
BIOLOAD

Posted: December 30, 2019

Financially motivated threat actors often rely on quiet, low-profile malware that lets them carry out long-term reconnaissance inside a victim's network and exfiltrate sensitive data. One of the best-known names in this sector of cybercrime is FIN7, a group that uses custom-developed malware for its operations. One of the more recent additions to its arsenal is BIOLOAD, a Trojan loader that has no malicious functionality of its own and is always used to deliver another payload. In FIN7's recent campaigns, that payload has almost always been Carbanak, the backdoor long associated with the group.

BIOLOAD's job is to get Carbanak running on the compromised host without tripping the host's defenses, and to keep it running across reboots. To that end, the loader checks for analysis and debugging environments before decrypting and executing its payload, and it creates a scheduled task so that Carbanak is launched again every time the system boots. By default, the task fires 30 seconds after Windows starts. A boot trigger with a short delay is common in legitimate tasks as well, so the trigger alone is not a reliable indicator; what distinguishes the malicious task is the binary it launches and where that binary lives.
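The persistence pattern described above is something an incident responder can triage directly from exported task definitions. The following added example is not code from this page or from any FIN7 tooling: it parses Task Scheduler XML (the format stored under C:\Windows\System32\Tasks and produced by `schtasks /query /xml`), extracts boot triggers and their delays, and flags tasks that combine a short boot delay with a command outside the usual system and vendor directories. The three task definitions, their names and their paths are constructed for the example.

```python
"""Triage Windows Scheduled Task XML for boot-time persistence with a start
delay, the pattern the article attributes to BIOLOAD.
Added example, not code from the page or from the malware. The task XML below
is constructed; every task name and path in it is hypothetical."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a boot task registered by the OS or a vendor is expected to run from.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\",
                    "c:\\program files (x86)\\")
# A boot delay up to this many seconds still counts as "short" (BIOLOAD: 30 s).
SHORT_DELAY_SECONDS = 120


def parse_delay(value):
    """Turn an ISO 8601 duration like PT30S or PT1M30S into seconds.
    Returns None for an empty value or one this parser does not understand."""
    if not value:
        return None
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value)
    if not m:
        return None
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def normalise_path(command):
    """Lower-case, unquote and expand the two common Windows variables so the
    command can be compared against TRUSTED_PREFIXES."""
    cmd = (command or "").strip().strip('"').lower()
    return cmd.replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")


def triage_task(xml_text):
    """Summarise one task: its boot-trigger delays, its commands and a verdict."""
    root = ET.fromstring(xml_text)
    name = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    delays = [parse_delay(trig.findtext("t:Delay", default="", namespaces=NS))
              for trig in root.findall("t:Triggers/t:BootTrigger", NS)]
    commands = [normalise_path(c.text)
                for c in root.findall("t:Actions/t:Exec/t:Command", NS)]
    short_boot_delay = any(d is not None and 0 < d <= SHORT_DELAY_SECONDS for d in delays)
    untrusted = [c for c in commands if not c.startswith(TRUSTED_PREFIXES)]
    return {"task": name, "boot_delays": delays, "commands": commands,
            "untrusted_commands": untrusted,
            "suspicious": short_boot_delay and bool(untrusted)}


def task_xml(uri, command, delay=None):
    """Build a minimal task definition in the Task Scheduler schema (constructed input)."""
    delay_xml = f"<Delay>{delay}</Delay>" if delay else ""
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f"<RegistrationInfo><URI>{uri}</URI></RegistrationInfo>"
        f"<Triggers><BootTrigger>{delay_xml}<Enabled>true</Enabled></BootTrigger></Triggers>"
        f"<Actions><Exec><Command>{command}</Command></Exec></Actions></Task>"
    )


# Constructed samples: one OS-style task, one delayed task launching from a
# user-writable directory, one delayed but legitimately located vendor task.
SAMPLE_TASKS = {
    "vendor_boot_task": task_xml(r"\Microsoft\Windows\Example\Maintenance",
                                 r"%SystemRoot%\System32\example.exe"),
    "delayed_boot_hijack": task_xml(r"\Microsoft\Windows\WDI\Updater",
                                    r"C:\Users\Public\Libraries\updater.exe", "PT30S"),
    "delayed_vendor_task": task_xml(r"\Vendor\AgentStart",
                                    r'"C:\Program Files\Vendor\agent.exe"', "PT1M"),
}


def flagged_tasks(tasks=SAMPLE_TASKS):
    """Names of the tasks whose triage verdict is suspicious."""
    return sorted(k for k, xml in tasks.items() if triage_task(xml)["suspicious"])


if __name__ == "__main__":
    for key, xml in SAMPLE_TASKS.items():
        print(key, triage_task(xml))
    print("flagged:", flagged_tasks())
```

On a live host the same functions can be fed the files under C:\Windows\System32\Tasks one by one; the trusted-prefix list is deliberately conservative, so a task that launches a legitimate system binary with unusual arguments still needs a manual look at the Arguments element.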

FIN7 Utilizes BIOLOAD to Deliver the Carbanak Trojan

One notable trait of this loader is that every copy is built for a specific victim: the embedded payload is encrypted with a key derived from data gathered on the target machine, so the same sample will not decrypt its payload anywhere else. This is only possible if the attackers already hold hardware and software details about the victim before the loader is deployed, which strongly suggests that BIOLOAD and Carbanak arrive after FIN7 has profiled the environment with other reconnaissance tools. For defenders it also means that a sample pulled from one host cannot simply be detonated in a sandbox; an analyst has to supply the values from the victim machine to reproduce the decryption.
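To show why the per-victim keying matters for analysis, the following added example (not BIOLOAD's own code; the fingerprint fields, the key derivation, the toy stream cipher and tag, and the host values are all assumptions made for illustration) encrypts a stand-in payload for one host and then attempts to load it on that host and on a generic sandbox. Only the host whose values were baked into the build recovers the payload; an analyst who wants the payload out of a real sample has to replay it with the victim's values in the same way.

```python
"""Why a per-victim loader build cannot simply be detonated elsewhere.
Added example, not BIOLOAD's code: the fingerprint fields (hostname and volume
serial), the SHA-256 key derivation, the HMAC-SHA256 keystream and tag, and
the sample host values are all assumptions made for illustration."""
import hashlib
import hmac

TAG_LEN = 16  # truncated HMAC over the plaintext; a wrong key fails this check


def fingerprint(hostname, volume_serial):
    """Host-specific material the loader would collect at run time (assumed fields)."""
    return f"{hostname.lower()}|{volume_serial:08x}".encode()


def derive_key(hostname, volume_serial):
    """Payload key derived from the fingerprint; a different host gives a different key."""
    return hashlib.sha256(b"demo-loader-v1|" + fingerprint(hostname, volume_serial)).digest()


def keystream(key, length):
    """HMAC-SHA256 in counter mode, a stand-in for whatever cipher the real loader uses."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(payload, hostname, volume_serial):
    """Attacker side: encrypt the payload for one specific victim."""
    key = derive_key(hostname, volume_serial)
    tag = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    body = bytes(p ^ k for p, k in zip(payload, keystream(key, len(payload))))
    return tag + body


def load(blob, hostname, volume_serial):
    """Loader side: recover the payload only if the host matches; None otherwise."""
    key = derive_key(hostname, volume_serial)
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    plain = bytes(c ^ k for c, k in zip(body, keystream(key, len(body))))
    expected = hmac.new(key, plain, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return plain


# Constructed values: a stand-in payload and the victim host the build targets.
PAYLOAD = b"MZ" + b"stand-in for the Carbanak payload, not a real binary"
VICTIM = ("FIN-WS042", 0x3A7F11C2)
SANDBOX = ("SANDBOX-PC", 0x00000001)
SEALED = seal(PAYLOAD, *VICTIM)


def replay(hostname, volume_serial, blob=SEALED):
    """Run the loader logic against a given host; an analyst passes the victim's values."""
    return load(blob, hostname, volume_serial)


if __name__ == "__main__":
    print("victim  :", replay(*VICTIM))
    print("sandbox :", replay(*SANDBOX))
```

The integrity tag is what makes the behaviour deterministic: without it a wrong key would still produce bytes, just meaningless ones, and the loader would have to guess whether they form a valid executable. The same tag also means that brute-forcing the host values is the only route to the payload when the victim's data is not available.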

Reputable anti-malware products detect known BIOLOAD and Carbanak samples and remain a necessary layer of defense, but because each BIOLOAD build is keyed to its target, signature matching alone should not be relied on. Reviewing scheduled tasks that run at boot and the binaries they launch, and watching for the reconnaissance activity that precedes this stage, gives defenders a better chance of catching the intrusion before the payload is in place.
