Bootrash Uses Volume Boot Record to Exploit Financial Services
FireEye reports that FIN1 financial services hackers are making use of bootkit malware to infect organizations.

Security vendor FireEye today is warning about the increased use of a type of attack known as a bootkit. The FIN1 financial hacker group has been using the Bootrash bootkit as part of its Nemesis malware to infect organizations, FireEye has reported. Rootkits, malware that infects the base operations of an operating system, are well known; bootkits go a step further.

"A bootkit is a more advanced type of rootkit that infects a system's boot process by targeting the Master Boot Record, Volume Boot Record or boot sector," Michael Oppenheim, intelligence operations manager at FireEye, explained to eWEEK. "The malicious code is executed before the operating system is fully loaded, and the components are stored outside of the Windows file system. This makes it much more difficult to identify and detect."

While FireEye is now warning about the risk of Bootrash, real-world deployment is still fairly limited. To date, FireEye has observed very few cases involving the use of bootkits by targeted threat actors, according to Oppenheim. The case it has observed is tied to a financial hacking group it has identified as FIN1, whose activity FireEye has tracked back to at least 2010.
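The quote above describes what defines a bootkit: code in the Master Boot Record or Volume Boot Record that runs before the OS and lives outside the file system, so file-based scanning never sees it. The practical check is to read the raw sectors and compare them with a trusted baseline. The Python below is an added example, not code from the article, FireEye or any Bootrash sample: it parses a classic MBR and an NTFS VBR using their standard on-disk layout (0x55AA signature, partition table at offset 446, NTFS OEM ID at offset 3, BPB at offset 11), checks structural invariants, and hashes the bootstrap-code regions against a baseline. The sector images, their "boot code" bytes and the baseline are constructed stand-ins for this demonstration, not real loader code.

```python
"""Audit raw MBR/VBR sectors against a trusted baseline (added example)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
MBR_BOOT_CODE = slice(0, 440)      # bootstrap code precedes the disk signature at 440
NTFS_BOOT_CODE = slice(0x54, 510)  # NTFS bootstrap code follows the BPB/EBPB (ends at 0x54)


def parse_mbr(sector: bytes) -> dict:
    """Parse a classic (non-GPT) MBR: bootstrap-code hash, disk signature, partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("MBR lacks the 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, sector_count = struct.unpack_from("<II", sector, off + 8)
        if ptype == 0:
            continue  # empty table slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sector_count": sector_count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[MBR_BOOT_CODE]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
    }


def parse_ntfs_vbr(sector: bytes) -> dict:
    """Parse an NTFS volume boot record: entry jump, BPB basics, bootstrap-code hash."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("VBR is not a signed 512-byte sector")
    if sector[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS VBR (OEM ID mismatch)")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 11)
    mft_cluster = struct.unpack_from("<Q", sector, 0x30)[0]
    return {
        "jump": sector[0:3].hex(),             # the 3-byte jump into the bootstrap code
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "mft_cluster": mft_cluster,
        "boot_code_sha256": hashlib.sha256(sector[NTFS_BOOT_CODE]).hexdigest(),
    }


def audit_boot_sectors(mbr: bytes, vbr: bytes, baseline: dict) -> list:
    """Compare live sectors with a trusted baseline; return a list of findings."""
    findings = []
    m, v = parse_mbr(mbr), parse_ntfs_vbr(vbr)
    if m["boot_code_sha256"] != baseline["mbr_boot_code_sha256"]:
        findings.append("MBR bootstrap code differs from baseline")
    if v["boot_code_sha256"] != baseline["vbr_boot_code_sha256"]:
        findings.append("VBR bootstrap code differs from baseline")
    if v["jump"] != baseline["vbr_jump"]:
        findings.append(f"VBR entry jump changed: {baseline['vbr_jump']} -> {v['jump']}")
    active = [p for p in m["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    if v["bytes_per_sector"] != SECTOR_SIZE:
        findings.append(f"unexpected bytes per sector: {v['bytes_per_sector']}")
    return findings


# --- constructed sample sectors (layout is real, the loader bytes are stand-ins) ---
def _build_mbr(boot_code: bytes) -> bytes:
    code = boot_code.ljust(440, b"\x00")
    disk_sig = struct.pack("<I", 0x1234ABCD)                    # constructed disk signature
    entry = bytes([0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF])  # active, type 0x07 (NTFS)
    entry += struct.pack("<II", 2048, 204800)                    # LBA start, sector count
    return code + disk_sig + b"\x00\x00" + entry + b"\x00" * 48 + BOOT_SIGNATURE


def _build_vbr(boot_code: bytes, jump: bytes = b"\xEB\x52\x90") -> bytes:
    header = jump + b"NTFS    " + struct.pack("<HB", 512, 8)    # offsets 0..13
    rest = bytearray(0x54 - len(header))                        # remaining BPB/EBPB bytes
    struct.pack_into("<Q", rest, 0x30 - len(header), 786432)    # MFT cluster at offset 0x30
    code = boot_code.ljust(510 - 0x54, b"\x00")
    return header + bytes(rest) + code + BOOT_SIGNATURE


STAND_IN_LOADER = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 32   # constructed bytes
GOOD_MBR = _build_mbr(STAND_IN_LOADER)
GOOD_VBR = _build_vbr(STAND_IN_LOADER)
# Constructed "infected" VBR: same layout, bootstrap code replaced by different bytes.
TAMPERED_VBR = _build_vbr(b"\xB8\x00\x00\x8E\xC0\xBE\x00\x7E" + b"\x90" * 32)

# Baseline recorded from the known-good sectors (in practice: at install time or offline).
BASELINE = {
    "mbr_boot_code_sha256": parse_mbr(GOOD_MBR)["boot_code_sha256"],
    "vbr_boot_code_sha256": parse_ntfs_vbr(GOOD_VBR)["boot_code_sha256"],
    "vbr_jump": parse_ntfs_vbr(GOOD_VBR)["jump"],
}

if __name__ == "__main__":
    print("clean  :", audit_boot_sectors(GOOD_MBR, GOOD_VBR, BASELINE))
    print("tampered:", audit_boot_sectors(GOOD_MBR, TAMPERED_VBR, BASELINE))
```

On a live host the two sectors come from the raw device (for example `\\.\PhysicalDrive0` on Windows or `/dev/sda` on Linux, with administrative rights), and the VBR is read from the active partition's `lba_start`. Because a kernel-mode component loaded by the bootkit can filter those reads, the trustworthy comparison is against an image taken with the disk offline or against sectors captured from a known-good build, and the baseline must be refreshed whenever the OS legitimately rewrites the boot sector, such as after a bootloader update.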
"We suspect FIN1 may be located in Russia or a Russian-speaking country based on language settings in many of their custom tools," he said. "We cannot speculate on law enforcement's knowledge of the group or any actions they may have taken to apprehend them."