31 December 2019

FIN7 uses new BIOLOAD loader to install Carbanak backdoor on infected devices

The financially motivated cybercriminal group known as FIN7 has updated its arsenal with a new toy designed to load fresh variants of the Carbanak backdoor on compromised systems. Dubbed BIOLOAD, the malware has a low detection rate and shares some similarities with BOOSTWRITE, another loader in FIN7's toolkit, according to a recent blog post from Fortinet's threat research team.

The group has been active since late 2015 and mainly targets businesses worldwide to steal payment card information. FIN7 is believed to have hit more than 100 US companies, most of them in the restaurant and hospitality industries, among others.

The malware relies on a technique called binary planting (DLL search order hijacking), which abuses the order in which Windows searches for the DLLs a program needs to load. The researchers found the hijack in FaceFodUninstaller.exe, a legitimate binary that exists on clean Windows installations starting with Windows 10 version 1803. The executable depends on winbio.dll, which normally resides in the parent directory (%WINDIR%\System32).

“What makes this executable even more attractive in the eyes of an attacker is the fact that it is started from a built-in scheduled task named FODCleanupTask, thereby minimizing the footprint on the machine and reducing the chances of detection even further. This demonstrates the group’s ongoing technological research efforts,” the researchers wrote.

The attackers place the loader file (WinBio.dll) in the "\System32\WinBioPlugIns" folder, the executable's own directory, which Windows searches before System32 under the default DLL search order, so the planted copy is loaded instead of the legitimate one. As the researchers noted, planting a file there requires elevated privileges on the victim's machine, such as an administrator or SYSTEM account.
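The following host triage script is an added example and is not code from the Fortinet research or from FIN7's tooling. It checks for the specific placement described above (a WinBio.dll sitting next to FaceFodUninstaller.exe), compares it with the legitimate copy in System32, generalises the check to any DLL in WinBioPlugIns that shadows a same-named System32 DLL, and reports the scheduled task that launches the host binary. It assumes the task is registered under \Microsoft\Windows\HelloFace\ (it searches by name, so a different path is still reported) and that it is run from an elevated PowerShell on Windows 10 1803 or later.

```powershell
# Added example (not from the Fortinet post or FIN7 tooling): triage for a planted WinBio.dll
# beside FaceFodUninstaller.exe, a sweep for other shadowing DLLs, and the triggering task.
# ASSUMPTION: FODCleanupTask lives under \Microsoft\Windows\HelloFace\; looked up by name anyway.

$sys32     = Join-Path $env:WINDIR 'System32'
$pluginDir = Join-Path $sys32 'WinBioPlugIns'
$hostExe   = Join-Path $pluginDir 'FaceFodUninstaller.exe'
$legitDll  = Join-Path $sys32 'winbio.dll'     # where the dependency normally resolves
$planted   = Join-Path $pluginDir 'WinBio.dll' # application directory: searched first

function Get-DllFacts {
    param([Parameter(Mandatory)][string]$Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Path      = $Path
        SizeBytes = $item.Length
        Modified  = $item.LastWriteTimeUtc
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SigStatus = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    }
}

if (-not (Test-Path -LiteralPath $hostExe)) {
    Write-Warning "FaceFodUninstaller.exe not found; this build does not ship the host binary."
    return
}

# 1. The specific artifact: a WinBio.dll sitting next to the host executable.
if (Test-Path -LiteralPath $planted) {
    $bad  = Get-DllFacts $planted
    $good = if (Test-Path -LiteralPath $legitDll) { Get-DllFacts $legitDll } else { $null }
    Write-Warning "WinBio.dll present in $pluginDir (shadows System32\winbio.dll):"
    $bad | Format-List
    if ($good -and $good.SHA256 -eq $bad.SHA256) {
        Write-Output "Byte-identical to the System32 copy; probably benign, but still explain how it got there."
    } else {
        Write-Warning "Differs from the legitimate DLL (or is unsigned): acquire the file for analysis."
    }
} else {
    Write-Output "No WinBio.dll in $pluginDir."
}

# 2. Generalisation: every DLL in the plugin directory whose name also exists in System32.
#    Any hit is a search-order hijack candidate; the signature columns tell you how worried to be.
Get-ChildItem -LiteralPath $pluginDir -Filter '*.dll' -File -ErrorAction SilentlyContinue |
    Where-Object { Test-Path -LiteralPath (Join-Path $sys32 $_.Name) } |
    ForEach-Object { Get-DllFacts $_.FullName } |
    Format-Table Path, SigStatus, Signer, Modified -AutoSize

# 3. The trigger: the built-in task that starts the host binary, and when it last fired.
$task = Get-ScheduledTask -TaskName 'FODCleanupTask' -ErrorAction SilentlyContinue
if ($task) {
    $info = $task | Get-ScheduledTaskInfo
    [pscustomobject]@{
        TaskPath    = $task.TaskPath
        Execute     = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        RunsAs      = $task.Principal.UserId
        State       = $task.State
        LastRunTime = $info.LastRunTime
        LastResult  = $info.LastTaskResult
    } | Format-List
} else {
    Write-Output "FODCleanupTask is not registered on this host."
}
```

For fleet-wide telemetry rather than a one-off check, the equivalent signal is an image-load event (Sysmon Event ID 7) where the loading image is FaceFodUninstaller.exe and the loaded module path ends in WinBioPlugIns\WinBio.dll; on a clean host that module only ever loads from System32.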

The BIOLOAD samples examined by the team were compiled in March and July 2019, while the BOOSTWRITE samples were compiled in May. BIOLOAD differs from BOOSTWRITE in several respects: it does not support multiple payloads, it uses XOR rather than the ChaCha cipher to decrypt the payload, and it does not contact a remote server to obtain the decryption key, instead deriving the key from the victim machine's name.
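The per-victim keying described above is what makes each BIOLOAD sample specific to one machine. The script below is an added illustration of that idea and its consequence for analysts, not BIOLOAD's actual code: the key derivation (ASCII bytes of the upper-cased computer name) and the hostnames are assumptions made for the example, since the page does not describe the real derivation. What it demonstrates is the triage step that does carry over: trying candidate hostnames from an asset inventory against the encrypted blob and accepting only the one that yields a structurally valid PE image (an MZ header whose e_lfanew points at a PE signature), which rejects near-miss keys that a bare MZ check would pass.

```powershell
# Added example, NOT BIOLOAD's real scheme. ASSUMPTION: key = ASCII of the upper-cased
# computer name; hostnames below are invented. The payload is a constructed PE-like stub.

function Get-HostKey {
    param([Parameter(Mandatory)][string]$ComputerName)
    return ,[System.Text.Encoding]::ASCII.GetBytes($ComputerName.ToUpperInvariant())
}

function Invoke-XorBytes {
    # XOR is symmetric: the same call encrypts and decrypts.
    param([Parameter(Mandatory)][byte[]]$Data, [Parameter(Mandatory)][byte[]]$Key)
    $out = New-Object byte[] $Data.Length
    for ($i = 0; $i -lt $Data.Length; $i++) {
        $out[$i] = $Data[$i] -bxor $Key[$i % $Key.Length]
    }
    return ,$out
}

function Test-PeImage {
    # Structural check: 'MZ' at 0, e_lfanew at 0x3C pointing inside the buffer at 'PE\0\0'.
    # Stronger than checking 'MZ' alone: keys sharing a prefix with the right one survive that.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    if ($Bytes.Length -lt 0x40) { return $false }
    if ($Bytes[0] -ne 0x4D -or $Bytes[1] -ne 0x5A) { return $false }
    $e_lfanew = [BitConverter]::ToInt32($Bytes, 0x3C)
    if ($e_lfanew -lt 0x40 -or ($e_lfanew + 4) -gt $Bytes.Length) { return $false }
    return ($Bytes[$e_lfanew] -eq 0x50 -and $Bytes[$e_lfanew + 1] -eq 0x45 -and
            $Bytes[$e_lfanew + 2] -eq 0 -and $Bytes[$e_lfanew + 3] -eq 0)
}

# Constructed stand-in for a payload: DOS header with e_lfanew = 0x40 and a PE signature there.
$fakePayload = New-Object byte[] 80
$fakePayload[0] = 0x4D; $fakePayload[1] = 0x5A                      # 'MZ'
[BitConverter]::GetBytes([int32]0x40).CopyTo($fakePayload, 0x3C)    # e_lfanew
$fakePayload[0x40] = 0x50; $fakePayload[0x41] = 0x45                # 'PE\0\0'

# "Build" the loader blob for one target machine (assumed hostname).
$targetHost = 'WS-FINANCE-07'
$blob = Invoke-XorBytes -Data $fakePayload -Key (Get-HostKey $targetHost)

# Triage: which machine was this sample built for? Try inventory hostnames against the blob.
foreach ($candidate in @('DC01', 'WS-FINANCE-06', 'WS-FINANCE-07')) {
    $plain   = Invoke-XorBytes -Data $blob -Key (Get-HostKey $candidate)
    $verdict = if (Test-PeImage $plain) { 'valid PE recovered (intended target)' } else { 'garbage' }
    '{0,-15} -> {1}' -f $candidate, $verdict
}
```

Two practical notes. First, a repeating XOR key leaks wherever the plaintext is zero, and real PE files have long zero-padded stretches, so an analyst who lacks the hostname can often read the key straight out of the blob and then match it against the inventory. Second, the same property cuts the other way for defenders: a sample recovered from one host will not decrypt on a sandbox with a different name, so dynamic analysis has to either rename the sandbox or patch the derivation.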

The BIOLOAD loader was used in attacks to deliver the latest versions of the Carbanak backdoor that, according to their timestamps, were compiled in January and April of 2019.

“This is the first public case of FaceFodUninstaller.exe being abused as a host process by a threat actor. The shared codebase with recent tools attributed to FIN7, together with the same techniques and backdoor, allows us to attribute this new loader to the cybercrime group. The timestamps, together with simpler functionality, suggest BIOLOAD is a preceding iteration of BOOSTWRITE. Since the loader is specifically built for each targeted machine and requires administrative permissions to deploy, it suggests the group gathers information about its targets’ networks,” the researchers noted.
