Security Affairs
Hidden Tenda Router Backdoor Grants Admin Access, No Patch Available|AI-Generated Malware Powers New Armored Likho APT Campaign|Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks|Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|Seven Bugs in FatFs Put IoT and Embedded Devices at Risk|Bad Epoll Flaw Gives Attackers Root Access on Linux and Android|Medtronic Notifies 3.8 Million After ShinyHunters Data Breach|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 104|Security Affairs newsletter Round 584 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Hidden Tenda Router Backdoor Grants Admin Access, No Patch Available|AI-Generated Malware Powers New Armored Likho APT Campaign|Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks|Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|Seven Bugs in FatFs Put IoT and Embedded Devices at Risk|Bad Epoll Flaw Gives Attackers Root Access on Linux and Android|Medtronic Notifies 3.8 Million After ShinyHunters Data Breach|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 104|Security Affairs newsletter Round 584 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Nemesis, a bootkit used to steal payment card data

Nemesis is a new strain of malware, very hard to detect and remove, designed to steal payment card data and implementing bootkit functionalities. Experts at FireEye have discovered a new strain of malware designed to steal payment card data. Nothing new, you are probably saying, but this malware dubbed Nemesis is very difficult to detect […]

Prilex Pos malware

Stolen credit card data are sold on underground markets, along with the malware and tools the thieves need to steal the data themselves.

Nemesis is a new strain of malware, very hard to detect and remove, designed to steal payment card data and implementing bootkit functionalities.

Experts at FireEye have discovered a new strain of malware designed to steal payment card data. Nothing new, you are probably saying, but this malware dubbed Nemesis is very difficult to detect and remove.

FireEye has identified the threat actor behind the new Nemesis malware, it is the hacking crews FIN1, which is suspected of being a group of criminals from Russia.

The FIN1 criminal gang has been known to target financial institutions worldwide, it used the Nemesis malicious code to compromise an unknown organization that processes financial transactions.

Nemesis malware

Organizations in the retail industry who manage payment card data are privileged targets of cyber criminal gangs, TargetHome DepotNeiman Marcus are just a names of illustrious victims of the cyber crime.

Nemesis belong to the family of malware identified as bootkit, BIOS bootkits was mentioned when Snowden disclosed the catalog of surveillance tools used by the NSA ANT division, these malware are able to compromise the BIOS of the victim’s machine ensuring persistence and implementing sophisticated evasion techniques.

“In September, Mandiant Consulting identified a financially motivated threat group targeting payment card data using sophisticated malware that executes before the operating system boots. This rarely seen technique, referred to as a ‘bootkit’, infects lower-level system components making it very difficult to identify and detect.” states FireEye in a blog post“The malware’s installation location also means it will persist even after re-installing the operating system, widely considered the most effective way to eradicate malware.”

Even when the operating system is reinstalled, the bootkit can remain in place.

“Malware with bootkit functionality can be installed and executed almost completely independent of the Windows operating system,” the post continues.

In early 2015, the FIN1 threat actors added to its arsenal a utility that modifies the legitimate system Volume Boot Record (VBR) and hijacks the system boot process, in this way the criminals ensure the loading of the Nemesis malware before the Windows operating system. The utility was called by the experts at FireEye BOOTRASH, the only way to detect it is to use a raw disk scanner.

“Similarly, re-installing the operating system after a compromise is no longer sufficient. System administrators should perform a complete physical wipe of any systems compromised with a bootkit and then reload the operating system.”

The experts at FireEye Mandiant have found the bootkit by using a tool called Mandiant Intelligent Response (MIR) that allows for raw disk access and scan.

Pierluigi Paganini

(Security Affairs – Nemesis malware, cybercrime)