Developers Club geek daily blog

2 years, 10 months ago
Specialists of the FireEye company published data on a butkit under the name BOOTRASH which is used by cybergroup with the name FIN1. FIN1 resorts to use of different malicious software under the general name Nemesis for a compromise of banks and payment terminals. FireEye specifies that the cybergroup uses the mechanism of infection of system at the level of sectors of the hard drive, compromising the known structure of Volume Boot Record (VBR) in which data structures of file system and a code of the loader are located.

Specialists of FireEye found new butkit

The so-called platform of malefactors of Nemesis includes a set of different files and tools, including the keylogger, tools of a file transfer, capture of screenshots and management of the working processes. All these tools are used by malefactors for theft of financial information at banks and payment terminals.

Specialists of FireEye found new butkit
Fig. Loading process of OS in the system (hijack the system boot process) compromised with BOOTRASH. The part of a malicious code of an early stage of loading is located in own file system of malicious software under the name Virtual File System (VFS) which is located behind data of volume.

For storage of the files Nemesis, BOOTRASH uses a free space between disk partitions for the organization of the file system. For the rest, the behavior of BOOTRASH a little in what differs from normal butkit about which we wrote earlier. Such important files necessary for its functioning as vbr.bin, vbs.bin, and also bootldr.sys are stored in file system of a butkit. Other performed and data files can be stored both in VFS, and as binary data in the section of the register HKCU\.Default\Identities. In the table such components are provided below.

Specialists of FireEye found new butkit

Storage of files of a malicious application in sectors of the hard drive and the organization of own file system represents a good method of concealment of the presence both for the user's eyes, and in relation to AV scanners and security-products which specialize in the analysis of file systems. Nevertheless, the majority of such products are able to scan on presence of a malicious code both MBR, and VBR today, recovering a necessary bootstrap-code or a code of the loader in these critical sectors. Having lost the code in these important sectors, butkit loses a possibility of execution of further operations, including, activation of payload that is bad news to malefactors.

Dropper BOOTRASH has the following MD5 identifier: 372f1e4d2d5108bbffc750bb0909fc49.

This article is a translation of the original post at
If you have any questions regarding the material covered in the article above, please, contact the original author of the post.
If you have any complaints about this article or you want this article to be deleted, please, drop an email here:

We believe that the knowledge, which is available at the most popular Russian IT blog, should be accessed by everyone, even though it is poorly translated.
Shared knowledge makes the world better.
Best wishes.

comments powered by Disqus