- Can't be uninstalled via Control Panel
BIOLOAD is a stealthy infection that users of Windows operating systems need to be very cautious about. It appears to belong to the FIN7 hacking group, which is probably best known for the Carbanak malware. Carbanak is aimed at financial institutions, and once it slithers in, it can be used to steal money from online banking platforms and from physical ATMs; the group has been known to make compromised ATMs dispense cash while its accomplices waited nearby. Carbanak matters here because BIOLOAD is a loader whose job is to get Carbanak running on the victim's machine. Another FIN7 loader worth mentioning is BOOSTWRITE, which is also known to drop Carbanak as well as the RDFSNIFFER malware. Clearly, FIN7 keeps adding tools to its arsenal, which lets the group carry out more sophisticated and less predictable attacks. Every infection coming from this group requires attention and removal, but in this report we focus on how to delete BIOLOAD. If you are interested in learning more, continue reading.
Although BOOSTWRITE is the infection BIOLOAD most resembles, the two loaders do have some differences. The most important thing to note is how BIOLOAD gets a legitimate Microsoft Windows process to run its payload: DLL search order hijacking, in which a trusted executable ends up loading a malicious DLL instead of the genuine one. BIOLOAD abuses winbio.dll, the Windows Biometric Framework library (BOOSTWRITE uses the same trick with a different library, Dwrite.dll). The genuine winbio.dll lives in %WINDIR%\System32\, but the attackers drop a malicious file with the same name, WinBio.dll, into the %WINDIR%\System32\WinBioPlugIns\ folder, right next to a legitimate executable that imports that library by name. Because Windows looks in the application's own directory before System32, the wrong file is found first, and the operating system is tricked into running the attacker's code. Needless to say, a file cannot be added to that folder by just anyone: the attacker must already have administrative privileges on the machine. That means other threats, the ones that handed the attackers those privileges in the first place, are likely to be present on the operating system at the same time. In that case it is not enough to remove the loader; the entire system has to be examined and cleared of malware.
BIOLOAD carries its malicious payload encrypted inside WinBio.dll, and once it is on the targeted system it decrypts that payload with an XOR routine whose key differs from one infected computer to the next, so a sample copied to another machine is not readily decrypted. The legitimate executable that loads WinBio.dll is FaceFodUninstaller.exe, which lives in the same WinBioPlugIns folder; this appears to be the first time that executable has been abused by malware. FaceFodUninstaller.exe is launched by a built-in Windows scheduled task, so the attacker does not need to do much to start the chain of events the attack relies on. Once the executable runs, a log file is written to the %TEMP% directory, and the scheduled task is then modified so that the malware starts running shortly after the system boots. To avoid breaking the program it hijacks, the malicious DLL loads the real winbio.dll when its exported function WinBioGetEnrolledFactors is called; in the genuine library, that function collects biometric enrollment information. If the Trojan succeeds, it loads Carbanak, and the attackers can proceed with the later stages of the operation to steal money and compromise the environment further. Undoubtedly, this is a clever attack, and, unfortunately, only well-protected systems can withstand it.
Operating systems that are not reliably protected are the easiest for BIOLOAD, BOOSTWRITE and other malicious infections to invade. If this loader has been detected, the victim is most likely also dealing with Carbanak and other extremely dangerous threats that require immediate attention. Time is precious once such infections are found, so victims are advised to use anti-malware software that can remove BIOLOAD, Carbanak and any other threats that are likely to exist, all at once. That said, if you have the time to research and delete threats one by one, we offer a manual removal guide that explains how to delete the Trojan. Keep in mind that the malicious .DLL file carries the same name as the legitimate library it impersonates, so be careful to delete the copy in WinBioPlugIns and not the genuine one in System32. If you are not sure that you can tell them apart, you should not take on this task. In the future, always keep your system protected and never skip updates, because unpatched vulnerabilities can be exploited by cybercriminals. Speaking of updates, remember that Windows 7 is no longer supported by Microsoft and is therefore left vulnerable.
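Before deleting anything by hand, it helps to confirm that the hijack described above is actually in place. The script below is an added triage example written for this page; it is not code from the original article, from FortiGuard's research or from FIN7's tooling. It only reads: it reports whether a WinBio.dll sits in the WinBioPlugIns folder, whether that file carries a valid Authenticode signature and matches the genuine System32 copy, and which scheduled tasks launch FaceFodUninstaller.exe. The folder and file names come from the text; the assumption that a genuine Microsoft library would be validly signed is ours. Run it from an elevated PowerShell prompt on Windows 10 or later (Get-ScheduledTask is not available on Windows 7).

```powershell
# Added example (not from the original article): read-only check for the
# BIOLOAD-style search-order hijack of winbio.dll and for the scheduled task
# that launches FaceFodUninstaller.exe. Nothing is deleted or modified.
# Assumed facts: paths and file names as given in the article above.

$pluginDir = Join-Path $env:WINDIR 'System32\WinBioPlugIns'
$genuine   = Join-Path $env:WINDIR 'System32\winbio.dll'
$suspect   = Join-Path $pluginDir 'WinBio.dll'

function Get-SuspectWinBio {
    # winbio.dll belongs in System32. FaceFodUninstaller.exe lives in
    # WinBioPlugIns and imports winbio.dll by name, and the loader searches the
    # application's own directory before System32, so a file of that name in
    # WinBioPlugIns is suspicious simply by being there. Returns $null when absent.
    if (-not (Test-Path -LiteralPath $suspect)) { return $null }

    $sig  = Get-AuthenticodeSignature -FilePath $suspect
    $hash = (Get-FileHash -LiteralPath $suspect -Algorithm SHA256).Hash
    $refH = if (Test-Path -LiteralPath $genuine) {
                (Get-FileHash -LiteralPath $genuine -Algorithm SHA256).Hash
            } else { $null }

    [pscustomobject]@{
        Path            = $suspect
        SignatureStatus = $sig.Status                  # NotSigned / HashMismatch = red flag
        Signer          = $sig.SignerCertificate.Subject
        SHA256          = $hash
        SameAsSystem32  = ($null -ne $refH -and $refH -eq $hash)
        CreatedUtc      = (Get-Item -LiteralPath $suspect).CreationTimeUtc
    }
}

function Get-FaceFodTask {
    # Every scheduled task whose action launches FaceFodUninstaller.exe.
    # The article says BIOLOAD edits this task so the loader runs soon after
    # boot, so an unexpected trigger type or a recent LastRunTime is notable.
    Get-ScheduledTask | Where-Object {
        @($_.Actions | Where-Object { $_.Execute -like '*FaceFodUninstaller*' }).Count -gt 0
    } | ForEach-Object {
        $info = $_ | Get-ScheduledTaskInfo
        [pscustomobject]@{
            Task     = $_.TaskPath + $_.TaskName
            State    = $_.State
            Triggers = (@($_.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ', ')
            LastRun  = $info.LastRunTime
            NextRun  = $info.NextRunTime
        }
    }
}

$finding = Get-SuspectWinBio
if ($null -eq $finding) {
    Write-Host "No WinBio.dll in $pluginDir - the search-order hijack is not present."
} else {
    Write-Host "WinBio.dll found in $pluginDir - treat it as hostile until proven otherwise:"
    $finding | Format-List
}

Write-Host "Scheduled tasks that launch FaceFodUninstaller.exe:"
Get-FaceFodTask | Format-Table -AutoSize
```

A clean machine reports no WinBio.dll in the plug-in folder at all; a hit with SignatureStatus other than Valid, or a hash that does not match the System32 copy, is the file the removal guide tells you to delete. Record the SHA256 before removing it, since a FIN7 loader on the box means the rest of the system needs a full examination, not just this one file.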