BOOSTWRITE

BOOSTWRITE is a loader crafted to be launched via abuse of the DLL search order of applications used by FIN7.[1]

ID: S0415
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1116 Code Signing

BOOSTWRITE has been signed by a valid CA.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

BOOSTWRITE has used a 32-byte multi-XOR key to decode data inside its payload.[1]

Enterprise T1038 DLL Search Order Hijacking

BOOSTWRITE has exploited the loading of the legitimate Dwrite.dll by actually loading the gdi library, which then loads the gdiplus library and ultimately loads the local Dwrite.dll.[1]

Enterprise T1129 Execution through Module Load

BOOSTWRITE has used the DWriteCreateFactory() function to load additional modules.[1]

Enterprise T1027 Obfuscated Files or Information

BOOSTWRITE has encoded its payloads using a ChaCha stream cipher with a 256-bit key and a 64-bit initialization vector (IV) to evade detection.[1]
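The 64-bit IV noted above points at the original Bernstein ChaCha layout (64-bit block counter followed by a 64-bit nonce) rather than the IETF 96-bit-nonce variant, a distinction an analyst decoding such a payload has to get right. The following is an added reference implementation of that layout, not code from BOOSTWRITE, FIN7 or MITRE; the 20-round count and the demo key/nonce are assumptions, since the page gives neither the round count nor any real key material.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(v, n):
    return ((v << n) & MASK32) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    # ChaCha quarter round on four words of the working state (in place)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, nonce, counter, rounds=20):
    """One 64-byte keystream block in the original (Bernstein) layout:
    4 constant words | 8 key words | 64-bit counter | 64-bit nonce."""
    if len(key) != 32 or len(nonce) != 8:
        raise ValueError("key must be 32 bytes and nonce 8 bytes")
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state += struct.unpack("<2I", struct.pack("<Q", counter))  # words 12-13
    state += struct.unpack("<2I", nonce)                        # words 14-15
    x = state[:]
    for _ in range(rounds // 2):
        # column round
        _quarter_round(x, 0, 4, 8, 12); _quarter_round(x, 1, 5, 9, 13)
        _quarter_round(x, 2, 6, 10, 14); _quarter_round(x, 3, 7, 11, 15)
        # diagonal round
        _quarter_round(x, 0, 5, 10, 15); _quarter_round(x, 1, 6, 11, 12)
        _quarter_round(x, 2, 7, 8, 13); _quarter_round(x, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x[i] + state[i]) & MASK32 for i in range(16)])


def chacha20_xor(key, nonce, data, counter=0):
    """Encrypt or decrypt (same operation): XOR data with successive keystream blocks."""
    out = bytearray()
    for off in range(0, len(data), 64):
        keystream = chacha20_block(key, nonce, counter + off // 64)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], keystream))
    return bytes(out)


if __name__ == "__main__":
    # Constructed demo values only; the page does not give BOOSTWRITE's real key or IV.
    key, nonce = bytes(range(32)), bytes(range(8))
    blob = chacha20_xor(key, nonce, b"MZ\x90\x00 stand-in payload bytes")
    print(chacha20_xor(key, nonce, blob))  # recovers the stand-in payload
```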

Groups That Use This Software

ID Name References
G0046 FIN7 [1]

References