A previously undetected FIN7 BIOLOAD loader drops new Carbanak Backdoor

Experts uncovered a new tool dubbed BIOLOAD used by the FIN7 cybercrime group used as a dropper for a new variant of the Carbanak backdoor.

Security experts from Fortinet’s enSilo have discovered a new loader, dubbed BIOLOAD, associated with the financially-motivated group FIN7.

The group that has been active since late 2015 targeted businesses worldwide to steal payment card information. Fin7 is suspected to have hit more than 100 US companies, most of them in the restaurant, hospitality, and industries.

In August 2018, three members of the notorious cybercrime gang have been indicted and charged with 26 felony counts of conspiracy, wire fraud, computer hacking, access device fraud and aggravated identity theft.

The BIOLOAD loader shares similarities with BOOSTWRITE, another loader associated with the FIN7 group that is able to drop the malware directly in memory.

The loader implements the binary planting technique, a DLL hijacking method, to load malicious code into a legitimate program.

Fortinet’s enSilo researchers found a malicious DLL in FaceFodUninstaller.exe binary that exists on clean Windows OS installations starting Windows 10 1803.

Experts discovered that attackers planted a malicious WinBio.dll in the “\System32\WinBioPlugIns” folder where the legitimate DLL ‘winbio‘ is located.

“What makes this executable even more attractive in the eyes of an attacker is the fact that it is started from a built-in scheduled task named FODCleanupTask, thereby minimizing the footprint on the machine and reducing the chances of detection even further” continues the analysis.

The samples of BIOLOAD loader analyzed by the experts were compiled in March and July 2019, while the samples of BOOSTWRITE were compiled in May.

Unlike the BOOSTWRITE loader, BIOLOAD does not support multiple payloads and uses XOR to decrypt the payload instead of the ChaCha cipher.

Another difference is that BIOLOAD doesn’t connect to a remote server to obtain the decryption key because it derives the decryption key from the victims’ name.

Experts pointed out that the BIOLOAD’s WinBio.dll is still detected by a limited number of antivirus on VirusTotal scanning platform despite it was compiled nine months ago.

The loader was used in attacks to deliver a version of the notorious Carbanak that shows timestamps from January and April 2019. Experts noticed that these new Carbanak samples implement more checks for antivirus solutions running on the infected machines than previous ones.

The analysis of the malware and the TTPs observed in the attacks suggest that BIOLOAD was developed by FIN7 cybercrime group and that it is likely a precursor of BOOSTWRITE.

“This is the first public case of FaceFodUninstaller.exe being abused as host process by a threat actor. The shared codebase with recent tools attributed to FIN7, together with the same techniques and backdoor, allows to attribute this new loader to the cybercrime group. The timestamps, together with simpler functionality, suggest BIOLOAD is a preceding iteration of BOOSTWRITE.” Fortinet concludes.

“Since the loader is specifically built for each targeted machine and requires administrative permissions to deploy, it suggests the group gathers information about its targets’ networks.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – FIN7, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]