Researchers spot BOOTRASH malware, executes before OS boot

Stealthy and fast: Nemesis now installs and executes before the system boots

Researchers at FireEye spotted that the financial threat group FIN1 has upgraded its Nemesis malware family to include BOOTRASH, a bootkit virus. 

Bootkits are a rarely seen type of malware that execute before the operating system boots, making them harder to detect and remove. According to a FireEye blog post, FIN1 started using BOOTRASH in early 2015. 

Bootkits modify the legitimate system Volume Boot Record (VBR) to hijack the system boot process and load its malware ecosystem components before the Windows operating system code.

In order to install BOOTRASH, the malware performs a complex multistep process that includes system checks, calculating available space and creating a virtual file system, hijacking the boot sector, installing the malware's ecosystem component and ultimately hijacking the boot process.

“The goal is to maintain persistence on the target systems. The malware is unique because it has a component that loads in the Volume Boot Record, making it hard to detect and remove,” Wayne Crowder, director of threat intelligence at RiskAnalytics, told SCMagazine.com via email.

BOOTRASH also contains an uninstall option in case the threat actors want to remove the hijacking process. The process will restore the original boot sector but won't remove the custom virtual file system or backup VBR that the malware created, the FireEye post said.

The location of the malware's installation allows it to persist even after a user reinstalls the operating system, which is widely considered the most effective way to eradicate malware, the blog said.

Researchers recommend that incident responders use tools that can access and search raw disks at scale for evidence of a bootkit, and advise system administrators to perform a complete physical wipe of the compromised system before reloading the operating system.
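As an added defensive example (not code from FireEye, RiskAnalytics or the article), the following Python checker parses an NTFS Volume Boot Record read from a raw disk image, validates its fixed fields, and compares the bootstrap-code region against a known-good hash, which is the kind of raw-disk integrity sweep the researchers recommend. The field offsets are the standard NTFS boot sector layout; the sample sectors, the baseline hash and the fake image are constructed for the demonstration.

```python
import hashlib
import struct

SECTOR = 512
NTFS_OEM = b"NTFS    "

def parse_ntfs_vbr(vbr: bytes) -> dict:
    """Split one 512-byte NTFS VBR: jump (0x00), OEM ID (0x03), BIOS
    Parameter Block (0x0B-0x53), bootstrap code (0x54-0x1FD), 0x55AA (0x1FE)."""
    if len(vbr) != SECTOR:
        raise ValueError("VBR must be exactly one 512-byte sector")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", vbr, 0x0B)
    return {"oem_id": vbr[0x03:0x0B], "bytes_per_sector": bytes_per_sector,
            "sectors_per_cluster": sectors_per_cluster, "bpb": vbr[0x0B:0x54],
            "boot_code": vbr[0x54:0x1FE], "signature": vbr[0x1FE:0x200]}

def check_vbr(vbr: bytes, baseline_code_sha256: str) -> list:
    """Return findings for one VBR; an empty list means it matches the baseline."""
    p = parse_ntfs_vbr(vbr)
    findings = []
    if p["signature"] != b"\x55\xAA":
        findings.append("missing 0x55AA boot signature")
    if p["oem_id"] != NTFS_OEM:
        findings.append("unexpected OEM ID %r" % p["oem_id"])
    if p["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        findings.append("implausible bytes-per-sector %d" % p["bytes_per_sector"])
    # A VBR bootkit typically leaves the BPB valid (the volume must still mount)
    # and swaps only the bootstrap code, so hash that region and compare it to
    # a known-good value taken from a trusted install of the same OS build.
    if hashlib.sha256(p["boot_code"]).hexdigest() != baseline_code_sha256:
        findings.append("bootstrap code differs from known-good baseline")
    return findings

def scan_image(image: bytes, vbr_offsets, baseline_code_sha256: str) -> dict:
    """Check the VBR at each byte offset of a raw disk image; {offset: findings}."""
    return {off: check_vbr(image[off:off + SECTOR], baseline_code_sha256)
            for off in vbr_offsets}

# --- constructed sample sectors (not real boot code, not a real disk) ---
def make_sample_vbr(boot_code: bytes) -> bytes:
    bpb = struct.pack("<HB", 512, 8) + bytes(0x54 - 0x0E)     # 512 B/sector, 8 sectors/cluster
    return (b"\xEB\x52\x90" + NTFS_OEM + bpb
            + boot_code.ljust(0x1FE - 0x54, b"\x00") + b"\x55\xAA")
CLEAN_VBR = make_sample_vbr(b"\xFA\x33\xC0\x8E\xD0")             # stand-in for the original code
BASELINE = hashlib.sha256(parse_ntfs_vbr(CLEAN_VBR)["boot_code"]).hexdigest()
HIJACKED_VBR = make_sample_vbr(b"\x90" * 16)                     # BPB intact, bootstrap replaced
if __name__ == "__main__":
    image = bytes(2048) + CLEAN_VBR + bytes(4096) + HIJACKED_VBR  # two volumes in one fake image
    for off, findings in scan_image(image, [2048, 6656], BASELINE).items():
        print(hex(off), "clean" if not findings else "; ".join(findings))
```

On a real system the VBR offsets come from the partition table and the baseline hash from a clean reference volume; a mismatch is a lead to investigate, not proof of infection on its own.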

“The group appears to be organised and will do what is needed to stay ahead of the security controls that may be in place to detect or block their malicious activity,” Crowder said.

Crowder said that a multilayered defence would be the best way for a user to avoid infection.

Tim Erlin, director of security and product management at Tripwire, said the industry should be prepared for the inevitable evolution of malware. “While it's important to work on tools to detect specific malware, implementing tools to identify suspicious changes in the environment provides a solid defence in depth strategy. Even the stealthiest malware has an objective, most often making changes in the environment or moving data across the network to accomplish it. Security teams should be working to identify these behaviours, in addition to installing more basic detective tools.”