Nemesis stealth bootkit hijacks Windows' boot process

— 4:33 PM on December 7, 2015

FireEye has uncovered a new piece of malware targeting financial institutions that it's calling Nemesis. This strain of malware is made by a group FireEye calls FIN1, and it's a particularly nasty bug. Once it's introduced to a system, Nemesis hooks into Windows' boot process while remaining next to undetectable from inside the OS. The FIN1 attackers can then exfiltrate nearly any piece of data from an infected system.

Nemesis accomplishes its nefarious task by replacing Windows' MBR. The malware first installs its own custom file system in the free space between disk partitions before hijacking the machine's MBR and redirecting the boot process through its own code. When the infected machine boots up, it also fires up Nemesis. The malware brings up its own virtual system and a number of BIOS-related hooks before passing control back to the Windows boot loader. Nemesis doesn't stop there, though—the several hooks it uses allow it to piggyback several of its components onto Windows' kernel-loading process.

According to FireEye, Nemesis' capabilities include file transfer, screen and keystroke capture, process manipulation, and task scheduling. Since Nemesis' boot code executes before Windows loads and the malware components are stored in its own virtual file system or Windows' registry, it's very hard for anti-virus packages to detect it. To make matters worse, reinstalling the operating system accomplishes nothing—only a full disk wipe will give any guarantee of removing the boot code. Nuking it from orbit is the only way to be sure.

Not all hope is lost, though. Nemesis doesn't install itself on GPT disks, and although FireEye didn't specifically say so, it's possible that UEFI Secure Boot could stop the malware dead in its tracks.

Tip: You can use the A/Z keys to walk threads.
View options

This discussion is now closed.