Hard-to-Detect Malware Infects Banks

by NewsEditor_ on December 8th, 2015 in Industry and Security News.

Researchers at FireEye have discovered a new form of malware targeting financial institutions. The malware, part of the Nemesis family of viruses, is designed to steal payment card data. It is also capable of performing a variety of malicious tasks, including unauthorized file transfers, screen capture, keylogging (recording keystrokes), process injection, process manipulation and scheduling system tasks. The security researchers who discovered the virus attribute the attack to a cybercrime group they call FIN1, “which may be located in Russia or a Russian-speaking country based on language settings in many of their custom tools.” The group is “known for stealing data that is easily monetized from financial services organizations such as banks, credit unions, ATM operations, and financial transaction processing and financial business services companies.”

A notable aspect of the malware infection is its bootkit capabilities: it surreptitiously installs itself on a hard drive and gains unauthorized access to sensitive parts of the system, in this case the 'boot' components used to start the computer. The malware runs independently of the operating system and executes its malicious code even before Windows loads, running malicious components as soon as the user hits the power button. This makes the strain difficult to detect using traditional antivirus tools. It can also remain on the hard drive after the operating system has been completely reinstalled. Infected systems require the thorough deletion of all hard drive content to eradicate the infection.

The researchers at FireEye have observed similarly complex malware used to steal intellectual property from companies in other industries. They note that, “The selective use of bootkits for persistence suggests some threat actors may have access to more sophisticated toolsets. The threat actors may selectively deploy these advanced toolsets when the victim organization is difficult to penetrate or if the targeted data is of high value and the threat actors want to ensure continued access to the compromised environment.”
