Danger level 7
Type: Other

Silent Malware Dropper BOOSTWRITE Manages to Evade Antivirus Detection

BOOSTWRITE is a clandestine Trojan that can slip into an operating system and then silently drop other infections that cybercriminals would have a harder time delivering undetected on their own. It appears that this threat is employed by the FIN7 group, and so it is most likely to drop malware built by that group. That being said, cybercriminals can build and upgrade infections, which makes the dropper fairly unpredictable. At the time of research, it was found dropping CARBANAK and RDFSNIFFER malware, but by the time you are reading this report, the situation might have changed. Without a doubt, the operating system needs to be protected against anything that could be associated with this Trojan, and, unfortunately, that is easier said than done. A single vulnerability in a system could be enough for cybercriminals to use it for malware execution. Needless to say, operating systems that are upgraded, updated, and protected stand a better chance of evading Trojans and other kinds of malware. Before you take care of that, you want to remove BOOSTWRITE and any additional malware.

The clandestine BOOSTWRITE is an in-memory-only dropper. The attackers behind it abuse the DLL search order of applications that load Dwrite.dll, a library that belongs to Microsoft DirectX Typography Services, so that a malicious copy is loaded in place of the legitimate file. If the malicious file is loaded successfully, a connection is made to a remote server, which allows the Trojan to obtain a decryption key and an initialization vector. These are necessary for the decryption of two embedded payload DLLs. The decrypted payloads are then loaded into memory. As the term “dropper” suggests, BOOSTWRITE is all about executing new malware payloads, and that appears to be its only function. To keep this clandestine Trojan undetected by anti-malware tools, the cybercriminals behind it have been observed to use the signatures of a valid certificate authority. Although that is not a fail-proof method of concealment, it certainly can help cybercriminals keep the threat undetected on many systems. If it were detected right away, it would be deleted before additional malware was dropped and executed, and that would prevent successful attacks against the targets of BOOSTWRITE.
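The search-order abuse described above leaves one artifact on disk: a copy of Dwrite.dll sitting outside the Windows system directories, next to the application that loads it. The following triage sketch is an added example, not code from the original report; the trusted directory names and the sample tree are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Directories where a genuine copy of the library is expected (assumption:
# matched case-insensitively against path components below the scan root).
TRUSTED_PARTS = {"system32", "syswow64", "winsxs"}
TARGET_NAME = "dwrite.dll"


def sha256_of(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_planted_dwrite(root):
    """Return one finding per dwrite.dll located outside the trusted directories."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        parts = {p.lower() for p in Path(folder).relative_to(root).parts}
        if parts & TRUSTED_PARTS:
            continue  # expected location of the Microsoft-supplied file
        for name in files:
            if name.lower() != TARGET_NAME:
                continue
            path = Path(folder) / name
            # Executables in the same folder would resolve this copy first.
            hosts = sorted(f for f in files if f.lower().endswith(".exe"))
            findings.append({"path": str(path), "sha256": sha256_of(path),
                             "sibling_executables": hosts})
    return findings


def build_sample_tree(root):
    """Constructed sample layout: one system copy, one copy beside an application."""
    for rel in ("Windows/System32/DWrite.dll", "Apps/Vendor/Dwrite.dll",
                "Apps/Vendor/viewer.exe", "Apps/Other/tool.exe"):
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(rel.encode())  # placeholder content, not real binaries


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding in find_planted_dwrite(tmp):
            print(finding)
```

Each finding is a lead for review rather than a verdict. Because the dropper has been seen carrying a valid signature, a passing signature check on a flagged file is not a reason to dismiss it.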

CARBANAK is one of the malicious payloads that have been found to be dropped by BOOSTWRITE. This is a banking Trojan, and it was created to steal money from banks and private customers. Amongst the victims of this infection, you can find banks in the United States, Russia, Ukraine, and Germany. Besides altering the databases of banks, CARBANAK was also used to hijack ATMs to make them dispense money at random. According to one report, back in 2015, one company lost $7.3 million due to ATM fraud linked to this banking Trojan. In total, the infection is believed to have helped cybercriminals steal $1 billion. RDFSNIFFER is the second malware payload that has been linked to BOOSTWRITE. This is a RAT (remote access tool), and it was found to be used to tamper with the Aloha Command Center client that belongs to the NCR Corporation. This tool is used to manage systems that have payment card processing sectors running the Command Center Agent. RDFSNIFFER also has backdoor functionality, and it can be used to inject commands as well as download and execute files.

Undoubtedly, BOOSTWRITE is a great instrument in the hands of cybercriminals, and while it is mainly used by the cybercriminals within the FIN7 group, it is possible that other groups could exploit it as well. The arsenal of malicious infections that might be dropped by the Trojan could also be expansive, and it is impossible to know what kinds of threats could be dropped by it in the future. Without a doubt, if a system is infected by BOOSTWRITE, the dropper must be deleted immediately; otherwise, a flood of additional threats could soon emerge. In general, if a single threat is detected, it is always a good idea to inspect the operating system just to make sure that no other infections exist. If a known dropper or malware downloader is discovered, additional threats are more likely to exist. Unfortunately, this in-memory-only malware can use signatures from valid certificate authorities and other methods to avoid detection and removal, and so it is important to employ modern and effective malware detection and removal protocols.


Burgess, M. April 4, 2018. Inside the takedown of the alleged €1bn cyber bank robber. WIRED.
Carr, N. October 10, 2019. Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques. FIREEYE.
Mayer, D. March 26, 2018. A Cyber Gang Stole $1 Billion by Hacking Banks and ATMs. Now Police Say They’ve Caught the Mastermind. FORTUNE.
