FIN7 Hackers Create New RAT Malware [BOOSTWRITE]

BOOSTWRITE is an in-memory dropper created by the FIN7 advanced persistent threat group for use in its own campaigns.

It is unclear how BOOSTWRITE is delivered, although FIN7 are known to use advanced spear-phishing campaigns to deliver their tools. What is known is that BOOSTWRITE abuses the search order for the Dwrite.dll Dynamic-link Library file so that its own copy is loaded at startup in place of the legitimate file.

This malware uses a DLL search order hijacking technique to load its own malicious DLLs into the infected system’s memory, which enables it to download the initialization vector (IV) and the decryption key needed to decrypt the embedded payloads.

Once loaded, BOOSTWRITE will scan its own image to retrieve a multi-XOR key in order to decode further data stored within the image. This data contains an IP address and port for a command and control server, which BOOSTWRITE will connect to in order to obtain a decryption key for two embedded ChaCha-encrypted payloads. These payloads will then be loaded straight into the affected system’s memory, bypassing running anti-virus and security services.
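The detection angle a defender takes from the description above is that a DLL search order hijack leaves a copy of Dwrite.dll somewhere it does not belong, typically beside the application binary that imports it rather than in the Windows system directory. The script below is an added example, not code from the original post or from FIN7's tooling: it walks a set of directory roots, flags every dwrite.dll found outside the trusted system directories as a hijack candidate, and also compares each file's SHA-256 against the sample hash the post lists. The temporary directory tree it scans is constructed demo data; on a real host you would pass the drive roots and %SystemRoot%\System32 and SysWOW64 as the trusted directories.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 of the BOOSTWRITE sample referenced in the post (listed on VirusTotal).
BOOSTWRITE_SHA256 = "18cc54e2fbdad5a317b6aeb2e7db3973cc5ffb01bbf810869d79e9cb3bf02bd5"

# The DLL whose search order BOOSTWRITE hijacks.
HIJACKED_DLL = "dwrite.dll"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_hijack_candidates(roots, trusted_dirs, ioc_hashes=frozenset({BOOSTWRITE_SHA256})):
    """Walk `roots` and return one finding per file named dwrite.dll (case-insensitive).

    A copy outside `trusted_dirs` (on a real host: System32 and SysWOW64) is a
    search-order hijack candidate. A hash match against `ioc_hashes` is reported
    regardless of where the file sits.
    """
    trusted = {Path(d).resolve() for d in trusted_dirs}
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() != HIJACKED_DLL:
                    continue
                path = Path(dirpath, name)
                digest = sha256_of(path)
                reasons = []
                if path.resolve().parent not in trusted:
                    reasons.append("dwrite.dll outside trusted system directory")
                if digest in ioc_hashes:
                    reasons.append("hash matches known BOOSTWRITE sample")
                if reasons:
                    findings.append({"path": str(path), "sha256": digest, "reasons": reasons})
    return findings


def build_demo_tree():
    """Create a throwaway tree (constructed demo data, not a real host) with a
    legitimate-looking copy of dwrite.dll under a fake System32 and a planted
    copy next to an application binary, the layout a search-order hijack relies on."""
    base = tempfile.mkdtemp(prefix="boostwrite_demo_")
    sys32 = Path(base, "Windows", "System32")
    app = Path(base, "Program Files", "SomeApp")
    sys32.mkdir(parents=True)
    app.mkdir(parents=True)
    (sys32 / "dwrite.dll").write_bytes(b"MZ legit directwrite placeholder")
    (app / "app.exe").write_bytes(b"MZ application placeholder")
    (app / "Dwrite.dll").write_bytes(b"MZ planted dll placeholder")
    return base, [str(sys32)]


def run_demo():
    """Scan the constructed tree; only the planted copy should be reported."""
    base, trusted = build_demo_tree()
    return find_hijack_candidates([base], trusted)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding["path"], finding["sha256"][:16], "; ".join(finding["reasons"]))
```

The location check is the one that generalises: the listed hash only catches this particular sample, while a dwrite.dll sitting in an application directory is suspicious whatever its contents, and is worth pairing with a signature check on the file in a production scan.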

Further details –

Hash 18cc54e2fbdad5a317b6aeb2e7db3973cc5ffb01bbf810869d79e9cb3bf02bd5 on VirusTotal

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.
