Bootrash Uses Volume Boot Record to Exploit Financial Services

FireEye reports that FIN1 financial services hackers are making use of bootkit malware to infect organizations.


Security vendor FireEye today is warning about the use of a bootkit, a class of malware that subverts a system's boot process before the operating system loads. The FIN1 financial hacker group has been using the Bootrash bootkit as part of its Nemesis malware to infect organizations, FireEye has reported.

Rootkits, malware that embeds itself in the kernel or other core components of an operating system in order to hide and persist, are well-known; bootkits go a step further.

"A bootkit is a more advanced type of rootkit that infects a system's boot process by targeting the Master Boot Record, Volume Boot Record or boot sector," Michael Oppenheim, intelligence operations manager at FireEye, explained to eWEEK. "The malicious code is executed before the operating system is fully loaded, and the components are stored outside of the Windows file system. This makes it much more difficult to identify and detect."
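As an added illustration of the boot-record tampering Oppenheim describes (editor-written example code, not FireEye's tooling or anything taken from its Nemesis analysis), the Python below parses a Master Boot Record and an NTFS Volume Boot Record, fingerprints the bootstrap code in each, and compares a disk image against a baseline captured from a known-clean machine. Because a boot-level implant's components live outside the Windows file system, the check also flags non-zero sectors in the gap before the first partition; that heuristic is noisy on real hardware, since legitimate boot loaders also use that space. The disk images, partition layout (first partition at LBA 4 rather than the usual 2048) and "payload" bytes are all constructed inline.

```python
import hashlib
import struct

SECTOR = 512
MBR_CODE_LEN = 446        # bootstrap code precedes the four 16-byte partition entries
NTFS_OEM_ID = b"NTFS    "
NTFS_CODE_OFF = 0x54      # end of the NTFS BIOS Parameter Block; bootstrap code runs to 0x1FE
LBA_START = 4             # constructed first partition; real disks usually start at LBA 2048


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into its bootstrap code and the non-empty partition table entries."""
    if len(sector) != SECTOR or sector[510:] != b"\x55\xaa":
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    partitions = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, MBR_CODE_LEN + 16 * i)
        if ptype:
            partitions.append({"active": status == 0x80, "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code": sector[:MBR_CODE_LEN], "partitions": partitions}


def parse_ntfs_vbr(sector: bytes) -> dict:
    """Parse the NTFS BPB fields a triage needs and split off the bootstrap code."""
    if len(sector) != SECTOR or sector[510:] != b"\x55\xaa":
        raise ValueError("not a boot sector: wrong length or missing 0x55AA signature")
    if sector[3:11] != NTFS_OEM_ID:
        raise ValueError("OEM ID is not NTFS")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    total_sectors, mft_cluster = struct.unpack_from("<QQ", sector, 0x28)
    return {"bytes_per_sector": bytes_per_sector, "sectors_per_cluster": sectors_per_cluster,
            "total_sectors": total_sectors, "mft_cluster": mft_cluster,
            "boot_code": sector[NTFS_CODE_OFF:510]}


def ntfs_vbrs(disk: bytes, mbr: dict):
    """Yield (lba, sector) for every partition whose first sector carries the NTFS OEM ID."""
    for p in mbr["partitions"]:
        off = p["lba_start"] * SECTOR
        vbr = disk[off:off + SECTOR]
        if vbr[3:11] == NTFS_OEM_ID:
            yield p["lba_start"], vbr


def baseline(disk: bytes) -> dict:
    """Fingerprint the MBR and every NTFS VBR bootstrap on a known-clean disk image."""
    mbr = parse_mbr(disk[:SECTOR])
    base = {"mbr": sha256(mbr["boot_code"])}
    for lba, vbr in ntfs_vbrs(disk, mbr):
        base[f"vbr@{lba}"] = sha256(parse_ntfs_vbr(vbr)["boot_code"])
    return base


def check(disk: bytes, base: dict) -> list:
    """Compare a disk image's boot records against the baseline; return findings."""
    findings = []
    mbr = parse_mbr(disk[:SECTOR])
    if sha256(mbr["boot_code"]) != base["mbr"]:
        findings.append("MBR bootstrap code differs from baseline")
    for lba, vbr in ntfs_vbrs(disk, mbr):
        key = f"vbr@{lba}"
        if key not in base:
            findings.append(f"NTFS volume at LBA {lba} absent from baseline")
        elif sha256(parse_ntfs_vbr(vbr)["boot_code"]) != base[key]:
            findings.append(f"VBR bootstrap code at LBA {lba} differs from baseline")
    # Heuristic: code loaded from a boot record must live somewhere outside the file system,
    # and the gap before the first partition is one such place. Legitimate boot loaders use
    # it too, so non-zero sectors here are a lead to inspect, not a verdict.
    first = min((p["lba_start"] for p in mbr["partitions"]), default=1)
    used = [lba for lba in range(1, first) if any(disk[lba * SECTOR:(lba + 1) * SECTOR])]
    if used:
        findings.append(f"{len(used)} non-zero sector(s) in the gap before the first partition: {used}")
    return findings


# Constructed sample images below; none of this is real disk data.
def make_mbr(boot_code: bytes, lba: int, count: int) -> bytes:
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, lba, count)        # active, type 0x07 (NTFS)
    return boot_code.ljust(MBR_CODE_LEN, b"\0") + entry + b"\0" * 48 + b"\x55\xaa"


def make_ntfs_vbr(boot_code: bytes, total_sectors: int) -> bytes:
    head = (b"\xeb\x52\x90" + NTFS_OEM_ID + struct.pack("<HB", 512, 8)).ljust(0x28, b"\0")
    head += struct.pack("<QQ", total_sectors, 4)                     # total sectors, MFT cluster
    return head.ljust(NTFS_CODE_OFF, b"\0") + boot_code.ljust(510 - NTFS_CODE_OFF, b"\0") + b"\x55\xaa"


def make_disk(vbr_code: bytes, gap: bytes = b"") -> bytes:
    """MBR, (LBA_START - 1) gap sectors, then a 16-sector NTFS partition."""
    gap_sectors = gap.ljust((LBA_START - 1) * SECTOR, b"\0")
    return (make_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c", LBA_START, 16) + gap_sectors
            + make_ntfs_vbr(vbr_code, 16) + b"\0" * SECTOR * 15)


CLEAN = make_disk(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")      # stand-in for a stock NTFS bootstrap
BASE = baseline(CLEAN)
# "Infected" image: the VBR bootstrap is replaced and a blob is parked in the partition gap.
INFECTED = make_disk(b"\xfa\xe9\x00\x01", gap=b"\0" * SECTOR + b"PAYLOAD")

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("infected", INFECTED)):
        print(name, check(img, BASE) or ["no findings"])
```

In practice the baseline hashes come from a golden image of the same OS build, and the raw sectors from the physical device (for example `\\.\PhysicalDrive0` on Windows or `/dev/sda` on Linux) rather than from an in-memory image; reading them from a booted system through the kernel is still subject to rootkit interception, so an offline read from a live-CD or a forensic image is the stronger check.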

While FireEye is now warning about the risk of Bootrash, real-world deployment is still fairly limited: to date, FireEye has observed very few cases of targeted threat actors using bootkits, according to Oppenheim. The case it has observed is tied to a financial hacking group it tracks as FIN1, whose activity FireEye has observed dating back to at least 2010.

"We suspect FIN1 may be located in Russia or a Russian-speaking country based on language settings in many of their custom tools," he said. "We cannot speculate on law enforcement's knowledge of the group or any actions they may have taken to apprehend them."

Based on FireEye's analysis, FIN1 is using a malware kit identified as Nemesis, which alongside Bootrash includes a collection of attacker backdoors and utilities. When a malware kit is in use, it is often possible to identify the command-and-control node and block infected machines from reaching it. According to Oppenheim, however, simply blocking the command-and-control IP address is not enough to fully secure an organization.

"While an organization may be able to prevent the backdoor components from communicating with the command and control, it would need to take a more comprehensive approach to ensure all of the malicious components have been removed and that attackers can no longer access the environment," Oppenheim said.

Many modern desktop operating systems now support the Unified Extensible Firmware Interface (UEFI) Secure Boot mechanism, under which the firmware verifies the digital signature of each boot component before executing it, so that only authorized software loads. Microsoft's latest version of Windows is among those that make use of Secure Boot, which can help limit the risk of a bootkit.

"It does not appear that with Secure Boot enabled on the machine the Bootrash malware would work," Oppenheim said. "Bootrash relies on the BIOS calling it and intercepting BIOS calls. UEFI checks to make sure the boot code it is loading is signed by Microsoft."
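To turn the Secure Boot point into something an administrator can verify, here is an added Python example (editor-written, not from FireEye or eWEEK) that reads the UEFI SecureBoot and SetupMode variables through Linux efivarfs and decides whether signature enforcement is actually in effect. The sample variable blobs are constructed; the Windows registry path in the comment is noted only as the equivalent location and is not read here.

```python
import os
from typing import Optional

EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"   # EFI_GLOBAL_VARIABLE, owns SecureBoot/SetupMode
EFIVARS = "/sys/firmware/efi/efivars"                        # Linux efivarfs mount point
# On Windows the equivalent is the registry value
# HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\State\UEFISecureBootEnabled
# (or the Confirm-SecureBootUEFI cmdlet in PowerShell); not exercised here.

# Constructed efivarfs blobs: 4-byte attribute word (0x06 = BS|RT) followed by one data byte.
SECURE_BOOT_ON = b"\x06\x00\x00\x00\x01"
SETUP_MODE_OFF = b"\x06\x00\x00\x00\x00"


def efivar_u8(blob: bytes) -> int:
    """Return the single data byte of an efivarfs file, skipping the 4-byte attribute prefix."""
    if len(blob) < 5:
        raise ValueError("efivar blob too short: expected 4 attribute bytes plus data")
    return blob[4]


def secure_boot_enforcing(secure_boot: Optional[int], setup_mode: Optional[int]) -> bool:
    """Signature checks are only enforced when SecureBoot == 1 and the firmware is not in
    setup mode (SetupMode == 0, i.e. a Platform Key is enrolled). Per the UEFI spec SecureBoot
    should read 0 whenever SetupMode is 1, but checking both is cheap and catches firmware
    that reports the two inconsistently."""
    return secure_boot == 1 and setup_mode == 0


def read_efivar_u8(name: str) -> Optional[int]:
    """Read a one-byte global EFI variable from efivarfs; None if unavailable (legacy BIOS
    boot, efivarfs not mounted, or insufficient permission)."""
    try:
        with open(os.path.join(EFIVARS, f"{name}-{EFI_GLOBAL_GUID}"), "rb") as fh:
            return efivar_u8(fh.read())
    except OSError:
        return None


def host_secure_boot_status() -> str:
    sb, sm = read_efivar_u8("SecureBoot"), read_efivar_u8("SetupMode")
    if sb is None:
        return "unknown: no EFI variables (legacy BIOS boot or efivarfs not mounted)"
    state = "enforcing" if secure_boot_enforcing(sb, sm) else "NOT enforcing"
    return f"{state} (SecureBoot={sb}, SetupMode={sm})"


if __name__ == "__main__":
    print(host_secure_boot_status())
```

A machine that boots in legacy BIOS mode has no EFI variables at all, which is exactly the configuration in which an MBR- or VBR-based bootkit like Bootrash can run unchallenged, so "unknown" from this check is itself a finding worth following up.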

Overall, though, Oppenheim suggests implementing basic security best practices for networks and endpoints to help protect organizations from the Nemesis and Bootrash malware.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.