
The Chinese bootkit

We recently discovered a new bootkit, i.e. a malicious program which infects the hard drive’s boot sector. Kaspersky Lab detects it as Rootkit.Win32.Fisp.a. The bootkit is distributed by Trojan-Downloader.NSIS.Agent.jd. The Trojan infects the computers of users who try to download a video clip from a fake Chinese porn site.

This downloader is remarkable in that it fetches the other malicious programs using an NSIS engine, with all the download links stored in the corresponding NSIS script.

Fragment of the NSIS script for Trojan-Downloader.NSIS.Agent.jd

The dropper Rootkit.Win32.Fisp.a is among the files downloaded by the Trojan-downloader. This malicious program infects the hard drive’s boot sector. More specifically, it saves the old MBR to the third sector and replaces it with its own. Starting with the fourth sector, it installs an encrypted driver and the remaining code.

Fragment from the start of the hard disk infected by Rootkit.Win32.Fisp.a

The malicious program gains control as soon as the infected computer boots. The first thing it does is hook the INT 13h interrupt handler by modifying the interrupt vector table. Then the bootkit restores the original MBR and resumes the normal boot process.
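The on-disk layout described above (the original MBR parked in the third sector, the bootkit's own loader in sector 0) lends itself to a simple forensic check on a raw disk image. The following is an added example, not code from the original post or from Kaspersky; the sample sectors are constructed and the heuristic is my own assumption about what the layout looks like, not a signature for Fisp:

```python
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"

def is_mbr_like(sector: bytes) -> bool:
    """True if the sector carries a boot signature and a plausible partition table."""
    if len(sector) != SECTOR or sector[510:512] != MBR_SIGNATURE:
        return False
    entries = [sector[446 + 16 * i:462 + 16 * i] for i in range(4)]
    if any(e[0] not in (0x00, 0x80) for e in entries):   # boot indicator byte
        return False
    return any(e != bytes(16) for e in entries)          # at least one partition

def check_displaced_mbr(image: bytes) -> dict:
    """Compare LBA 0 with LBA 2 of a raw disk image (at least the first 3 sectors)."""
    lba0, lba2 = image[:SECTOR], image[2 * SECTOR:3 * SECTOR]
    result = {
        "lba0_is_mbr": is_mbr_like(lba0),
        "lba2_is_mbr": is_mbr_like(lba2),
        "same_partition_table": lba0[446:510] == lba2[446:510],
        "same_boot_code": lba0[:446] == lba2[:446],
    }
    # A bootable MBR parked in the third sector that shares the partition table of
    # LBA 0 but not its boot code matches the Fisp layout described in the text.
    result["suspicious"] = (result["lba2_is_mbr"] and result["same_partition_table"]
                            and not result["same_boot_code"])
    return result

def make_mbr(boot_code: bytes, partition_table: bytes) -> bytes:
    """Assemble a 512-byte MBR from boot code (<=446 bytes) and a 64-byte table."""
    return boot_code.ljust(446, b"\x00") + partition_table + MBR_SIGNATURE

# Constructed sample data (not from a real infection): one active NTFS partition.
PART_TABLE = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                         b"\xfe\xff\xff", 2048, 204800) + bytes(48)
ORIGINAL_MBR = make_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 20, PART_TABLE)
BOOTKIT_MBR = make_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\xcc" * 20, PART_TABLE)

CLEAN_IMAGE = ORIGINAL_MBR + bytes(SECTOR) * 3
INFECTED_IMAGE = BOOTKIT_MBR + bytes(SECTOR) + ORIGINAL_MBR + bytes(SECTOR)

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_IMAGE), ("infected", INFECTED_IMAGE)):
        print(name, check_displaced_mbr(img))
```

On a real system the same check can be run over the first few sectors read from the physical disk, since a boot-time hook on INT 13h does not affect what the disk later returns to the operating system's own read path.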

Once a specific part of the system has been booted, the bootkit hooks the kernel function ExVerifySuite. The installed hook replaces the system driver fips.sys with the malicious driver that was written, in encrypted form, to the start of the hard drive. It should be noted that fips.sys is not required for the operating system to run correctly, so the system does not crash when it is replaced.

Launched processes are intercepted by the malicious driver using PsSetLoadImageNotifyRoutine. The hook parses the PE header of the loaded image and inspects the ‘Security’ entry of the ‘DataDirectory’ array, i.e. the image’s Authenticode certificate data. The driver contains a list of strings (see below) that occur in the processes of popular antivirus programs. If any of these strings is found, the driver modifies the entry point of the loaded image, so the image can no longer function properly.

Beijing Rising Information Technology
AVG Technologies
Trend Micro
Symantec Corporation
Kaspersky Lab
ESET, spol
Beijing Jiangmin
Kingsoft Software
Keniu Network Technology (Beijing) Co
Qizhi Software (beijing) Co,

The driver’s main function is to inject into the explorer.exe process an alternative version of Rootkit.Win32.Fisp.a which has downloader functionality. This component sends a request to its server reporting information about the victim computer: operating system, IP address, MAC address etc.

http://ab.*****.com:8081/tj.aspx?a=Windows XP Service Pack 2&b=

Example of the request sent to server

The malicious program subsequently downloads modifications of Trojan-Dropper.Win32.Vedio.dgs and Trojan-GameThief.Win32.OnLineGames.boas to the victim computer.

The description outlined above can be summarized in the following diagram:

Kaspersky Lab products successfully detect and neutralize Rootkit.Win32.Fisp.a.
