FireEye reported a couple of months ago that FIN7 had new payloads they were using in their attacks which they called BOOSTWRITE. enSilo is sharing information now that they have been blocking alternate malicious payloads running legitimate Microsoft Windows processes. It was found that in these payloads, the attacker was abusing the DLL search order to load their own malicious DLL. Some of the samples that were discovered matched those released by FireEye with the newest tools and techniques that were being seen from FIN7, leading researchers to call this newest tool BIOLOAD–a twin to the previously discovered BOOSTWRITE. For BIOLOAD to work, the attacker needs to have administrator or a SYSTEM account in the targeted machine to leverage the DLL search order. BOOSTWRITE is written in C++ and is targeting 32-bit Windows machines and was compiled in May 2019. BIOLOAD is also written in C++ but is targeting 64-bit Windows machines and was compiled more recently.
With all the news around COVID-19/Coronavirus, the average person is turning to the internet for