Starting with version 4.3, PT Sandbox can now detect bootkits. Positive Technologies studied this dangerous type of malware1 and found that bootkits are gaining in popularity among cybercriminals. For example, APT2 groups such as Careto, Winnti (APT41), and FIN1 are increasingly using them in targeted and mass attacks. Bootkits run before the operating system loads and help other malicious programs to infiltrate the system unnoticed. PT Sandbox features a special bootkitmon plugin that detects bootkits at all stages of their malicious activity and can discover both the older BIOS bootkits and the new UEFI bootkits like Mosaic Regressor, TrickBoot, and FinSpy.
"New firmware vulnerabilities are being discovered on a regular basis, opening new attack vectors for cybercriminals. This also spurs development of bootkits that allow attackers to successfully penetrate corporate IT infrastructure and stay hidden for a long time," comments Alexey Vishnyakov, Head of Malware Detection at Positive Technologies. "PT Sandbox detects bootkits not only at the initial infection stage, but also while the system boots after restart, when the bootkit unleashes its payload. A special analysis mode enables PT Sandbox users to monitor the boot process, catch bootkits in the act, and obtain detailed information about their behavior. Detecting bootkits at this stage lets you neutralize them before they can cause any damage."
PT Sandbox 4.3 is already available to users. Get a free trial with a pilot project here. To upgrade from a previous version, contact Positive Technologies partners or technical support.
- In the summer of 2022, Positive Technologies analyzed all 39 known bootkit families, including both proof-of-concept and real-world bootkits used by attackers from 2005 to 2021. The study revealed that half of all bootkits are used in targeted attacks, and that attackers are now using them in mass attacks as well, despite the high cost of bootkit development.
- Advanced persistent threat, a sophisticated targeted attack.