticated malware dubbed “BOOTRASH” that executes before the operating system boots.

In early 2015, the threat group began using a utility dubbed BOOTRASH that modifies the legitimate system Volume Boot Record (VBR) and hijacks the system boot process to begin loading its malware ecosystem components, dubbed Nemesis, before the Windows operating system code, according to a Dec. 7 blog post.

In order to install BOOTRASH, the malware performs a complex multistep process that includes system checks, calculating available space and creating a virtual file system, hijacking the boot sector, installing the malware's ecosystem component, and ultimately hijacking the boot process.

“The goal is to maintain persistence on the target systems.  The malware is unique because it has a component that loads in the Volume Boot Record, making it hard to detect and remove,” Wayne Crowder, director of threat intelligence, RiskAnalytics told via email correspondence.

BOOTRASH also contains an uninstall option in case the threat actors want to remove the hijacking process. The process will restore the original boot sector but won't remove the custom virtual file system or backup VBR that the malware created, the FireEye post said.

Researchers said in the blog the group also uses a rarely seen technique known as a “bootkit” to infect lower-level system components making it very difficult to identify and detect.

The bootkit is difficult to detect because it has the potential to be installed and executed almost completely outside of the Windows operating making it undetectable to typical operating system integrity checks, the post said.

The location of the malware's installation allows it to persist even after a user reinstalls the operation system which is widely considered the most effective way to eradicate malware, the blog said.

Researchers recommend that incident responders used tools that can access and search raw disks at scale for evidence of bootkit and advised system administrators to perform a complete physical wipe of the compromised system before reloading the operating system.

“The group appears to be organized and will do what is needed to stay ahead of the security controls that may be in place to detect or block their malicious activity. The sharing of IOC's in a timely matter is crucial to detect further infections and stop the spread of these tactics,” Crowder said.

Crowder said that a multilayered defense would be the best way for a user to avoid infection.  

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.