
Mebromi BIOS Rootkit

Mebromi is a trojan that contains several rootkits and is sold on underground markets. Discovered in 2011, it appears to be the first active malware able to infect the BIOS and Master Boot Record (MBR).  It was recently discussed at Defcon 2018.

Mebromi infects systems via a dropper, but at the time of writing it is not known how the dropper is distributed. The dropper checks whether the system is running certain security software before loading a kernel-mode driver to gain access to the BIOS. A legitimate BIOS flash tool is then used to overwrite the BIOS.

Whether or not the BIOS infection succeeds, the dropper stores a copy of the partition table before injecting malicious code into Windows components during start-up to infect the MBR. This results in additional malware being downloaded. Mebromi uses a kernel-mode rootkit to hide the MBR infection from the user, and if the BIOS was successfully compromised the MBR infection is restored at every system start-up.

Affected Platforms

  • Microsoft Windows – All versions

Indicators of Compromise

SHA256 File Hashes

  • 4ae3d901632868f6a14297245c69e6f57f9650cf384138fae5ccb4d006ba39ba
  • 7936deb5e6a236e8dce91352d0617e3db3bbe0fbaeba5fb08bbeac7590338c4d
  • 8802ad7f2d267b754afef8fd81fe8e5f0ecc13e7f69b82e89e980922d94291ba
  • da68cee30d2cf328db04b12e9eef02cf76363a0fa5e4cfc29619f8f8d0d7345d

MD5 File Hashes

  • b3106dbfb3ab114755af311883f33697
  • bb5511a6586ba04335712e6c65e83671

URLs

  • alchemistowl[.]org
  • dh.3515[.]info
  • neohapsis[.]com
  • pmeglider[.]com
  • ssi.gouv[.]fr

Filenames

  • C:\my.sys
  • %Temp%\cbrom.exe – legitimate BIOS flash tool
  • hook.rom
  • flash.dll
  • bios.sys
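As an added defender-side example (not code from the original post), the following Python sweeps a directory for the file hashes and filenames listed above and fingerprints a 512-byte MBR image so that a rewritten boot code can be told apart from a changed partition table, which is the pattern described in the infection chain. Reading the live MBR (for example from \\.\PhysicalDrive0) needs administrative rights and is left to the caller; bytes 440-445 (disk signature) are deliberately ignored.

```python
import hashlib
from pathlib import Path

# Indicators copied from the advisory above.
MEBROMI_SHA256 = {
    "4ae3d901632868f6a14297245c69e6f57f9650cf384138fae5ccb4d006ba39ba",
    "7936deb5e6a236e8dce91352d0617e3db3bbe0fbaeba5fb08bbeac7590338c4d",
    "8802ad7f2d267b754afef8fd81fe8e5f0ecc13e7f69b82e89e980922d94291ba",
    "da68cee30d2cf328db04b12e9eef02cf76363a0fa5e4cfc29619f8f8d0d7345d",
}
MEBROMI_MD5 = {"b3106dbfb3ab114755af311883f33697", "bb5511a6586ba04335712e6c65e83671"}
MEBROMI_FILENAMES = {"my.sys", "cbrom.exe", "hook.rom", "flash.dll", "bios.sys"}


def sweep(root, sha256_iocs=MEBROMI_SHA256, md5_iocs=MEBROMI_MD5,
          name_iocs=MEBROMI_FILENAMES):
    """Walk `root`; return (path, reason) for each file matching an indicator.
    A filename hit alone is weak evidence (cbrom.exe is a legitimate tool), so
    the reason string lets the caller weigh name hits below hash hits."""
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        if p.name.lower() in name_iocs:
            hits.append((str(p), "filename match"))
        data = p.read_bytes()
        if hashlib.sha256(data).hexdigest() in sha256_iocs:
            hits.append((str(p), "sha256 match"))
        elif hashlib.md5(data).hexdigest() in md5_iocs:
            hits.append((str(p), "md5 match"))
    return hits


def mbr_fingerprint(sector):
    """Digest the boot code (bytes 0-439) and the partition table (446-509)
    of a 512-byte MBR separately; the disk signature at 440-445 is skipped."""
    if len(sector) != 512 or sector[510:] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    return {"boot_code": hashlib.sha256(sector[:440]).hexdigest(),
            "partition_table": hashlib.sha256(sector[446:510]).hexdigest()}


def compare_mbr(baseline, current):
    """Classify the change between two MBR images. Boot code rewritten while
    the partition table is preserved is the pattern the advisory describes."""
    b, c = mbr_fingerprint(baseline), mbr_fingerprint(current)
    if b == c:
        return "clean"
    if b["partition_table"] == c["partition_table"]:
        return "boot code changed, partition table intact"
    return "partition table changed"
```

Store the fingerprint of a known-good MBR at build time and run compare_mbr against a fresh dump on a schedule; a "boot code changed" result on a machine whose partition layout has not changed is worth an immediate look.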

Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
