A threat group that steals mostly payment card data from financial services organizations has added a bootkit utility to its malware toolkit. This new capability ensures that the malware persists on the targeted organizations’ systems even after the operating system is reinstalled.
FireEye researchers identify the group as FIN1, and believe it to be located in a Russian-speaking country. The researchers discovered their presence during a recent investigation at an unnamed organization in the financial industry.
“Nemesis, the malware ecosystem used by FIN1, includes comprehensive backdoors that support a variety of network protocols and communication channels for command and control. It provides a robust set of capabilities, including: file transfer, screen capture, keystroke logging, process injection, process manipulation, and task scheduling,” they explained.
“The threat group continually updated the Nemesis malware during their ongoing access to the victim environment, deploying several different variants of the same tools and adding functionality between iterations. In early 2015, FIN1 updated their toolset to include a utility that modifies the legitimate system Volume Boot Record (VBR) and hijacks the system boot process to begin loading Nemesis components before the Windows operating system code. We refer to this utility as Bootrash.”
[Figure: a normal boot process]
[Figure: the boot process as hijacked by the attackers]
The Bootrash installer won’t install if a copy of it is already running on the system, or if the Microsoft .NET 3.5 framework is not present. It also will not install the bootkit on any hard disk that uses the modern GUID Partition Table (GPT) disk layout.
“Bootkits, such as Bootrash, are very difficult to detect because they have the potential to be installed and executed almost completely outside of the Windows operating system,” the researchers explained, describing the main problem this new development presents to defenders.
“Because the malicious boot loader executes before Windows itself is fully loaded, it is not subject to typical operating system integrity checks. The components used to load the malware payload are not scanned by anti-virus software, because they are stored in a VFS outside the Windows file system. In addition, the malware components themselves are stored either in the VFS or the Windows registry – another location not typically scanned by anti-virus. This leaves live memory as the only location where the malware is likely to be detected; and unless the bootkit and VFS components are removed, the malware will execute and load every time the system starts. Wiping the operating system partition and re-installing will not remove the bootkit or VFS components written to unallocated space.”
Defenders are advised to use tools that can access and search raw disks at scale for evidence of bootkits, and to perform a complete physical wipe of any system that has been compromised.
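As an added illustration of the raw-disk check recommended above (example code written for this article, not FireEye's tooling), the following Python script parses the MBR of a disk image, hashes the bootstrap code region of each NTFS Volume Boot Record and flags any VBR whose code differs from a known-good baseline; it also skips GPT disks, which the article notes Bootrash does not target. The two-sector sample image, its baseline hash and the placeholder bootstrap bytes are constructed for the demonstration and are not real Windows boot code.

```python
import hashlib
import struct

SECTOR = 512
NTFS_CODE = slice(0x54, 0x1FE)   # NTFS bootstrap code follows the extended BPB at 0x54

def mbr_partitions(image):
    """Parse the four primary partition entries of a classic MBR."""
    mbr = image[:SECTOR]
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("MBR lacks 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i:462 + 16 * i]
        lba, count = struct.unpack("<II", entry[8:16])
        if entry[4]:                              # type 0 means unused entry
            parts.append({"type": entry[4], "lba": lba, "sectors": count})
    return parts

def vbr_code_hash(image, lba):
    """SHA-256 of the VBR code region only; BPB fields vary per volume and are skipped."""
    vbr = image[lba * SECTOR:(lba + 1) * SECTOR]
    if vbr[510:512] != b"\x55\xaa":
        raise ValueError(f"VBR at LBA {lba} lacks boot signature")
    return hashlib.sha256(vbr[NTFS_CODE]).hexdigest()

def scan_image(image, baseline_hash):
    """Compare every NTFS partition's VBR code against a known-good hash."""
    parts = mbr_partitions(image)
    if any(p["type"] == 0xEE for p in parts):   # protective MBR means a GPT disk
        return [{"note": "GPT disk: MBR-style VBR check not applicable"}]
    findings = []
    for p in parts:
        if p["type"] != 0x07:                   # 0x07 = NTFS/exFAT/HPFS partition id
            continue
        h = vbr_code_hash(image, p["lba"])
        findings.append({"lba": p["lba"], "hash": h, "modified": h != baseline_hash})
    return findings

def build_sample_image(tampered=False):
    """Constructed image: MBR + one NTFS VBR with placeholder (not real) bootstrap code."""
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 1, 1)
    mbr = bytes(446) + entry + bytes(48) + b"\x55\xaa"
    vbr = bytearray(b"\xeb\x52\x90NTFS    " + bytes(0x54 - 11))   # jump, OEM id, zeroed BPB
    vbr += (b"CLEAN-BOOTSTRAP-PLACEHOLDER" * 16)[:0x1FE - 0x54] + b"\x55\xaa"
    if tampered:
        vbr[0x54:0x5A] = b"ALTERD"              # simulate a VBR whose code region was rewritten
    return mbr + bytes(vbr)

# In practice the baseline comes from a clean reference install of the same Windows build.
BASELINE = vbr_code_hash(build_sample_image(), 1)
```

Run `scan_image(open("disk.img", "rb").read(), BASELINE)` against a raw image to list each NTFS VBR and whether its code region matches the baseline.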
FireEye has also shared MD5 hashes of files associated with the threat.