A couple of months ago, enSilo’s endpoint protection platform blocked malicious payloads running in legitimate Microsoft Windows processes. A deeper look uncovered that the attacker abused the DLL search order to load their own malicious DLL. Some of the samples in the environment matched ones described in a recent publication by FireEye about FIN7’s new tools and techniques, specifically BOOSTWRITE. Comparing the rest of the samples to BOOSTWRITE revealed they have a common codebase and carry the Carbanak backdoor.
Windows OS uses a common method to look for required DLLs to load into a program. Adversaries may use this behavior to cause the program to load a malicious DLL, a technique known as DLL search order hijacking (or binary planting).
The abused application in this case is FaceFodUninstaller.exe. It exists on a clean OS installation starting from Windows 10 RS4 (1803) at the “%WINDR%\System32\WinBioPlugIns” folder. The executable is dependent on winbio.dll, which is usually found in the parent directory (“%WINDR%\System32”).
Exposure of sensitive information