Malicious Boot loaders

Cybercriminals are always looking for new ways to infect systems – ideally without being noticed until it’s too late. The sky is the limit for their creativity, as the latest wave of malicious boot loaders shows. The kit has been pioneered by Brazilian Trojan bankers who aim to remove security software.

This non-traditional infection only affects systems using ntldr, the default boot loader on Windows NT up to and including Windows XP and Windows Server 2003. This choice was no coincidence – XP is still the most popular OS in several countries, including Brazil, where it runs on nearly 47% of all machines.

A tiny 10 KB malicious file flagged as Trojan-Downloader.Win32.VB.aoff, linked in an e-mail, starts the infection. It downloads two new files hosted at Amazon WS Cloud – xp-msantivirus (1.83 MB) and xp-msclean (7.4 MB) – to the system, renames the legitimate ntldr to ntldr.old and finally installs a new file as a malicious boot manager: an edited version of GRUB configured to run the file menu.lst:

The malicious boot loader called ntldr: a modified copy of GRUB

At boot time, the file menu.lst is responsible for calling the file xp-msantivirus:

Content of the file menu.lst. The message says: “Initializing Microsoft Malicious Software Removal Tool”

The files xp-msantivirus and xp-msclean are *nix boot images specially prepared by the criminals to remove certain security files during the boot. Not surprisingly, the main targets are files belonging to a very popular security plug-in used by Brazilian banks called GBPlugin, installed on around 23 million machines. The malicious boot loader also aims to remove files from Microsoft Security Essentials, Windows Defender, and others:

Once the infection is completed, the Trojan forces the system to reboot…

“Windows Update is rebooting your system to complete the installation of Critical Security Updates”

…and all the changes take place. The malicious boot loader displays some fake messages, claiming to be the Microsoft Malicious Software Removal Tool:

“Malicious Software Removal Tool (KB890830) Do not turn off or disconnect the machine until the end of this process”

To justify the long boot time, another message is displayed that states the system is infected and “malicious files” are being removed:

“Please wait while the operation is performed. Do not turn off or reboot your computer.

ATTENTION: virus-infected files were found on your computer. The virus removal process has started. This process may take a while, depending on the quantity of infected virus files found. Don’t turn off or reboot your machine during this process, wait for its completion and your computer will be rebooted automatically.”

Finally, when the boot process ends, the malicious boot loader erases itself and sets the clean ntldr as active – its mission is accomplished, and a Trojan banker flagged as Trojan-Downloader.Win32.Banload.bqmv remains running on the infected machine, ready to steal Internet banking credentials.

Of course, all these malicious changes to the system are made easier by other factors, such as running the OS under an administrative account. The malicious boot loader is detected by Kaspersky Antivirus as Trojan.Boot.Burg.a.
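The chain above leaves a small set of file-system indicators on the system drive: a GRUB binary sitting where ntldr should be, the renamed ntldr.old, a menu.lst at the drive root, and the two boot images. The following triage script is an added example, not Kaspersky's code or part of the original post. It assumes that a GRUB Legacy build carries readable marker strings such as "GRUB" and "stage2" (a genuine ntldr does not), that the artefacts live at the drive root as described, and that some residue may survive even after the loader restores the clean ntldr. The sample directory it builds is constructed data for offline demonstration.

```python
"""Offline triage for the ntldr-replacement chain described in the post.

Added example with constructed sample data; marker strings and file
locations are assumptions stated in the comments, not findings from the post.
"""
import os
import tempfile

# Artefact names taken from the post: the renamed original loader, the GRUB
# menu the fake loader reads, and the two boot images it downloads.
RESIDUE_FILES = ("ntldr.old", "menu.lst", "xp-msantivirus", "xp-msclean")
BOOT_IMAGES = ("xp-msantivirus", "xp-msclean")

# Assumption (not from the post): a GRUB Legacy build contains readable ASCII
# strings such as "GRUB" and "stage2"; a genuine ntldr should contain none.
# A hit is a strong signal, not proof; confirm with a hash or vendor detection.
GRUB_MARKERS = (b"GRUB", b"stage2")


def ntldr_looks_like_grub(path, max_bytes=1 << 20):
    """True if the loader at `path` carries any GRUB marker string."""
    if not os.path.isfile(path):
        return False
    with open(path, "rb") as fh:
        blob = fh.read(max_bytes)
    return any(marker in blob for marker in GRUB_MARKERS)


def parse_menu_lst(text):
    """Minimal GRUB Legacy menu parser: one dict per `title` block, holding
    the kernel/initrd lines that follow it."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "title":
            current = {"title": value.strip(), "kernel": [], "initrd": []}
            entries.append(current)
        elif key in ("kernel", "initrd") and current is not None:
            current[key].append(value.strip())
    return entries


def triage_root(root):
    """Collect the chain's indicators found under a system-drive root."""
    findings = {
        "ntldr_is_grub": ntldr_looks_like_grub(os.path.join(root, "ntldr")),
        "residue": [n for n in RESIDUE_FILES
                    if os.path.isfile(os.path.join(root, n))],
        "suspicious_entries": [],
    }
    menu = os.path.join(root, "menu.lst")
    if os.path.isfile(menu):
        with open(menu, encoding="utf-8", errors="replace") as fh:
            for entry in parse_menu_lst(fh.read()):
                loads = " ".join(entry["kernel"] + entry["initrd"])
                if any(img in loads for img in BOOT_IMAGES):
                    findings["suspicious_entries"].append(entry["title"])
    return findings


def build_constructed_root(infected=True):
    """Create a throwaway directory mimicking the root of drive C:, either
    mid-infection (fake GRUB ntldr plus residue) or clean. Constructed data."""
    root = tempfile.mkdtemp(prefix="burg-demo-")

    def write(name, data):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

    if infected:
        # Constructed stand-in for a GRUB Legacy stage1 blob with its strings.
        write("ntldr", b"\xeb\x48\x90" + b"\x00" * 64
              + b"GRUB \x00Geom\x00Hard Disk\x00Read\x00 Error" + b"\x00" * 64)
        write("ntldr.old", b"MZ" + b"\x00" * 128)      # renamed real loader
        write("xp-msantivirus", b"\x00" * 256)          # downloaded boot image
        write("menu.lst", (
            "timeout 0\n"
            "default 0\n"
            "title Initializing Microsoft Malicious Software Removal Tool\n"
            "kernel (hd0,0)/xp-msantivirus\n"
        ).encode())
    else:
        write("ntldr", b"MZ" + b"\x00" * 128)            # ordinary NT loader
    return root


if __name__ == "__main__":
    print(triage_root(build_constructed_root(infected=True)))
    print(triage_root(build_constructed_root(infected=False)))
```

On a real machine you would point `triage_root` at the system drive root rather than the constructed directory; because the loader restores the clean ntldr once its job is done, a negative `ntldr_is_grub` result alone does not clear the host, which is why the residue and menu.lst checks run independently.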

Thanks to my colleague Vyacheslav Zakorzhevsky for the help.
