Rewterz Threat Alert – FIN7 BOOSTWRITE’s Lost Twin exposes sensitive information

December 27, 2019

Severity

High

Analysis Summary

A couple of months ago, enSilo’s endpoint protection platform blocked malicious payloads running in legitimate Microsoft Windows processes. A deeper look uncovered that the attacker abused the DLL search order to load their own malicious DLL. Some of the samples in the environment matched ones described in a recent publication by FireEye about FIN7’s new tools and techniques, specifically BOOSTWRITE. Comparing the rest of the samples to BOOSTWRITE revealed they have a common codebase and carry the Carbanak backdoor. 

Windows locates the DLLs a program needs by searching a fixed sequence of directories, beginning with the directory the executable itself is in. Adversaries may exploit this behavior by placing a malicious DLL with the expected name somewhere earlier in that search sequence, so the program loads it instead of the legitimate library. This technique is known as DLL search order hijacking (or binary planting).

The abused application in this case is FaceFodUninstaller.exe. It exists on a clean OS installation starting from Windows 10 RS4 (1803) in the “%WINDIR%\System32\WinBioPlugIns” folder. The executable depends on winbio.dll, which is normally found in the parent directory (“%WINDIR%\System32”); because the application directory is searched before System32, a winbio.dll planted next to FaceFodUninstaller.exe is loaded in its place.

Figure 1: FaceFodUninstaller.exe import table
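The following is an added detection example, not code from the Rewterz advisory or from the enSilo/FireEye research it summarises. It assumes image-load telemetry (for example Sysmon Event ID 7) has already been parsed into records with an `Image` field (the loading process) and an `ImageLoaded` field (the DLL path); the sample events are constructed. It flags any load of winbio.dll from a directory other than System32, and it generalises slightly beyond the advisory by also catching the case where the executable has been copied elsewhere together with a planted DLL, since the application directory is searched first wherever the binary runs from.

```python
"""Flag DLL search-order hijacking candidates in image-load telemetry.

Added example; not part of the advisory. Record layout (Image / ImageLoaded)
mirrors Sysmon Event ID 7 fields but the events below are constructed.
"""
import ntpath

# Canonical home of the libraries we care about (compared case-insensitively).
SYSTEM32 = r"c:\windows\system32"

# DLL names that legitimately live in System32. Only winbio.dll is taken from
# the advisory; add further names to widen coverage.
SYSTEM_DLLS = {"winbio.dll"}


def _norm_dir(path):
    """Lower-case a directory path and strip any trailing backslash."""
    return path.lower().rstrip("\\")


def is_hijack_candidate(record):
    """Return a reason string if the load looks like a planted DLL, else None."""
    directory, name = ntpath.split(record["ImageLoaded"])
    name = name.lower()
    directory = _norm_dir(directory)
    if name not in SYSTEM_DLLS:
        return None                      # not a library we track
    if directory == SYSTEM32:
        return None                      # loaded from its legitimate location
    proc_dir = _norm_dir(ntpath.dirname(record["Image"]))
    if directory == proc_dir:
        return f"{name} loaded from the executable's own directory instead of System32"
    return f"{name} loaded from unexpected directory {directory}"


def scan(records):
    """Return (process, dll, reason) tuples for every suspicious load."""
    hits = []
    for record in records:
        reason = is_hijack_candidate(record)
        if reason:
            hits.append((record["Image"], record["ImageLoaded"], reason))
    return hits


# Constructed sample events for illustration.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WinBioPlugIns\FaceFodUninstaller.exe",
     "ImageLoaded": r"C:\Windows\System32\winbio.dll"},                  # benign
    {"Image": r"C:\Windows\System32\WinBioPlugIns\FaceFodUninstaller.exe",
     "ImageLoaded": r"C:\Windows\System32\WinBioPlugIns\winbio.dll"},    # planted beside the exe
    {"Image": r"C:\Users\alice\AppData\Local\Temp\FaceFodUninstaller.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\winbio.dll"},    # exe copied out with a planted DLL
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},                # unrelated, untracked DLL
]

if __name__ == "__main__":
    for image, loaded, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT {image} -> {loaded}: {reason}")
```

Run against the constructed events, the first and last records pass and the two planted loads are reported. In practice the same rule can be expressed in a SIEM query over Sysmon Event ID 7: `ImageLoaded` ending in `\winbio.dll` where the directory is not `System32`.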

Impact

Exposure of sensitive information

Indicators of Compromise

MD5

  • 21e79ae1d7a5f020c171f412cbb92253
  • a8ba59eebd4858b8b448f13a436edf60
  • 4b32521cc8a8c050fbc55b3f9d05c84d
  • 27370ffd32942337596785ec737a4e46

SHA-256

  • 42d3cf75497a724e9a9323855e0051971816915fc7eb9f0426b5a23115a3bdcb
  • 7bdae0dfc37cb5561a89a0b337b180ac6a139250bd5247292f470830bd96dda7
  • 77a6fbd4799a8468004f49f5929352336f131ad83c92484b052a2eb120ebaf9a
  • c1c68454e82d79e75fefad33e5acbb496bbc3f5056dfa26aaf1f142cee1af372

SHA1

  • ccd96a0b38d2edd14e290c597a7371e412429515
  • 02216bbd2633b23be575230bb1d0fe176ea88b4f
  • ff62e30eb38116b3273543f9ace038c4d0003f9c
  • a69d0ffed73198235c73f412a81dd2f4d12aa152

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.