

Windows Pre-Boot Malware Puts Financial Industry At Risk


Post by Pedro-NF »


Security researchers from FireEye discovered Windows pre-boot malware (or bootkit) on the machines of a customer from the financial transactions market. FireEye believes the malware belongs to a financial crime group from Russia, called FIN1.

"We identified the presence of a financially motivated threat group that we track as FIN1, whose activity at the organisation dated back several years", FireEye reported. "The threat group deployed numerous malicious files and utilities, all of which were part of a malware ecosystem referred to as 'Nemesis' by the malware developer(s)."

A "bootkit" can infect lower-level system components, which makes identifying it quite difficult. It’s also highly persistent and will not be removed by re-installing the Windows operating system. The malware supports a wide array of backdoors and capabilities, which include file transfer, screen capture, keystroke logging, process injection, process manipulation, and task scheduling support.

Once a target computer is infected with the Nemesis malware, it can be further updated to include more hacking tools and functionality. In early 2015, the FIN1 group updated Nemesis to include a utility that modifies the Volume Boot Record (VBR) and hijacks the system boot process to begin loading malware components before Windows system code. FireEye called this utility BOOTRASH.

Source: Tom's Hardware
https://www.fightdogmeat.com
http://dr.loudness-war.info

"Was he crazy!"
"Yeah, in a very special way. An Irishman."

(Once Upon A Time In The West, 1968)
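
One way to check for the kind of VBR modification described in the post, as an added example that is not part of the original post or of FireEye's tooling: it hashes each partition's boot region in a raw disk image and compares the result with hashes recorded from a known-good state. MBR partitioning, 512-byte sectors, a 16-sector boot region and the constructed sample image are assumptions made for the example.

```python
import hashlib
import struct

SECTOR = 512       # assumed sector size
VBR_SECTORS = 16   # assumed boot-region length (NTFS $Boot); adjust per filesystem

def partition_starts(mbr: bytes) -> list[int]:
    """Start LBAs of the non-empty primary partitions listed in an MBR sector."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature: not an MBR sector")
    starts = []
    for i in range(4):                       # four 16-byte entries at offset 446
        entry = mbr[446 + 16 * i:462 + 16 * i]
        lba = struct.unpack_from("<I", entry, 8)[0]
        if entry[4] != 0 and lba != 0:       # partition type 0 means unused slot
            starts.append(lba)
    return starts

def vbr_hashes(image: bytes) -> dict[int, str]:
    """Map each partition's start LBA to the SHA-256 of its boot region."""
    hashes = {}
    for lba in partition_starts(image[:SECTOR]):
        region = image[lba * SECTOR:(lba + VBR_SECTORS) * SECTOR]
        if len(region) < VBR_SECTORS * SECTOR:
            raise ValueError(f"image truncated inside the VBR at LBA {lba}")
        hashes[lba] = hashlib.sha256(region).hexdigest()
    return hashes

def changed_vbrs(image: bytes, baseline: dict[int, str]) -> list[int]:
    """LBAs whose boot region is new, missing, or differs from the baseline."""
    current = vbr_hashes(image)
    return sorted(lba for lba in current.keys() | baseline.keys()
                  if current.get(lba) != baseline.get(lba))

def build_sample_image(vbr_patch: bytes = b"") -> bytes:
    """Constructed 64-sector test image: one NTFS-type partition at LBA 8."""
    image = bytearray(64 * SECTOR)
    struct.pack_into("<B3xB3xII", image, 446, 0x80, 0x07, 8, 56)
    image[510:512] = b"\x55\xaa"
    image[8 * SECTOR + 3:8 * SECTOR + 11] = b"NTFS    "
    start = 8 * SECTOR + 0x54                # arbitrary offset inside the boot sector
    image[start:start + len(vbr_patch)] = vbr_patch
    return bytes(image)

if __name__ == "__main__":
    baseline = vbr_hashes(build_sample_image())          # known-good state
    suspect = build_sample_image(vbr_patch=b"\xff\xff")  # two bytes altered
    print("modified VBRs at LBA:", changed_vbrs(suspect, baseline))
```

Run a check like this against an image acquired offline, since code that loads before Windows is in a position to influence what the running system reports. A mismatch needs triage rather than an automatic verdict, because reformatting or repartitioning also changes the boot region.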
