Pierluigi Paganini
December 08, 2015
Experts at FireEye have discovered a new strain of malware designed to steal payment card data. Nothing new, you are probably saying, but this malware dubbed Nemesis is very difficult to detect and remove.
FireEye has identified the threat actor behind the new Nemesis malware, it is the hacking crews FIN1, which is suspected of being a group of criminals from Russia.
The FIN1 criminal gang has been known to target financial institutions worldwide, it used the Nemesis malicious code to compromise an unknown organization that processes financial transactions.
Organizations in the retail industry who manage payment card data are privileged targets of cyber criminal gangs, Target, Home Depot, Neiman Marcus are just a names of illustrious victims of the cyber crime.
Nemesis belong to the family of malware identified as bootkit, BIOS bootkits was mentioned when Snowden disclosed the catalog of surveillance tools used by the NSA ANT division, these malware are able to compromise the BIOS of the victim’s machine ensuring persistence and implementing sophisticated evasion techniques.
“In September, Mandiant Consulting identified a financially motivated threat group targeting payment card data using sophisticated malware that executes before the operating system boots. This rarely seen technique, referred to as a ‘bootkit’, infects lower-level system components making it very difficult to identify and detect.” states FireEye in a blog post“The malware’s installation location also means it will persist even after re-installing the operating system, widely considered the most effective way to eradicate malware.”
Even when the operating system is reinstalled, the bootkit can remain in place.
“Malware with bootkit functionality can be installed and executed almost completely independent of the Windows operating system,” the post continues.
In early 2015, the FIN1 threat actors added to its arsenal a utility that modifies the legitimate system Volume Boot Record (VBR) and hijacks the system boot process, in this way the criminals ensure the loading of the Nemesis malware before the Windows operating system. The utility was called by the experts at FireEye BOOTRASH, the only way to detect it is to use a raw disk scanner.
“Similarly, re-installing the operating system after a compromise is no longer sufficient. System administrators should perform a complete physical wipe of any systems compromised with a bootkit and then reload the operating system.”
The experts at FireEye Mandiant have found the bootkit by using a tool called Mandiant Intelligent Response (MIR) that allows for raw disk access and scan.
(Security Affairs – Nemesis malware, cybercrime)
