In this article, we talk about a new malicious application called BOOSTWRITE that can avoid detection and drop malware on a targeted system. Researchers say that there are already quite a few versions of it, and it looks like the threat is still being updated. Also, the latest infection’s sample revealed that it might have been created by the infamous hackers who are known as FIN7. They have been known to cybersecurity specialists for a few years now as they keep coming back with more vicious threats that cause lots of damage to targeted victims. As you can imagine, such complex applications are usually used to attack systems of businesses and other organizations. However, if the cybercriminals attack, for example, a company that provides a banking application, its users could be affected by it. If you want to know what FIN7 might be after with BOOSTWRITE and how this malware works, we recommend reading the rest of this article.
BOOSTWRITE is a Trojan, but it is also called a malware dropper because its main task is to infect a targeted system with more malicious applications. Trojans enter computers without any permission, and they can do so by manipulating particular vulnerabilities. For example, if your browser is out of date and has any weaknesses known to hackers, you could receive such a threat after interacting with suspicious pop-up advertisements, links, or other unreliable content. In this case, it seems the malware manipulates a tool called the DLL search order of applications. It is supposed to load a legit .dll file named Dwrite.dll, but BOOSTWRITE makes it open a malicious file called DWriteCreateFactory
As mentioned earlier, BOOSTWRITE has ways to avoid detection, which means your traditional antivirus application might not notice it or warn you about it. Consequently, for those who wish to stay away from Trojans alike, specialists advise using reputable and robust antimalware tools. Also, it is vital to take care of outdated software and other vulnerabilities, such as weak passwords or unsecured RDP connections. Of course, it is essential that employees would know how to be safe while browsing the Internet, viewing email or other messages, installing new tools, and so on. Thus, educating employees on cybersecurity topics might be a good idea as well if a company wants to avoid getting its systems infected due to human error.
Furthermore, it was noticed that if BOOSTWRITE enters a system, it may drop two particular malicious applications. They are called CARBANAK and RDFSNIFFER. Both of them have backdoor qualities, but are a bit different as the second program (RDFSNIFFER) may allow hackers to manipulate the NCR Corporation’s “Aloha Command Center” client. This application is a remote monitoring and diagnostic tool that provides updates on the status of hardware and software for companies in the restaurant business. FIN7 is most likely interested in it because the application’s features may allow them to access payment card processing sectors. Of course, the researchers who discovered this behavior have already informed the company about possible attacks on their systems.
What’s more, the reason why BOOSTWRITE might drop the mentioned malicious applications without being detected is that it might have a digital certificate, which might seem legit. Consequently, traditional antivirus tools might not identify the threat as harmful. The worst part is that the Trojan is being updated, so it might still be difficult to detect its new samples even if it is known how the threat avoids being spotted. Hopefully, cybersecurity specialists will manage to stop such malicious applications faster soon enough, as for now, we recommend being cautious. Also, it is worth considering investing in a reputable antimalware tool that could guard a company’s systems, especially if they process or handle sensitive information.
Nick Carr, Josh Yoder, Kimberly Goody, Scott Runnels, Jeremy Kennelly, Jordan Nuce. October 10, 2019. Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques. FireEye Inc.