1. Home
  2. Software
  3. BOOTRASH

BOOTRASH

BOOTRASH is a Bootkit that targets Windows operating systems. It has been used by threat actors that target the financial sector.[1][2][3]

ID: S0114
Type: MALWARE
Platforms: Windows
Contributors: Christopher Glyer, Mandiant, @cglyer
Version: 1.1
Created: 31 May 2017
Last Modified: 09 June 2021
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1564 .005 Hide Artifacts: Hidden File System

BOOTRASH has used unallocated disk space between partitions for a hidden file system that stores components of the Nemesis bootkit.[2]
Enterprise T1542 .003 Pre-OS Boot: Bootkit

BOOTRASH is a Volume Boot Record (VBR) bootkit that uses the VBR to maintain persistence.[1][2][3]

References

  1. Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved March 5, 2019.
  2. Andonov, D., et al. (2015, December 7). Thriving Beyond The Operating System: Financial Threat Group Targets Volume Boot Record. Retrieved May 13, 2016.
  1. Glyer, C.. (2017, June 22). Boot What?. Retrieved May 4, 2020.