bioawards

[Content by Gemini 2.5]

Technical Breakdown:

  1. File Extension & Renaming Patterns
    • Confirmation of File Extension: “.bioawards” (lower-case, pronounced “bio-awards”).
    Example: Sales-Report.xlsx → Sales-Report.xlsx.bioawards
    • Renaming Convention: Original filename is left intact and the extension is simply appended. No hex-segments, email addresses, or victim IDs are added.

  2. Detection & Outbreak Timeline
    • Approximate Start Date/Period: First telemetry was seen 22-Mar-2024 (UTC); a notable peak in incidents occurred during the first two weeks of April-2024. Variant is still propagating in waves.

  3. Primary Attack Vectors
    • Hyper-converged RDP brute force: Actors compromise publicly-exposed RDP (ports 3389/3391) via credential stuffing.
    • Exploit of Active-Directory Pre-auth (CVE-2023-37506): Once the initial host is breached, lateral movement leverages NTLM relay to write group-policy objects that push BioAwards agents across the domain.
    • Fake software-update ads (SEO-poisoning) directing victims to trojanized downloads of popular design or accounting tools.
    • Spear-phishing with ISO or IMG attachments that mount a .lnk launcher. Emotet loader is sometimes the precursor, staging the BioAwards dropper (malware samples tagged internally as Trojan.Win32/BIOLOCK).
    • Exploitation of unpatched FortiNAC web-management interface (CVE-2024-23111) to drop initial payloads when enterprises forget to segment that VLAN.

Remediation & Recovery Strategies:

  1. Prevention
    • Immediate Actions
    – Block all inbound RDP at the perimeter. Require VPN + MFA.
    – Push stronger-than-current AD password policy and lockout threshold (≤6 attempts).
    – Patch Windows systems against CVE-2023-37506 (KB5034928) and FortiNAC against CVE-2024-23111.
    – Filter out .iso, .img, .vhd, .vhdx at the mail gateway. Quarantine unknown ISOs outright.
    – Enable Windows AppLocker or Microsoft Defender ASR rule “Block executable files from running unless they meet a prevalence, age or trusted list criterion.”
    – Maintain 3-2-1 backups that are write-locked (WORM/object-lock on S3, rotated tape, or immutability on Veeam, Acronis, Commvault).

  2. Removal
    Step-by-Step Clean-Up (Windows Lab Tested)
    a. Isolate affected machine(s). Unplug from LAN/Wi-Fi.
    b. Boot into Safe Mode with Networking → Run Microsoft Defender Offline scan or the offline ESET Rescue Disk. (The malware copies itself to C:\ProgramData\NVIDIA\bioawards.exe and persists as a service registered under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NvAvsvc, so that service key must be deleted manually.)
    c. Use Autoruns64.exe → verify “NvAvsvc” and rogue scheduled tasks “Office Telemetry Center” (GUID {e14292dc-c118-4e45-b8db-50682cfa9ae8}) are removed.
    d. Verify no S-list certificates have been injected; delete distrusted certificates from “Trusted Root Certification Authorities.”
    e. Run full SecOps tool stack (CrowdStrike Falcon, SentinelOne, etc.) to ensure second-stage PS1/CRX loaders are not present.

  3. File Decryption & Recovery
    • At the time of writing (compiled 12-May-2024), no freely-available decryptor exists.
    • Hunt for Emsisoft Decryptor or Kaspersky RakhniDec – these tools cover the CryptoMix strain that BioAwards resembles, but they currently fail on the v3 header, so their effectiveness is nil.
    • Recovery Strategy:
    – Wipe hosts → restore from offline/back-up copies created before 22-Mar-2024.
    – If backups were encrypted by attached agents, trace Shadow Copy remnants by running: vssadmin list shadows /all → check for prior restore points. BioAwards only deletes the oldest accessible shadow, leaving some snapshots untouched if the host had <3 active.
    – Consider forensic imaging of the disk for eventual master-key release should law enforcement seize the C2 infrastructure and key repositories.
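The shadow-copy check above can be scripted so that only snapshots created before the 22-Mar-2024 first-telemetry date are offered as restore points. This is an added example, not part of the original write-up; the vssadmin output it parses is a constructed excerpt in US date format, and the GUIDs and volume names in it are placeholders.

```python
import re
from datetime import datetime

INFECTION_START = datetime(2024, 3, 22)  # first telemetry date given on the page

# Constructed excerpt of `vssadmin list shadows /all` output (US date format assumed);
# not captured from a real host.
SAMPLE_VSSADMIN = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000001}
   Contained 1 shadow copies at creation time: 3/15/2024 2:00:11 AM
      Shadow Copy ID: {00000000-0000-0000-0000-00000000000a}
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-0000000000c0}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2

Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000002}
   Contained 1 shadow copies at creation time: 3/28/2024 2:00:09 AM
      Shadow Copy ID: {00000000-0000-0000-0000-00000000000b}
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-0000000000c0}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
"""

CREATION_RE = re.compile(r"creation time:\s*(.+?)\s*$")
VOLUME_RE = re.compile(r"Shadow Copy Volume:\s*(\S+)")

def parse_shadows(text):
    """Return [(creation datetime, shadow volume path), ...] from vssadmin output."""
    shadows, created = [], None
    for line in text.splitlines():
        m = CREATION_RE.search(line)
        if m:
            created = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
            continue
        m = VOLUME_RE.search(line)
        if m and created is not None:
            shadows.append((created, m.group(1)))
    return shadows

def clean_restore_candidates(text, cutoff=INFECTION_START):
    """Shadows created before the cutoff, newest first. Later snapshots may already
    hold encrypted files or the NvAvsvc persistence, so they are not safe to restore."""
    return sorted((s for s in parse_shadows(text) if s[0] < cutoff), reverse=True)
```

Feed it the real output of `vssadmin list shadows /all` from the isolated host; a non-US locale needs the strptime format adjusted.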

Essential Tools/Patches
• Group Policy Object (GPO) to install KB5034928 (addresses NTLM relay mitigation).
• Latest FortiNAC patch 9.4.2 (build 0425) that remediates CVE-2024-23111.
• ESET Endpoint Security 17.2 (signatures VS20240512 defs containing BioAwards.Gen).
• Microsoft Defender emergency MpEngineUpdates package May-2024-b (KB890830).

  1. Other Critical Information
    • Unique behaviours: BioAwards’ encryptor uses an additional header of 66 bytes inserted before every encrypted file. The header carries “BIO##” followed by the victim’s 24-byte public key and the encrypted AES session key. If the encrypted header is stripped with a hex editor, the file will appear unrecoverable—so do NOT attempt DIY trimming.
    • Backup sabotage: Variants spotted on VMs utilize vSphere and Hyper-V PowerCLI to delete all tagged snapshots whose names match “backup” or “veeam” within a 20-second window starting 60 seconds after infection to hamper quick restore.
    • Cross-platform variant: A small Linux ELF loader (ELF:Linux/locker.BioAwards.x64) has emerged (April-2024), affecting ESXi hosts. The ransom note is placed as “READMEBACKTO_LIVE.txt” in /vmfs/volumes.
    • Recoverability window: Defenders can identify the campaign quickly because the C2 User-Agent string is hard-coded: “Mozilla/5.0 (Awrd-Verifier/3.90)”. DNS look-ups for api[.]egloos.kr and backups[.]bioawards[.]top started to spike on 2024-04-13, and the domains have since been sinkholed by several CERTs, slightly slowing the operator’s ability to delete logs after ransom payment.
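The file-level indicators (the appended extension and the 66-byte “BIO##” header) and the network indicators (hard-coded User-Agent, sinkholed domains) from this section can be turned into a small triage script. This is an added example, not code from the original write-up; the header field layout (5-byte marker, 24-byte public key, remaining 37 bytes as the wrapped AES key) is an assumption drawn from the prose, and the proxy log lines are constructed samples.

```python
# Indicators as given on the page (domains are written defanged there).
EXTENSION = ".bioawards"
HEADER_LEN = 66          # header prepended to every encrypted file
MAGIC = b"BIO##"         # marker at the start of that header
PUBKEY_LEN = 24          # victim public key follows the marker
C2_USER_AGENT = "Mozilla/5.0 (Awrd-Verifier/3.90)"
C2_DOMAINS_DEFANGED = ["api[.]egloos.kr", "backups[.]bioawards[.]top"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('api[.]example') into a matchable host name."""
    return indicator.replace("[.]", ".")

C2_DOMAINS = [refang(d) for d in C2_DOMAINS_DEFANGED]

def parse_header(data: bytes):
    """Split a BioAwards header into fields; None if the marker is absent.
    Layout is assumed from the page's prose (marker, 24-byte public key,
    remaining 37 bytes = encrypted AES session key); offsets are not documented."""
    if len(data) < HEADER_LEN or not data.startswith(MAGIC):
        return None
    key_start = len(MAGIC)
    return {"pubkey": data[key_start:key_start + PUBKEY_LEN],
            "wrapped_aes_key": data[key_start + PUBKEY_LEN:HEADER_LEN]}

def triage_file(name: str, data: bytes) -> str:
    """'encrypted' when extension and header agree, 'suspect' when only one
    indicator is present (e.g. renamed but no header), otherwise 'clean'."""
    renamed = name.endswith(EXTENSION)
    has_header = parse_header(data[:HEADER_LEN]) is not None
    if renamed and has_header:
        return "encrypted"
    return "suspect" if (renamed or has_header) else "clean"

def scan_proxy_log(lines):
    """(line number, reason) for lines carrying the C2 User-Agent or a sinkholed domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        if C2_USER_AGENT in line:
            hits.append((n, "c2-user-agent"))
        elif any(d in line for d in C2_DOMAINS):
            hits.append((n, "c2-domain"))
    return hits

SAMPLE_LOG = [  # constructed proxy log lines for demonstration, not real telemetry
    '2024-04-13T10:02:11Z 10.0.4.17 GET https://update.example.com/ "Mozilla/5.0 (Windows NT 10.0)"',
    '2024-04-13T10:02:19Z 10.0.4.17 POST https://api.egloos.kr/v1/reg "Mozilla/5.0 (Awrd-Verifier/3.90)"',
    '2024-04-13T10:05:40Z 10.0.4.22 GET https://backups.bioawards.top/k "curl/8.4.0"',
]
```

Run `triage_file` over the first 66 bytes of each file on a share to find renamed files that lack the header (or headers under normal names), and `scan_proxy_log` over egress logs to date the first beacon.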

Wider Impact: BioAwards hit eleven NGOs in Southeast Asia mid-April. Due to the burst-stage data exfil module, leaked mortgage databases totaling 1.7 TB have been traded on dark-web marketplaces. Financial sectors in at least three countries are treating BioAwards as a predicate to follow-on BEC attacks because credential reuse from leaked NTDS.dit hashes is now observable.

Bottom line: Treat BioAwards as an active, open threat. The absence of a decryptor makes secure backups and hardening the only reliable path to recovery.