BOOSTWRITE is a loader crafted to be launched via abuse of the DLL search order of applications used by FIN7.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1129 | Shared Modules | BOOSTWRITE has used the DWriteCreateFactory() function to load additional modules.[1] |
| Enterprise | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | BOOSTWRITE has exploited the loading of the legitimate Dwrite.dll file by actually loading the gdi library, which then loads the gdiplus library and ultimately loads the local Dwrite dll.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | BOOSTWRITE has used a 32-byte long multi-XOR key to decode data inside its payload.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | BOOSTWRITE has encoded its payloads using a ChaCha stream cipher with a 256-bit key and 64-bit initialization vector (IV) to evade detection.[1] |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | BOOSTWRITE has been signed by a valid CA.[1] |
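The two rows above that matter most for a hunter are T1574.001 and T1553.002 together: the loader is picked up because a Dwrite.dll sitting in an application's directory wins the search order over the genuine DirectWrite library in the Windows system directory, and a valid signature alone will not flag it because the sample carried a certificate issued by a real CA. The script below is an added example written for this page, not code from MITRE or from any FIN7 tooling. It enumerates on-disk Dwrite.dll copies outside the system directories and Dwrite.dll modules currently loaded from such locations, and treats a file as suspicious when it is either not validly signed or validly signed by someone other than Microsoft. The search roots and the `O=Microsoft Corporation` subject match are assumptions for illustration; adjust them to the estate being checked.

```powershell
# Added example (not from the ATT&CK page or any FIN7 sample): hunt for Dwrite.dll
# copies that an application would load ahead of the real DirectWrite library.
# Assumption: these roots cover the application directories of interest on the host.
$searchRoots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:ProgramData", "$env:LOCALAPPDATA")
# The legitimate Dwrite.dll lives under these directories; anything elsewhere is worth a look.
$systemDirs  = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", "$env:SystemRoot\WinSxS")

function Test-InSystemDir {
    param([string]$Path)
    foreach ($dir in $systemDirs) {
        if ($Path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-DwriteVerdict {
    # Hash and Authenticode details for one file. 'Valid' status is not enough on its own:
    # a CA-signed loader also returns Valid, so the signer subject is checked as well.
    param([string]$Path)
    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    [pscustomobject]@{
        Path       = $Path
        SHA256     = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        SigStatus  = $sig.Status
        Signer     = $subject
        # Assumption: the genuine library is signed with a Microsoft Corporation subject.
        Suspicious = ($sig.Status -ne 'Valid') -or ($subject -notmatch 'O=Microsoft Corporation')
    }
}

function Find-RogueDwriteOnDisk {
    param([string[]]$Roots = $searchRoots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root -Filter 'dwrite.dll' -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { -not (Test-InSystemDir -Path $_.FullName) } |
            ForEach-Object { Get-DwriteVerdict -Path $_.FullName }
    }
}

function Find-RogueDwriteLoaded {
    # Live view: which processes currently have a Dwrite.dll mapped from outside the system dirs.
    # Module enumeration fails for protected or higher-integrity processes; those are skipped.
    foreach ($proc in Get-Process) {
        try { $modules = $proc.Modules } catch { continue }
        foreach ($m in $modules) {
            if ($m.ModuleName -ieq 'dwrite.dll' -and -not (Test-InSystemDir -Path $m.FileName)) {
                $verdict = Get-DwriteVerdict -Path $m.FileName
                $verdict | Add-Member -NotePropertyName Process -NotePropertyValue "$($proc.ProcessName) ($($proc.Id))" -PassThru
            }
        }
    }
}

Find-RogueDwriteOnDisk | Sort-Object Suspicious -Descending | Format-Table -AutoSize
Find-RogueDwriteLoaded | Format-Table -AutoSize
```

Run it elevated so that module enumeration covers more processes. A hit that is validly signed but not by Microsoft is the exact shape the code-signing row describes, and is worth pulling for analysis before trusting the signature; a copy next to an application binary that is signed by Microsoft is usually a redistributed system file, but the hash can still be compared against the copy in System32.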