The financially-motivated cybercriminal group known as FIN7 has updated it arsenal with a new toy designed to load fresh variants of the Carbanak backdoor on compromised systems. Dubbed BIOLOAD, the malware has a low detection rate and shares some similarities with BOOSTWRITE, another loader in FIN7’s toolkit, according to a latest blog post from Fortinet’s threat research team.
The group has been active since late 2015 and mainly concentrates on targeting businesses worldwide to steal payment card information. FIN7 is believed to have hit more than 100 US companies, most of them in the restaurant, hospitality, and industries.
The malware relies on a technique called binary planting (DLL search order hijacking) that abuses a method used by Windows to search for DLLs required to load into a program. Researchers found a malicious DLL in FaceFodUninstaller.exe binary that exists on clean Windows OS installations starting Windows 10 1803. The executable is dependent on winbio.dll, which is usually found in the parent directory (“%WINDR%\System32”).
“What makes this executable even more attractive in the eyes of an attacker is the fact that it is started from a built-in scheduled task named FODCleanupTask, thereby minimizing the footprint on the machine and reducing the chances of detection even further. This demonstrates the group’s ongoing technological research efforts,” the researchers wrote.
The attackers inject the loader file (WinBio.dll) in the "\System32\WinBioPlugIns" folder, thus leveraging the default DLL search order. As researchers noted, in order to plant the malware the attacker needed to have elevated privileges on the victim’s machine such as administrator or a SYSTEM account.
The samples of BIOLOAD loader examined by the team were compiled in March and July 2019, while the samples of BOOSTWRITE were compiled in May. The BIOLOAD loader somewhat differs from BOOSTWRITE in functionality, namely it does not support multiple payloads and uses XOR to decrypt the payload instead of the ChaCha cipher, also it doesn’t connect to a remote server to obtain the decryption key instead deriving the decryption key from the victims’ name.
The BIOLOAD loader was used in attacks to deliver the latest versions of the Carbanak backdoor that, according to their timestamps, were compiled in January and April of 2019.
“This is the first public case of FaceFodUninstaller.exe being abused as host process by a threat actor. The shared codebase with recent tools attributed to FIN7, together with the same techniques and backdoor, allows to attribute this new loader to the cybercrime group. The timestamps, together with simpler functionality, suggest BIOLOAD is a preceding iteration of BOOSTWRITE. Since the loader is specifically built for each targeted machine and requires administrative permissions to deploy, it suggests the group gathers information about its targets’ networks,” the researchers noted.
