BOOSTWRITE

BOOSTWRITE is a loader crafted to be launched via abuse of the DLL search order of applications used by FIN7.[1]

ID: S0415
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 11 October 2019
Last Modified: 11 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1140 Deobfuscate/Decode Files or Information

BOOSTWRITE has used a 32-byte long multi-XOR key to decode data inside its payload.[1]

Enterprise T1574 .001 Hijack Execution Flow: DLL

BOOSTWRITE has hijacked the loading of the legitimate Dwrite.dll: the abused application loads the gdi library, which loads the gdiplus library, which in turn resolves Dwrite.dll from the application's local directory, where the malicious copy has been placed, rather than from the system directory.[1]
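The practical hunt for this technique is to look for a system DLL name sitting beside an application executable, since the application directory is searched before the system directory. The following is an added example, not code from this page or from the cited report: it walks a set of directories, flags any copy of a watched DLL (here only Dwrite.dll, a hypothetical watch-list) found outside the system directory, and compares its SHA-256 with the genuine system copy. The `demo()` function builds a constructed directory tree with placeholder file contents so the check runs offline; on a real host you would point it at the real `Program Files` roots and `System32`.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Hypothetical watch-list: DLL names that legitimately live under the system
# directory. Dwrite.dll is the name this page documents; extend as needed.
WATCHED_DLLS = {"dwrite.dll"}


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_sideload_candidates(scan_roots, system_dir, watched=WATCHED_DLLS):
    """Return (path, reason) for every watched DLL found outside system_dir.

    Any copy of a watched DLL next to an executable is suspect because the
    application directory is searched first; a copy whose SHA-256 differs
    from the system copy is the strongest signal.
    """
    system_dir = Path(system_dir).resolve()
    # Reference hashes of the genuine copies (names compared case-insensitively).
    reference = {
        entry.name.lower(): sha256_file(entry)
        for entry in system_dir.iterdir()
        if entry.is_file() and entry.name.lower() in watched
    }
    findings = []
    for root in scan_roots:
        for dirpath, _subdirs, files in os.walk(root):
            here = Path(dirpath).resolve()
            if here == system_dir or system_dir in here.parents:
                continue
            for fname in files:
                key = fname.lower()
                if key not in watched:
                    continue
                candidate = here / fname
                ref = reference.get(key)
                if ref is None:
                    reason = "watched DLL present; no system copy to compare"
                elif sha256_file(candidate) != ref:
                    reason = "hash differs from system copy"
                else:
                    reason = "identical to system copy but outside system dir"
                findings.append((str(candidate), reason))
    return findings


def demo():
    """Run the check over a constructed directory tree (placeholder files, not malware)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        system_dir = root / "Windows" / "System32"
        clean_app = root / "Program Files" / "CleanApp"
        lured_app = root / "Program Files" / "LuredApp"
        for d in (system_dir, clean_app, lured_app):
            d.mkdir(parents=True)
        (system_dir / "dwrite.dll").write_bytes(b"genuine DirectWrite (placeholder)")
        (clean_app / "app.exe").write_bytes(b"MZ placeholder")
        (lured_app / "app.exe").write_bytes(b"MZ placeholder")
        # Rogue copy beside the executable, where a search-order lure would be dropped.
        (lured_app / "Dwrite.dll").write_bytes(b"rogue loader (placeholder)")
        return find_sideload_candidates([root / "Program Files"], system_dir)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason}: {path}")
```

A hash mismatch is only the starting point: the next step is to check the Authenticode signer of the flagged file, since, as this page notes below, a valid signature from some CA does not by itself make the copy legitimate.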

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

BOOSTWRITE has encoded its payloads using a ChaCha stream cipher with a 256-bit key and a 64-bit initialization vector (IV) to evade detection.[1]
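The two decoding primitives named on this page, the repeating 32-byte XOR under T1140 above and the ChaCha stream cipher with a 256-bit key and 64-bit IV here, are shown below as an added example; this is not code from the page or from the cited report, and the keys, IV and payload bytes are constructed. A 64-bit IV corresponds to the original ChaCha20 word layout (64-bit block counter followed by a 64-bit nonce) rather than the RFC 7539 layout (32-bit counter, 96-bit nonce), so the cipher is written out in full to make that layout visible. The order in which the two layers are applied in `demo_roundtrip()` is arbitrary; the page does not state how BOOSTWRITE layers them.

```python
import struct


def xor_decode(data: bytes, key: bytes) -> bytes:
    """Undo a repeating multi-byte XOR (the page reports a 32-byte key)."""
    if not key:
        raise ValueError("XOR key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _rotl32(v: int, n: int) -> int:
    return ((v << n) & 0xFFFFFFFF) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF
    s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF
    s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF
    s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF
    s[b] = _rotl32(s[b] ^ s[c], 7)


def _chacha20_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    # Original ChaCha20 state: constants | 256-bit key | 64-bit counter | 64-bit nonce.
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state += [counter & 0xFFFFFFFF, (counter >> 32) & 0xFFFFFFFF]
    state += struct.unpack("<2I", nonce)
    work = state[:]
    for _ in range(10):  # 20 rounds = 10 double rounds (column, then diagonal)
        _quarter_round(work, 0, 4, 8, 12)
        _quarter_round(work, 1, 5, 9, 13)
        _quarter_round(work, 2, 6, 10, 14)
        _quarter_round(work, 3, 7, 11, 15)
        _quarter_round(work, 0, 5, 10, 15)
        _quarter_round(work, 1, 6, 11, 12)
        _quarter_round(work, 2, 7, 8, 13)
        _quarter_round(work, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w + s) & 0xFFFFFFFF for w, s in zip(work, state)])


def chacha20_crypt(key: bytes, nonce: bytes, data: bytes, counter: int = 0) -> bytes:
    """Encrypt or decrypt (same operation) with a 256-bit key and 64-bit nonce/IV."""
    if len(key) != 32:
        raise ValueError("ChaCha20 key must be 32 bytes")
    if len(nonce) != 8:
        raise ValueError("this variant takes an 8-byte (64-bit) IV")
    out = bytearray()
    for off in range(0, len(data), 64):
        keystream = _chacha20_block(key, nonce, counter + off // 64)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], keystream))
    return bytes(out)


def demo_roundtrip() -> bytes:
    """Constructed sample: wrap a stand-in payload in both layers, then unwrap it."""
    key = bytes(range(32))                                   # constructed 256-bit key
    nonce = b"\x00" * 8                                      # constructed 64-bit IV
    xor_key = bytes((7 * i + 3) & 0xFF for i in range(32))   # constructed 32-byte XOR key
    payload = b"MZ" + b"\x90" * 70                           # stand-in for an embedded PE
    # Layering order here is arbitrary (the page does not state BOOSTWRITE's order).
    wrapped = xor_decode(chacha20_crypt(key, nonce, payload), xor_key)
    return chacha20_crypt(key, nonce, xor_decode(wrapped, xor_key))


if __name__ == "__main__":
    print(chacha20_crypt(b"\x00" * 32, b"\x00" * 8, b"\x00" * 64).hex())
    print(demo_roundtrip()[:2])
```

The zero-key, zero-IV, counter-0 keystream block is identical under both nonce layouts, so the well-known test vector beginning `76b8e0ad a0f13d90` serves to validate the core function before it is pointed at a real sample.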

Enterprise T1129 Shared Modules

BOOSTWRITE has used the DWriteCreateFactory() function to load additional modules.[1]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

BOOSTWRITE has been signed with a certificate issued by a valid CA.[1] A valid signature therefore does not by itself mark the DLL as legitimate; the signer should also be compared with the publisher expected for the application being abused.

Groups That Use This Software

ID Name References
G0046 FIN7 [1]

References