Fin7 Cybercriminals Armed With New Bioload Malware

The malware is well protected against detection and resembles the BOOSTWRITE loader.

The FIN7 cybercrime group has armed itself with a new tool, BIOLOAD, used to load newer versions of the Carbanak backdoor. The malware is well protected against detection and resembles BOOSTWRITE, another loader in the FIN7 arsenal.

BIOLOAD uses a binary planting technique that abuses the order in which Windows searches for DLLs. In this way, an attacker can escalate privileges on the system or gain persistence.

Fortinet security researchers discovered a malicious DLL loaded by the legitimate FaceFodUninstaller.exe process, which has shipped with clean installations of Windows since Windows 10 (1803). The attackers place the malicious WinBio.dll file in the "\System32\WinBioPlugIns" folder, which contains the legitimate winbio DLL.
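A defender reading this will want to know how to spot the planted DLL rather than how it is planted. The following script is an added example, not part of the original post or of Fortinet's research: it triages constructed Sysmon-style image-load records (field names Image, ImageLoaded and Signed are an assumption about the log source) and flags any winbio.dll that is loaded from somewhere other than the System32 directory, is unsigned, or is pulled in by FaceFodUninstaller.exe. A second helper compares a listing of the WinBioPlugIns folder against a baseline so that a newly dropped DLL stands out. All sample data below is constructed.

```python
"""Triage winbio.dll image loads and baseline the WinBioPlugIns folder (added example)."""
from pathlib import PureWindowsPath

# Locations from the post: the legitimate winbio.dll belongs in System32, while the
# planted copy is dropped into the System32\WinBioPlugIns plug-in directory.
EXPECTED_WINBIO_DIR = PureWindowsPath(r"C:\Windows\System32")
TARGET_PROCESS = "facefoduninstaller.exe"  # process abused by BIOLOAD per the post


def winbio_load_findings(event):
    """Return the reasons an image-load event looks suspicious (empty list if benign).

    `event` is a dict with Sysmon Event ID 7 style fields Image, ImageLoaded, Signed;
    those field names are an assumption about the log source, not taken from the post.
    """
    loaded = PureWindowsPath(event["ImageLoaded"])
    if loaded.name.lower() != "winbio.dll":
        return []  # only winbio.dll is the hijack target described here
    reasons = []
    # PureWindowsPath equality is case-insensitive, matching NTFS behaviour.
    if loaded.parent != EXPECTED_WINBIO_DIR:
        reasons.append(f"winbio.dll loaded from unexpected directory {loaded.parent}")
    if str(event.get("Signed", "")).lower() != "true":
        reasons.append("winbio.dll is not signed")
    if reasons and PureWindowsPath(event["Image"]).name.lower() == TARGET_PROCESS:
        reasons.append("loaded by FaceFodUninstaller.exe, the process abused by BIOLOAD")
    return reasons


def triage(events):
    """Map the index of every suspicious event to its list of reasons."""
    hits = {}
    for index, event in enumerate(events):
        reasons = winbio_load_findings(event)
        if reasons:
            hits[index] = reasons
    return hits


def unexpected_plugin_dlls(listing, baseline):
    """Return DLL names present in a WinBioPlugIns listing but absent from a known-good baseline.

    Comparison is case-insensitive and limited to .dll files.
    """
    known = {name.lower() for name in baseline}
    return sorted(name for name in listing
                  if name.lower().endswith(".dll") and name.lower() not in known)


# Constructed sample events: one benign load, one planted DLL, one unrelated plug-in load.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\FaceFodUninstaller.exe",
     "ImageLoaded": r"C:\Windows\System32\winbio.dll", "Signed": "true"},
    {"Image": r"C:\Windows\System32\FaceFodUninstaller.exe",
     "ImageLoaded": r"C:\Windows\System32\WinBioPlugIns\WinBio.dll", "Signed": "false"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\WinBioPlugIns\FaceDriver.dll", "Signed": "true"},
]

# Constructed baseline and current listing of the plug-in folder (names are illustrative).
BASELINE_LISTING = ["FaceDriver.dll", "FaceCredentialProvider.dll"]
CURRENT_LISTING = ["FaceDriver.dll", "FaceCredentialProvider.dll", "WinBio.dll", "readme.txt"]

if __name__ == "__main__":
    for index, reasons in triage(SAMPLE_EVENTS).items():
        print(f"event {index}: " + "; ".join(reasons))
    print("new DLLs in WinBioPlugIns:", unexpected_plugin_dlls(CURRENT_LISTING, BASELINE_LISTING))
```

The directory check is the cheap, high-signal one: on a clean host nothing named winbio.dll belongs in the plug-in folder, so any copy there is worth a second look regardless of its signature state.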

Experts have found similarities between BIOLOAD and BOOSTWRITE. The BOOSTWRITE loader uses the DLL Search Order Hijacking technique to load its own malicious DLLs into the memory of the infected system, and then it loads the initialization vector and the key needed to decrypt the embedded payloads.

Researchers also noticed some differences. BIOLOAD does not support multiple payloads, and it uses XOR to decrypt the payload instead of the ChaCha cipher. BIOLOAD also does not connect to a remote server to obtain the decryption key: it is built for each victim's system individually and obtains the decryption key from that system.

According to the experts, based on the malware's compilation dates and its behavior, this loader is the predecessor of BOOSTWRITE.

The detected malware shows that FIN7 is actively developing loaders for its backdoors. While BIOLOAD was used to load Carbanak onto an infected host, the more recent BOOSTWRITE loader was used to load the RDFSNIFFER remote access tool, which "cracks" the NCR Aloha Command Center client application and interacts with victim systems through its two-factor-authenticated connection.