# S0415 BOOSTWRITE

BOOSTWRITE is a loader crafted to be launched via abuse of the DLL search order of applications used by FIN7.[1]
| Item | Value |
|---|---|
| ID | S0415 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 11 October 2019 |
| Last Modified | 15 October 2019 |
## Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1140 | Deobfuscate/Decode Files or Information | BOOSTWRITE has used a 32-byte long multi-XOR key to decode data inside its payload.[1] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.001 | DLL Search Order Hijacking | BOOSTWRITE has exploited the loading of the legitimate Dwrite.dll file by actually loading the gdi library, which then loads the gdiplus library and ultimately loads the local Dwrite.dll.[1] |
| enterprise | T1027 | Obfuscated Files or Information | BOOSTWRITE has encoded its payloads using a ChaCha stream cipher with a 256-bit key and a 64-bit initialization vector (IV) to evade detection.[1] |
| enterprise | T1129 | Shared Modules | BOOSTWRITE has used the DWriteCreateFactory() function to load additional modules.[1] |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.002 | Code Signing | BOOSTWRITE has been signed by a valid CA.[1] |
## Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0046 | FIN7 | [1] |