FireEye reported a couple of months ago that FIN7 had new payloads they were using in their attacks which they called BOOSTWRITE. enSilo is sharing information now that they have been blocking alternate malicious payloads running legitimate Microsoft Windows processes. It was found that in these payloads, the attacker was abusing the DLL search order to load their own malicious DLL. Some of the samples that were discovered matched those released by FireEye with the newest tools and techniques that were being seen from FIN7, leading researchers to call this newest tool BIOLOAD–a twin to the previously discovered BOOSTWRITE. For BIOLOAD to work, the attacker needs to have administrator or a SYSTEM account in the targeted machine to leverage the DLL search order. BOOSTWRITE is written in C++ and is targeting 32-bit Windows machines and was compiled in May 2019. BIOLOAD is also written in C++ but is targeting 64-bit Windows machines and was compiled more recently.
Analyst Notes
: BIOLOAD and BOOSTWRITE use common but stealthy techniques to infect machines to try to stay hidden. Defenders should consider detecting DLL files stored in the wrong directory, or system DLLs with missing or incorrect digital signatures to find attackers using DLL search-order hijacking. Utilizing security measures such as Binary Defense’s managed endpoint detection and response software would help identify and mitigate attacks like these, by finding the attacker in the network and quarantining the attack.
IOC’s and the original article can be found here: https://www.fortinet.com/blog/threat-research/bioload-fin7-boostwrite-lost-twin.html
