BOOSTWRITE is a loader crafted to be launched via abuse of the DLL search order of applications used by FIN7.[1]

ID: S0415
Platforms: Windows
Version: 1.0
Created: 11 October 2019
Last Modified: 15 October 2019

Techniques Used

Domain ID Name Use
Enterprise T1140 Deobfuscate/Decode Files or Information

BOOSTWRITE has used a 32-byte long multi-XOR key to decode data inside its payload.[1]

Enterprise T1574.001 Hijack Execution Flow: DLL Search Order Hijacking

BOOSTWRITE has exploited the loading of the legitimate Dwrite.dll file: the application loads the gdi library, which then loads the gdiplus library, which ultimately loads the local Dwrite.dll.[1]

Enterprise T1027 Obfuscated Files or Information

BOOSTWRITE has encoded its payloads using a ChaCha stream cipher with a 256-bit key and a 64-bit initialization vector (IV) to evade detection.[1]
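As an added illustration (not code from the ATT&CK entry or from the malware itself), a pure-Python implementation of the ChaCha20 variant that a 256-bit key and 64-bit IV imply: the original construction with a 64-bit block counter, rather than the IETF RFC 7539 variant (32-bit counter, 96-bit nonce) that most libraries default to, which matters when an analyst decodes a payload encoded this way. The key, IV and payload below are constructed sample values, not BOOSTWRITE's.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(v, n):
    return ((v << n) & MASK32) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, iv, counter):
    """One 64-byte keystream block of the original ChaCha20 (64-bit counter, 64-bit IV).
    The IETF variant (RFC 7539) instead uses a 32-bit counter and a 96-bit nonce."""
    if len(key) != 32 or len(iv) != 8:
        raise ValueError("need a 32-byte key and an 8-byte IV")
    # State words 0-3: constants, 4-11: key, 12-13: block counter, 14-15: IV (little-endian)
    init = list(struct.unpack("<4I", b"expand 32-byte k"))
    init += struct.unpack("<8I", key)
    init += struct.unpack("<2I", struct.pack("<Q", counter))
    init += struct.unpack("<2I", iv)
    s = init[:]
    for _ in range(10):  # 20 rounds = 10 double rounds: column rounds, then diagonal rounds
        _quarter_round(s, 0, 4, 8, 12); _quarter_round(s, 1, 5, 9, 13)
        _quarter_round(s, 2, 6, 10, 14); _quarter_round(s, 3, 7, 11, 15)
        _quarter_round(s, 0, 5, 10, 15); _quarter_round(s, 1, 6, 11, 12)
        _quarter_round(s, 2, 7, 8, 13); _quarter_round(s, 3, 4, 9, 14)
    return struct.pack("<16I", *((x + y) & MASK32 for x, y in zip(s, init)))


def chacha20_xor(key, iv, data, counter=0):
    """Encrypt or decrypt (the operation is symmetric): XOR data with the keystream."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = chacha20_block(key, iv, (counter + i // 64) & 0xFFFFFFFFFFFFFFFF)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], block))
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample values; not the real key, IV or payload of any sample.
    key = bytes(range(32))
    iv = b"\x00\x00\x00\x00\x00\x00\x00\x4a"
    encoded = chacha20_xor(key, iv, b"MZ" + b"\x90" * 70)  # constructed "encoded payload"
    print(chacha20_xor(key, iv, encoded)[:2])  # -> b'MZ' after decoding
```

The all-zero key and IV reproduce the published ChaCha20 first-block keystream, which is the quickest way to confirm an implementation's word layout before applying it to recovered data.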

Enterprise T1129 Shared Modules

BOOSTWRITE has used the DWriteCreateFactory() function to load additional modules.[1]

Enterprise T1553.002 Subvert Trust Controls: Code Signing

BOOSTWRITE has been signed by a valid CA.[1]

Groups That Use This Software

ID Name References
G0046 FIN7