Security researchers have discovered a new tool used by the FIN7 hacking group to install new versions of its Carbanak backdoor. The malware loader, called BIOLOAD, looks much like BOOSTWRITE, another tool recently linked to FIN7. The researchers note that the loader is not easily detected.
Abuse of legitimate Windows mechanisms
Fortinet's security platform blocked malicious payloads running inside legitimate Windows processes. Specifically, it detected a malicious DLL loaded by FaceFodUninstaller.exe.
"What makes the executable attractive to an intruder is the fact that it is started by an inbuilt task called FODCleanupTask. This reduces the chances of detection," said Fortinet.
The attacker places the malicious WinBio.dll in the "\System32\WinBioPlugIns" folder, which hosts the legitimate winbio DLL.
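Because the loader sits in the same folder as the genuine DLL, a detection cannot rely on the file path alone; what separates the two is the signature. The following is an added example, not code from the article or from Fortinet, that runs a simple rule over constructed Sysmon Event ID 7 (ImageLoad) records and flags any winbio.dll loaded by FaceFodUninstaller.exe that is not a validly Microsoft-signed binary. The field names (Image, ImageLoaded, Signed, Signature, SignatureStatus) are Sysmon's; the log lines themselves are fabricated.

```python
import json
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 7 (ImageLoad) records in JSON-lines form, as a
# log shipper would emit them. All values are fabricated for this example;
# nothing here is a real indicator of compromise.
SAMPLE_LOGS = r"""
{"EventID":7,"Image":"C:\\Windows\\System32\\FaceFodUninstaller.exe","ImageLoaded":"C:\\Windows\\System32\\WinBioPlugIns\\winbio.dll","Signed":"true","Signature":"Microsoft Windows","SignatureStatus":"Valid"}
{"EventID":7,"Image":"C:\\Windows\\System32\\FaceFodUninstaller.exe","ImageLoaded":"C:\\Windows\\System32\\WinBioPlugIns\\WinBio.dll","Signed":"false","Signature":"","SignatureStatus":"Unavailable"}
{"EventID":7,"Image":"C:\\Windows\\System32\\FaceFodUninstaller.exe","ImageLoaded":"C:\\Windows\\System32\\ntdll.dll","Signed":"true","Signature":"Microsoft Windows","SignatureStatus":"Valid"}
{"EventID":7,"Image":"C:\\Windows\\System32\\svchost.exe","ImageLoaded":"C:\\Windows\\System32\\WinBioPlugIns\\winbio.dll","Signed":"true","Signature":"Microsoft Windows","SignatureStatus":"Valid"}
{"EventID":1,"Image":"C:\\Windows\\System32\\FaceFodUninstaller.exe","ParentImage":"C:\\Windows\\System32\\svchost.exe","CommandLine":"FaceFodUninstaller.exe"}
"""

HOST_BINARY = "facefoduninstaller.exe"   # signed Windows binary abused as the loader host
HIJACKED_DLL = "winbio.dll"              # DLL name the attacker's loader impersonates

def basename(win_path: str) -> str:
    """Case-folded file name of a Windows path."""
    return PureWindowsPath(win_path).name.lower()

def is_microsoft_signed(event: dict) -> bool:
    """True only when Sysmon saw a valid signature whose signer is Microsoft."""
    return (event.get("Signed", "").lower() == "true"
            and event.get("SignatureStatus") == "Valid"
            and "microsoft" in event.get("Signature", "").lower())

def find_sideload(log_text: str) -> list:
    """Return (image_loaded, reason) tuples for suspicious winbio.dll loads."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 7:          # only image-load events matter here
            continue
        if basename(ev["Image"]) != HOST_BINARY or basename(ev["ImageLoaded"]) != HIJACKED_DLL:
            continue
        if is_microsoft_signed(ev):
            continue                         # the genuine Windows DLL: benign
        findings.append((ev["ImageLoaded"],
                         f"{HOST_BINARY} loaded {HIJACKED_DLL} without a valid Microsoft signature"))
    return findings

if __name__ == "__main__":
    for path, reason in find_sideload(SAMPLE_LOGS):
        print(f"ALERT {path}: {reason}")
```

Only the second record trips the rule; the genuine, Microsoft-signed winbio.dll and the unrelated loads pass through.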
As noted above, the new BIOLOAD loader closely resembles the BOOSTWRITE tool. According to Fortinet, the analyzed BIOLOAD samples appeared in March and July 2019, while BOOSTWRITE was found in May.
There are, however, some differences between the two loaders. For example, BIOLOAD does not support multiple payloads, and it uses XOR rather than the ChaCha cipher to decrypt its payload.
Although BIOLOAD has been in use for 9 months, it is still not easily detected: only 9 of the 68 antivirus engines on the VirusTotal scanning platform flag WinBio.dll as malicious.
The payload installed on the compromised systems is a newer version of the Carbanak backdoor.
Based on the code, the techniques and the backdoor itself, Fortinet attributes BIOLOAD to the FIN7 hacking group.
This is further proof that FIN7 keeps developing new tools to deliver its backdoors.