FIN7 is a financially motivated threat group that specializes in attacks against businesses across multiple regions. One of its notable malware families is BOOSTWRITE, and cybersecurity researchers recently uncovered another family that appears to share similarities with it, dubbed BIOLOAD. BIOLOAD serves as a Trojan loader: a piece of malware whose job is to deliver a harmful payload and execute it on the compromised host as quietly as possible.

Often, Trojan loaders accept interchangeable payloads, but BIOLOAD is different: the malware is custom-built for every system it infects. It carries a unique, encrypted payload, and the loader derives the decryption key from the compromised computer's name combined with other information embedded in the loader's file. The practical consequence is that the payload cannot be decrypted, and therefore cannot be analyzed, on any machine other than the one it was built for, unless the analyst also knows that machine's name.
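The following Python script is an added illustration of the environmental-keying technique described above; it is not BIOLOAD's code. The key derivation (PBKDF2 over the host name plus a salt embedded in the loader), the SHA-256 counter-mode keystream and the HMAC check are assumptions chosen to show the idea, not the real loader's algorithm, and the sample host name, salt and payload are constructed for the example.

```python
"""Environmental keying: the payload only decrypts on the host it was built for.

Added illustration, not BIOLOAD's code. The KDF, the keystream cipher and the
HMAC tag are assumptions chosen to demonstrate the technique; the keystream
cipher is a teaching device, not a production cipher.
"""
import hashlib
import hmac
from typing import Optional

TAG_LEN = 32  # HMAC-SHA256 tag prepended to the ciphertext


def derive_key(hostname: str, embedded_salt: bytes) -> bytes:
    """Rebuild the key from the victim's host name; the key itself is never stored."""
    # Windows host names are case-insensitive, so normalise before hashing.
    return hashlib.pbkdf2_hmac("sha256", hostname.upper().encode("utf-8"),
                               embedded_salt, 100_000)


def _keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: enough bytes to XOR against the payload."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def wrap_payload(payload: bytes, target_hostname: str, embedded_salt: bytes) -> bytes:
    """Build the per-victim blob: HMAC tag || (payload XOR keystream)."""
    key = derive_key(target_hostname, embedded_salt)
    ciphertext = bytes(p ^ k for p, k in zip(payload, _keystream(key, len(payload))))
    tag = hmac.new(key, ciphertext, "sha256").digest()
    return tag + ciphertext


def unwrap_payload(blob: bytes, hostname: str, embedded_salt: bytes) -> Optional[bytes]:
    """Decrypt only if the key derived from *this* host authenticates the blob.

    On any other host (an analyst's VM, a sandbox) the tag check fails and
    nothing is revealed: the loader simply has nothing to run.
    """
    key = derive_key(hostname, embedded_salt)
    tag, ciphertext = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, len(ciphertext))))


# Constructed sample values (hypothetical, not taken from any real sample).
EMBEDDED_SALT = bytes.fromhex("5f3a9c1e7b2d4e60a1c3e5f7091b3d5f")
TARGET_HOST = "FIN-ACCT-WS07"
PAYLOAD = b"MZ\x90\x00 stand-in for the second-stage executable"

if __name__ == "__main__":
    blob = wrap_payload(PAYLOAD, TARGET_HOST, EMBEDDED_SALT)
    print("on target host :", unwrap_payload(blob, TARGET_HOST, EMBEDDED_SALT) == PAYLOAD)
    print("on analysis VM :", unwrap_payload(blob, "SANDBOX-PC", EMBEDDED_SALT))
```

The defensive takeaway is that the sample alone is not enough: to recover the payload from a loader built this way, the responder must also record the exact host name (and the loader file itself, since part of the key material is embedded in it) from the infected machine before reimaging it.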

So far, FIN7 has used BIOLOAD to deliver just one payload: the infamous Carbanak banking Trojan. The loader could be paired with other malware families in the future, but no such use has been documented yet.

BIOLOAD executes the embedded payload by creating a new scheduled task that launches the payload 30 seconds after Windows boots. The malware also has basic anti-debugging and sandbox-evasion routines that detect environments used for malware analysis and halt the attack when one is found.
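A practitioner hunting for this persistence mechanism can check Task Scheduler definitions for tasks that fire within seconds of boot. The script below is an added example (not the article's or the malware's code): it parses Task Scheduler XML, flags tasks with a BootTrigger whose delay is at most a chosen threshold, and notes whether the launched executable lives outside the usual system directories. The two task definitions, the paths in them and the `max_delay` threshold are constructed for the example.

```python
"""Hunt for scheduled tasks that run shortly after boot.

Added example, not the article's or FIN7's code. It parses Task Scheduler XML
(the format of `schtasks /query /xml` and of the files under
C:\\Windows\\System32\\Tasks) and flags BootTrigger tasks with a short delay.
The sample task definitions below are constructed for the example.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Heuristic only: a hijacked DLL beside a legitimate binary would pass this check.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files", "%systemroot%", "%windir%")


def iso_duration_seconds(value: str) -> int:
    """Task Scheduler writes delays as ISO 8601 durations (PT30S, PT1H30M, P1D)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m:
        return -1
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def boot_triggered_tasks(task_xml: str, max_delay: int = 60) -> List[Dict]:
    """Return every Exec action of a task that runs within max_delay seconds of boot."""
    root = ET.fromstring(task_xml)
    delays = []
    for trig in root.findall("./t:Triggers/t:BootTrigger", NS):
        if trig.findtext("t:Enabled", default="true", namespaces=NS).lower() == "false":
            continue  # a disabled trigger never fires
        delays.append(iso_duration_seconds(
            trig.findtext("t:Delay", default="PT0S", namespaces=NS)))
    short = [d for d in delays if 0 <= d <= max_delay]
    if not short:
        return []
    findings = []
    for exe in root.findall("./t:Actions/t:Exec", NS):
        command = exe.findtext("t:Command", default="", namespaces=NS).strip()
        findings.append({
            "command": command,
            "arguments": exe.findtext("t:Arguments", default="", namespaces=NS),
            "delay_seconds": min(short),
            "untrusted_path": not command.lower().startswith(TRUSTED_PREFIXES),
        })
    return findings


# Constructed sample: a task that runs an executable from a user-writable
# directory 30 seconds after boot. The path is hypothetical.
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <BootTrigger>
      <Enabled>true</Enabled>
      <Delay>PT30S</Delay>
    </BootTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\Public\\Libraries\\svchost.exe</Command>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: a boot-triggered task with a long delay and a system path.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <BootTrigger>
      <Delay>PT10M</Delay>
    </BootTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\svchost.exe</Command>
      <Arguments>-k netsvcs</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, boot_triggered_tasks(xml))
```

When reading task files straight from `C:\Windows\System32\Tasks`, pass the raw bytes to `ET.fromstring` so the UTF-16 byte-order mark is honoured. The short boot delay is the primary signal here; the path check is only supporting context, since an attacker can also hijack a DLL loaded by a legitimate binary in a trusted directory.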

FIN7 has used the BIOLOAD loader in targeted attacks, and the group appears to have used reconnaissance tools to gather intelligence about its targets before deploying it.
