BOOSTWRITE is an in-memory dropper created by the FIN7 advanced persistent threat group for use in their own campaigns.
It is unclear how BOOSTWRITE is delivered, although FIN7 are known to use advanced spear-phishing campaigns to deliver their tools. What is known is that BOOSTWRITE will attempt to alter the search order for the Dwrite.dll Dynamic-link Library file, ensuring that it is launched at startup in place of the legitimate file.
This malware uses a DLL search order hijacking technique to load its own malicious DLLs into the infected system's memory, which enables it to download the initialization vector (IV) and the decryption key needed to decrypt the embedded payloads.
Once loaded, BOOSTWRITE scans its own image to retrieve a multi-XOR key, which it uses to decode further data stored within the image. This data contains an IP address and port for a command and control server, to which BOOSTWRITE connects in order to obtain a decryption key for two embedded ChaCha-encrypted payloads. These payloads are then loaded straight into the affected system's memory, bypassing running anti-virus and security services.
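A defender-side check for the Dwrite.dll search order hijack described above, added here as an example and not part of the original post: it parses constructed "image loaded" style log lines (a simplified key=value format, not an exact Sysmon schema) and flags any Dwrite.dll loaded from outside the Windows system directories. The trusted directory list and the log format are assumptions.

```python
import ntpath
import re

# Assumption: on a default Windows install, Dwrite.dll is only legitimately
# loaded from these two directories. Anything else is a search order hijack candidate.
TRUSTED_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}

# Constructed sample log lines (simplified "image loaded" events, key=value pairs).
SAMPLE_LOG = [
    r"Image=C:\Program Files\Vendor\app.exe ImageLoaded=C:\Windows\System32\Dwrite.dll Signed=true",
    r"Image=C:\Program Files\Vendor\app.exe ImageLoaded=C:\Program Files\Vendor\Dwrite.dll Signed=false",
    r"Image=C:\Windows\explorer.exe ImageLoaded=C:\Windows\SysWOW64\dwrite.dll Signed=true",
    r"Image=C:\Users\alice\Downloads\viewer.exe ImageLoaded=C:\Users\alice\Downloads\DWrite.dll Signed=false",
]

# Values may contain spaces (e.g. "Program Files"), so a value runs until the
# next " Key=" token or the end of the line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_line(line):
    """Turn one key=value log line into a dict."""
    return dict(FIELD_RE.findall(line.strip()))


def is_hijack_candidate(record):
    """True when the loaded module is Dwrite.dll but lives outside the trusted system directories."""
    loaded = record.get("ImageLoaded", "")
    if ntpath.basename(loaded).lower() != "dwrite.dll":
        return False
    return ntpath.dirname(loaded).lower() not in TRUSTED_DIRS


def find_hijack_candidates(lines):
    """Return (process, loaded path, signed flag) for every suspicious Dwrite.dll load."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_hijack_candidate(rec):
            hits.append((rec.get("Image", ""), rec["ImageLoaded"], rec.get("Signed")))
    return hits


if __name__ == "__main__":
    for proc, path, signed in find_hijack_candidates(SAMPLE_LOG):
        print(f"suspicious Dwrite.dll load: {proc} -> {path} (Signed={signed})")
```

Feed the function real image-load telemetry (one record per line) to hunt for the same pattern; a copy of Dwrite.dll beside an application binary rather than in System32 is the signal to investigate.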
UK-based technology professional, with an interest in computer security and telecoms.