What is BIOLOAD?

Can you name an infection that impersonates a legitimate Microsoft .DLL file to carry out malicious actions? BIOLOAD is an infection that is capable of doing just that. This malware sneakily plants its own binary next to an authentic binary, and then it uses it to drop malware. More specifically, we are talking about Carbanak, a dangerous banking Trojan that has, in the past, cleaned out money from online banking systems and even ATMs. The sneaky infection we are talking about in this report was most likely created to target banks and very specific systems. Could regular Windows users be affected? Perhaps, if the attackers employing it change tactics. Ultimately, when it comes to malware and cybercriminals, unpredictability is the only predictable thing, and so we would not reject the possibility that pretty much anyone could face the threat. Obviously, regardless of whether you are a banker or a stay-at-home mom, you need to remove BIOLOAD. Continue reading for removal tips.

How does BIOLOAD work?

BIOLOAD belongs to FIN7, a hacking group that has employed Trojans, RATs, backdoors, and other types of malware to carry out its attacks. This hacking group is also associated with BOOSTWRITE, an infection that has many similarities with the Trojan in discussion. Both of these threats employ binary planting to abuse legitimate Microsoft Windows processes and perform attacks using them. The two infections, however, exploit different binaries. BIOLOAD relies on “winbio.dll,” which is a Windows Biometrics Client API file created by Microsoft. It is an essential component, and it must not be deleted. Therefore, if you are inexperienced but are trying to remove the Trojan manually, you have to be extremely cautious so as not to remove the wrong file. The malicious .DLL file planted by the Trojan is also called “WinBio.dll,” and it is placed in the %WINDIR%\System32\WinBioPlugIns\ folder, where it gets picked up in place of the legitimate library. The file can only be placed in this folder if the attacker has administrative privileges. Inside the file, an encrypted payload can be found, and the Trojan uses a unique XOR key to decrypt it.

Once the payload is decrypted, BIOLOAD should load Carbanak, a dangerous banking Trojan capable of messing with systems operating in financial institutions. Also known as Anunak, this Trojan can log keystrokes, capture screenshots, monitor HTTP traffic, download .exe files, wipe the MBR (master boot record), reboot the operating system, delete files, update and remove backdoors, and perform other actions that could help cybercriminals gather information, hijack accounts, destroy systems, and perform theft. Needless to say, this malware requires immediate removal, and victims might first focus on this threat instead of BIOLOAD, BOOSTWRITE, or any other infection capable of dropping it onto the infected machines. It goes without saying that all infections require immediate removal because they are all dangerous. Regardless of which one of these threats is found first, it is crucial to inspect the operating system to figure out which other infections might be active. We advise eliminating them all at once using legitimate anti-malware software.

How to delete BIOLOAD

Removing BIOLOAD and the threats that are associated with this Trojan manually is not something that our research team recommends doing. All threats are extremely dangerous, and every single one of them has to be handled right away. Researching threats and then deleting all of their malware components takes time. You can follow the guide below to learn how to eliminate BIOLOAD, but depending on what other threats exist, you will have to seek out additional removal guides, and following them might be much more difficult. Without a doubt, manual removal is the difficult option. If you do not want to risk your virtual security further, or if you simply do not have the necessary experience, we recommend installing anti-malware software. It will automatically inspect the system, identify threats, and also conduct removal. Unfortunately, a lot of damage control might have to take place afterward, but successful removal of active threats is a step in the right direction.

Removal Instructions

  1. Launch Windows Explorer by tapping Win+E keys.
  2. Enter %WINDIR%\System32\WinBioPlugIns\ into the field at the top.
  3. Delete the file named WinBio.dll if you can identify it as malware.
  4. Exit Windows Explorer and then Empty Recycle Bin.
  5. Install a legitimate malware scanner and perform a full system scan.
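As a defender's check for step 3 (added here; this is not code from the original article or from the malware's authors), the following PowerShell script looks for a WinBio.dll in the WinBioPlugIns folder named above, verifies its Authenticode signature, and compares its SHA-256 hash with the genuine winbio.dll. It assumes that the genuine library lives in %WINDIR%\System32\; the function name Test-PlantedWinBio is our own.

```powershell
# Added example, not part of the original article. Assumes the paths the article names:
# the planted copy in %WINDIR%\System32\WinBioPlugIns\ and (assumption) the genuine
# library in %WINDIR%\System32\. Run from an elevated PowerShell prompt.
$PluginDir  = Join-Path $env:WINDIR 'System32\WinBioPlugIns'
$Suspect    = Join-Path $PluginDir  'WinBio.dll'
$Legitimate = Join-Path $env:WINDIR 'System32\winbio.dll'

function Test-PlantedWinBio {
    param(
        [string]$SuspectPath = $Suspect,
        [string]$LegitPath   = $Legitimate
    )

    if (-not (Test-Path -LiteralPath $SuspectPath)) {
        return [pscustomobject]@{ Path = $SuspectPath; Found = $false; Verdict = 'absent' }
    }

    # Authenticode check: the genuine library is signed by Microsoft; a planted copy
    # is typically unsigned, or carries a signature that does not validate.
    $sig     = Get-AuthenticodeSignature -FilePath $SuspectPath
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

    # Compare the file's hash with the genuine System32 copy, if that copy exists.
    $hash      = (Get-FileHash -LiteralPath $SuspectPath -Algorithm SHA256).Hash
    $legitHash = if (Test-Path -LiteralPath $LegitPath) {
                     (Get-FileHash -LiteralPath $LegitPath -Algorithm SHA256).Hash
                 } else { $null }

    $verdict = if ($sig.Status -ne 'Valid' -or $subject -notmatch 'Microsoft') {
                   'SUSPICIOUS: WinBio.dll in WinBioPlugIns is not validly Microsoft-signed'
               } elseif ($legitHash -and $hash -eq $legitHash) {
                   'identical to the genuine System32 library; confirm why a copy is in WinBioPlugIns'
               } else {
                   'Microsoft-signed but not identical to System32\winbio.dll; investigate'
               }

    [pscustomobject]@{
        Path          = $SuspectPath
        Found         = $true
        Signature     = $sig.Status
        Signer        = $subject
        SHA256        = $hash
        MatchesSystem = ($legitHash -and $hash -eq $legitHash)
        LastWriteUtc  = (Get-Item -LiteralPath $SuspectPath).LastWriteTimeUtc
        Verdict       = $verdict
    }
}

Test-PlantedWinBio | Format-List
```

Keep the reported hash and timestamp for the incident record before deleting anything, and only remove the file in WinBioPlugIns, never the System32 copy.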

