S0114 BOOTRASH
BOOTRASH is a bootkit that targets Windows operating systems. It has been used by threat actors that target the financial sector.[1][2][3]
| Item | Value |
|---|---|
| ID | S0114 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 31 May 2017 |
| Last Modified | 09 June 2021 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.005 | Hidden File System | BOOTRASH has used unallocated disk space between partitions for a hidden file system that stores components of the Nemesis bootkit.[2] |
| enterprise | T1542 | Pre-OS Boot | - |
| enterprise | T1542.003 | Bootkit | BOOTRASH is a Volume Boot Record (VBR) bootkit that uses the VBR to maintain persistence.[1][2][3] |
References
- [1] Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved March 5, 2019.
- [2] Andonov, D., et al. (2015, December 7). Thriving Beyond The Operating System: Financial Threat Group Targets Volume Boot Record. Retrieved May 13, 2016.
- [3] Glyer, C. (2017, June 22). Boot What?. Retrieved May 4, 2020.