RDFSNIFFER

RDFSNIFFER is a module loaded by BOOSTWRITE which allows an attacker to monitor and tamper with legitimate connections made via an application designed to provide visibility and system management capabilities to remote IT techs.[1]

ID: S0416
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1106 | Execution through API | RDFSNIFFER has used several Win32 API functions to interact with the victim machine.[1]
Enterprise | T1107 | File Deletion | RDFSNIFFER has the capability of deleting local files.[1]
Enterprise | T1179 | Hooking | RDFSNIFFER hooks several Win32 API functions to hijack elements of the remote system management user-interface.[1]

Groups That Use This Software

ID | Name | References
G0046 | FIN7 | [1]

References