Malware "Nemesis (Nemesis)" that hijacks PC startup process and continues to infect with stealth permanently

ByBrian Klug

When the security research firm FireEye was investigating a company that handled the financial industry, it became clear that the hacker corps "FIN 1" to attack using malware was found. FIN 1 is a hacker corps that is based in Russia and extracts information on banks and credit cardsNemesis(Nemesis) "It seems that they are attacking companies that run financial services industry using malware.

Thriving Beyond The Operating System: Financial Threat Group Targets Volume Boot Record «Threat Research | FireEye Inc
https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html

"Nemesis" malware hijacks PC's boot process to gain stealth, persistence | Ars Technica
http://arstechnica.com/security/2015/12/nemesis-malware-hijacks-pcs-boot-process-to-gain-stealth-persistence/

The terrible thing about the malware nemesis used by FIN 1 is not only the ability to transfer files, key input history, screen shot shot, but also code that loads and runs the OS is storedVolume Boot RecordIt has the ability to illegally modify it. By modifying the volume boot record, Nemesis can complete the infection before the OS starts, it is difficult for the user to detect it, and it is difficult to delete it with normal antivirus software I will. Furthermore, since Nemesis exists in the lower hierarchy of the hard disk, it is not deleted even when the OS is initialized or reinstalled, it is extremely malignant malware.


Nemesis's attack procedure is to boot off the OS, use an installer called BOOTRASH to spread malicious components to multiple systems, take over the BIOS, connect to the vector table, block queries in memory, BOOTRASH volume / Continue booting the OS in the boot record. Also, while the OS is loaded, by instructing to access the loader's memory and change the CPU from the real mode to the protect mode, BOOTRASH changes every time the CPU mode is changedIDT(Interrupt Descriptor Table) to be able to connect.

A security researcher at FireEye says, "Malware implementing the boot kit like Nemesis is a big problem to infect and attack on parts independent of the Windows OS.It discovers Nemesis and completely It is necessary to check the hard disk with a special tool in order to remove it. "When a user without special knowledge gets infected, it is more likely that even infection is not noticed.

ByJeff Kubina

Nemesis's code is stored in the virtual file system or registry and it is difficult to detect with Normal Antivirus,GUID partition tableIt is said that it will not be installed on PC using. Nemesis enters a new category as a virus, and concerns are rising that it will become a major threat in the future in the financial services industry.