Security experts at a company called FireEye have found a financial threat group, FIN1, that targets card-payment data using a sophisticated piece of malware known as “BOOTRASH”. This malware executes before the operating system starts.
The malware was introduced earlier this year. The threat group used it to modify the legitimate system Volume Boot Record (VBR). Once the VBR has been modified, the malware takes over the boot process and runs its components before the operating system loads.
The malware installs itself on the computer through a series of steps: it performs system checks, calculates the available space and creates a virtual file system, hijacks the boot process, installs its components, and finally takes full control of the startup sequence.
“The main focus of the threat is to remain in the victim system for long. BOOTRASH stands out from other viruses since it attacks the VBR, which makes detection and eradication hard,” said Wayne Crowder of RiskAnalytics.
BOOTRASH can be uninstalled. The attackers would use the uninstall option if they wanted to stop it from hijacking the boot process. Uninstalling restores the original boot sector, but neither the virtual file system created by the malware nor the backup copy of the VBR it made is removed, a post by FireEye stated.
Experts at the company also highlighted that the group behind this malware has used a very rare technique, a bootkit, which attacks low-level components of the computer; this makes the malware very hard to detect. A bootkit is rarely detected because it installs and executes outside the operating system, so a typical system check will not identify the malware, the post went on to explain.
The location where the malware installs makes it extremely persistent: a computer is likely to remain infected even after the operating system has been wiped and a new one installed. Reinstalling the operating system is usually considered one of the best ways to remove malware and viruses. The blog post advised using tools that perform a deep search of the raw disk to spot the bootkit. Compromised systems should be manually formatted before the operating system is reloaded.
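A minimal version of the raw-disk check the post recommends, added here as an example that is not FireEye's tool or the article's code: it reads one 512-byte boot sector, sanity-checks the NTFS VBR fields, and compares the sector's hash against a known-good baseline. The sample VBR is constructed inside the script so it runs offline, and the device path in read_vbr is an assumption for real use.

```python
"""Baseline check for an NTFS Volume Boot Record (VBR).

A VBR bootkit replaces the legitimate boot sector, so the simplest
defensive check is to read the partition's first sector from the raw
disk and compare it with a known-good hash taken from a clean build.
The sector built below is CONSTRUCTED for this example, not a real image.
"""
import hashlib
import struct

SECTOR_SIZE = 512

def build_sample_vbr() -> bytes:
    """Construct a plausible NTFS VBR: jump, OEM ID, BPB fields, 0x55AA."""
    vbr = bytearray(SECTOR_SIZE)
    vbr[0:3] = b"\xEB\x52\x90"                  # JMP +0x52 ; NOP
    vbr[3:11] = b"NTFS    "                     # OEM ID
    struct.pack_into("<HB", vbr, 11, 512, 8)    # bytes/sector, sectors/cluster
    vbr[21] = 0xF8                              # media descriptor: fixed disk
    struct.pack_into("<Q", vbr, 40, 0x1FFFFF)   # total sectors
    vbr[510:512] = b"\x55\xAA"                  # boot signature
    return bytes(vbr)

def parse_vbr(sector: bytes) -> dict:
    """Pull the fields a raw-disk scanner would sanity-check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("VBR must be exactly one 512-byte sector")
    return {
        "jump": sector[0:3],
        "oem_id": sector[3:11].decode("ascii", "replace"),
        "bytes_per_sector": struct.unpack_from("<H", sector, 11)[0],
        "sectors_per_cluster": sector[13],
        "signature_ok": sector[510:512] == b"\x55\xAA",
    }

def sha256_hex(sector: bytes) -> str:
    return hashlib.sha256(sector).hexdigest()

def vbr_status(sector: bytes, baseline_sha256: str) -> str:
    """'invalid' (no boot signature), 'modified' (hash mismatch) or 'clean'."""
    if not parse_vbr(sector)["signature_ok"]:
        return "invalid"
    return "clean" if sha256_hex(sector) == baseline_sha256 else "modified"

def read_vbr(raw_device: str, partition_offset: int) -> bytes:
    """Read a VBR from a raw device or image (assumed path, e.g. /dev/sda)."""
    with open(raw_device, "rb") as fh:
        fh.seek(partition_offset)
        return fh.read(SECTOR_SIZE)

if __name__ == "__main__":
    baseline = build_sample_vbr()
    good = sha256_hex(baseline)
    tampered = bytearray(baseline)
    tampered[1] = 0x70   # initial JMP redirected, as a boot-code hijack would do
    print(vbr_status(baseline, good), vbr_status(bytes(tampered), good))
```

Run it against each partition's first sector on a suspect disk and against the same offset on a clean build of the same image; any "modified" or "invalid" result is what the raw-disk scan is meant to surface.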
“The group is equipped and very organized. It has the knowledge and expertise to put in place systems that will bypass any security protocol placed to detect their heinous activities. To stop more infections of the malware, sharing IOCs is very important as it will stop the spread.”
Crowder also pointed out that a multi-layered security system would be the best way to stop further infection.