Researchers at Fortinet discovered a new method of planting a Carbanak backdoor on a victim’s system via a loader called BIOLOAD. The malware is attributed to the infamous cybercrime group Fin7 and builds on the group’s earlier technique, BOOSTWRITE.
A DLL is a library file that holds code shared by several programs on Windows. Because the operating system locates DLLs through a predictable search order, attackers abuse this by placing a malicious DLL where it will be found before the legitimate one. This technique is known as binary planting and can give attackers further access into the host system.
Hiding Within Legitimate Files
Uncovered by Fortinet’s research group, the abused executable is FaceFodUninstaller.exe, which lives in the legitimate directory System32\WinBioPlugIns and loads WinBio.dll from there. This path is the legitimate location for winbio.
They found this while blocking the malicious payloads with their enSilo endpoint security platform. They said, “What makes this executable even more attractive in the eyes of an attacker is the fact that it is started from a built-in scheduled task named FODCleanupTask, thereby minimizing the footprint on the machine and reducing the chances of detection even further”.
Fortinet reports that the BIOLOAD samples were compiled in March and July this year, according to timestamps in their code. Further, as this DLL doesn’t support multiple payloads, it decrypts its embedded payload with a simple XOR rather than the ChaCha cipher. And since each sample is customised for a specific victim, BIOLOAD doesn’t contact a remote server for a decryption key; instead the key depends on the name of the machine it is infecting.
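A quick way for a defender to check a Windows host for the planting spot described above, as an added example that is not from the Fortinet write-up. It assumes an elevated PowerShell session and that a stock install keeps winbio.dll in System32 itself rather than in the plug-in directory; the file, directory and task names come from the article.

```powershell
# Added example, not code from the Fortinet write-up: audit the binary-planting
# spot the article describes, on a Windows host, from an elevated PowerShell.
# File, directory and task names are taken from the article. Assumption: on a
# stock install winbio.dll lives in System32 itself, so a WinBio.dll inside
# the WinBioPlugIns directory is unexpected and worth a second look.
$plugDir  = Join-Path $env:SystemRoot 'System32\WinBioPlugIns'
$genuine  = Join-Path $env:SystemRoot 'System32\winbio.dll'
$findings = @()

# 1. Every DLL beside FaceFodUninstaller.exe is a candidate for planting,
#    because the application's own directory is searched before System32.
Get-ChildItem -Path $plugDir -Filter *.dll -ErrorAction SilentlyContinue |
  ForEach-Object {
    $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
    $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    $note = "signature=$($sig.Status)"
    $flag = $sig.Status -ne 'Valid'           # unsigned or tampered DLL
    if ($_.Name -ieq 'WinBio.dll') {          # the name BIOLOAD hides behind
        $flag = $true
        if (Test-Path $genuine) {
            $same  = (Get-FileHash -Path $genuine -Algorithm SHA256).Hash -eq $hash
            $note += "; identical to System32\winbio.dll=$same"
        }
    }
    $findings += [pscustomobject]@{
        Suspicious = $flag; Item = $_.Name; Detail = $note; Sha256 = $hash
    }
  }

# 2. Record what the built-in FODCleanupTask launches; that scheduled task is
#    what hands the planted DLL a trusted, periodic start.
$task = Get-ScheduledTask -TaskName 'FODCleanupTask' -ErrorAction SilentlyContinue
if ($task) {
    $findings += [pscustomobject]@{
        Suspicious = $false
        Item       = 'FODCleanupTask'
        Detail     = "state=$($task.State); runs=$($task.Actions.Execute) $($task.Actions.Arguments)"
        Sha256     = ''
    }
}

# Suspicious rows first; hashes can be compared against vendor indicators.
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

A clean host should list only validly signed plug-in DLLs and no WinBio.dll in that directory; anything flagged deserves a hash lookup and a look at who wrote the file.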
Connecting To Fin7
This technique is attributed to the well-known hacking group Fin7. The group is interested directly in money rather than data and has a record of hacking many banks for it.
The approach BIOLOAD takes is attributed to BOOSTWRITE, a similar loader that carries an encrypted DLL payload. The final aim of these planted DLLs is to deploy a Carbanak backdoor, which lets the attackers gain admin access and do whatever they want.
The techniques BIOLOAD uses, such as not contacting remote servers and piggybacking on FODCleanupTask, make the malware hard to detect. It is so well hidden that, at present, only 22 of the 60+ antivirus engines on VirusTotal flag it as harmful.