BOOSTWRITE is a loader crafted to be launched via abuse of the DLL search order of applications used by FIN7.[1]
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1140 | Deobfuscate/Decode Files or Information |
BOOSTWRITE has used a a 32-byte long multi-XOR key to decode data inside its payload.[1] |
|
Enterprise | T1574 | .001 | Hijack Execution Flow: DLL Search Order Hijacking |
BOOSTWRITE has exploited the loading of the legitimate Dwrite.dll file by actually loading the gdi library, which then loads the gdiplus library and ultimately loads the local Dwrite dll.[1] |
Enterprise | T1027 | Obfuscated Files or Information |
BOOSTWRITE has encoded its payloads using a ChaCha stream cipher with a 256-bit key and 64-bit Initialization vector (IV) to evade detection.[1] |
|
Enterprise | T1129 | Shared Modules |
BOOSTWRITE has used the DWriteCreateFactory() function to load additional modules.[1] |
|
Enterprise | T1553 | .002 | Subvert Trust Controls: Code Signing |
BOOSTWRITE has been signed by a valid CA.[1] |
ID | Name | References |
---|---|---|
G0046 | FIN7 |