2022: Distribution in Russia
On July 27, 2022, Positive Technologies specialists warned that a particular class of malware threatening government agencies and industry had appeared in Russia: bootkits, malicious code that executes before the operating system boots.
Of the 39 bootkit families analyzed by the information security experts, at least 70% (27 families) were used in cyberattacks, and half of those (14) by APT groups such as Careto, Winnti (APT41), FIN1 and APT28. 76% of the bootkits studied were designed for outdated, insecure legacy BIOS firmware.
According to Positive Technologies, the growing popularity of bootkits among cybercriminals is fuelled by the regular discovery of vulnerabilities in firmware.
"Back in 2020, Intel stopped BIOS support, but some companies cannot quickly update their IT infrastructure or use hypervisors that recommend using BIOS by default. Because of this, bootkits for BIOS infection still do not lose their relevance. According to our assessment, government agencies and industry are more likely to face such a problem in Russia," said Yana Yurakova, an analyst at the Positive Technologies research group.
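The point above, that legacy-BIOS bootkits remain relevant wherever hosts still boot without UEFI, suggests two checks a defender can run. The script below is an added example and is not code from Positive Technologies or from the article; it assumes a Linux host, reads the Secure Boot state from the efivarfs path used by the Linux kernel, and compares the 446-byte MBR boot-code area against a baseline digest recorded on a known-clean machine. The function names and the sample MBR sectors are constructed for this illustration.

```python
"""Boot-mode and MBR-integrity checks for hosts that may still boot via legacy BIOS.

Added example (hypothetical helper names). Two checks:
  1. Parse the UEFI 'SecureBoot' variable as exposed by Linux efivarfs
     (a 4-byte attribute word followed by the variable data) and classify the
     host as legacy BIOS, UEFI with Secure Boot on, or UEFI with it off.
  2. For legacy-BIOS hosts, hash the MBR boot-code area and compare it with a
     baseline, so code replacement by an MBR bootkit shows up as a mismatch.
"""
import hashlib
import os
from pathlib import Path

# efivarfs path for the SecureBoot variable; the GUID is the UEFI global variable namespace.
SECUREBOOT_EFIVAR = Path(
    "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
)
MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes preceding the 4 x 16-byte partition table
MBR_SIGNATURE = b"\x55\xAA"   # last two bytes of a valid MBR


def parse_secureboot_efivar(raw: bytes):
    """Return True/False for the SecureBoot value, or None if the blob is too short.
    efivarfs prepends a 4-byte little-endian attribute word to the variable data."""
    if len(raw) < 5:
        return None
    return raw[4] == 1


def boot_mode(efi_dir="/sys/firmware/efi", var_path=SECUREBOOT_EFIVAR) -> str:
    """Classify the running host as 'legacy-bios', 'uefi-secureboot-on',
    'uefi-secureboot-off' or 'uefi-unknown' (variable missing or unreadable)."""
    if not os.path.isdir(efi_dir):
        return "legacy-bios"            # no EFI runtime exposed: firmware booted us via BIOS/CSM
    try:
        state = parse_secureboot_efivar(Path(var_path).read_bytes())
    except OSError:
        return "uefi-unknown"
    if state is None:
        return "uefi-unknown"
    return "uefi-secureboot-on" if state else "uefi-secureboot-off"


def mbr_boot_code_digest(mbr: bytes) -> str:
    """SHA-256 of the boot-code area of a 512-byte MBR; raises ValueError on a malformed sector."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE}-byte sector, got {len(mbr)}")
    if mbr[-2:] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    return hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest()


def check_mbr_against_baseline(mbr: bytes, baseline_digest: str) -> dict:
    """Compare the MBR boot code with a digest recorded on a known-clean system.
    The partition table and disk signature are excluded from the hash on purpose:
    they change legitimately (repartitioning) without any bootkit involvement."""
    digest = mbr_boot_code_digest(mbr)
    return {"digest": digest, "matches_baseline": digest == baseline_digest}


# Constructed sample data (not a real disk capture): a synthetic MBR whose boot code
# is 446 NOP bytes, with an empty partition table and a valid signature.
CLEAN_MBR = b"\x90" * BOOT_CODE_SIZE + b"\x00" * 64 + MBR_SIGNATURE
CLEAN_BASELINE = mbr_boot_code_digest(CLEAN_MBR)
# The same sector with its first boot-code bytes replaced, which is what an
# MBR-overwriting bootkit leaves behind and what the baseline comparison catches.
TAMPERED_MBR = b"\xEB\xFE" + CLEAN_MBR[2:]

if __name__ == "__main__":
    print("boot mode   :", boot_mode())
    print("clean MBR   :", check_mbr_against_baseline(CLEAN_MBR, CLEAN_BASELINE))
    print("tampered MBR:", check_mbr_against_baseline(TAMPERED_MBR, CLEAN_BASELINE))
    # On a real legacy-BIOS host, read the first sector of the boot disk as root,
    # e.g. open("/dev/sda", "rb").read(512), and compare it with the stored baseline.
```

A host reporting "legacy-bios" is exactly the population the article says these families target, so it is the one whose MBR should be baselined and re-checked; a UEFI host with Secure Boot off still runs unsigned boot code and warrants the same attention.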
Experts note the complexity of developing bootkits, which drives their price on the underground market. The average cost of renting a bootkit is $4,900. According to the study, for $10,000 a cybercriminal can buy the source code of a bootkit, and for $2,000 a ready-to-launch image. Attackers are willing to pay up to $5,000 to have a bootkit developed.
To deliver bootkits into an organization's infrastructure, attackers mainly use targeted phishing via email; the Mebromi and MosaicRegressor bootkits, for example, are distributed this way. Websites are another delivery vector, including the Drive-by Compromise technique: Pitou and Mebroot were delivered this way, and the cybercriminals distributing Mebroot compromised more than 1,500 web resources to host their malicious code. The FispBoot bootkit landed on devices after infection by the Trojan-Downloader.NSIS.Agent.jd Trojan, which the victim downloaded under the guise of a video.