BOOSTWRITE is a loader crafted to be launched via abuse of the DLL search order of applications used by FIN7.[1]
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1140 | Deobfuscate/Decode Files or Information | BOOSTWRITE has used a 32-byte long multi-XOR key to decode data inside its payload.[1]
Enterprise | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | BOOSTWRITE has exploited the loading of the legitimate Dwrite.dll file: the application loads the gdi library, which then loads the gdiplus library and ultimately loads the local Dwrite.dll.[1]
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | BOOSTWRITE has encoded its payloads using a ChaCha stream cipher with a 256-bit key and 64-bit initialization vector (IV) to evade detection.[1]
Enterprise | T1129 | Shared Modules | BOOSTWRITE has used the DWriteCreateFactory() function to load additional modules.[1]
Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | BOOSTWRITE has been signed by a valid CA.[1]