Rewterz Threat Alert – FIN7 BOOSTWRITE’s Lost Twin exposes sensitive information

Severity

High

Analysis Summary

A couple of months ago, enSilo’s endpoint protection platform blocked malicious payloads running in legitimate Microsoft Windows processes. A deeper look uncovered that the attacker abused the DLL search order to load their own malicious DLL. Some of the samples in the environment matched ones described in a recent publication by FireEye about FIN7’s new tools and techniques, specifically BOOSTWRITE. Comparing the rest of the samples to BOOSTWRITE revealed they have a common codebase and carry the Carbanak backdoor. 

Windows OS uses a common method to look for required DLLs to load into a program. Adversaries may use this behavior to cause the program to load a malicious DLL, a technique known as DLL search order hijacking (or binary planting).

The abused application in this case is FaceFodUninstaller.exe. It exists on a clean OS installation starting from Windows 10 RS4 (1803) at the “%WINDR%\System32\WinBioPlugIns” folder. The executable is dependent on winbio.dll, which is usually found in the parent directory (“%WINDR%\System32”).

Impact

Exposure of sensitive information

Indicators of Compromise

MD5

• 21e79ae1d7a5f020c171f412cbb92253
• a8ba59eebd4858b8b448f13a436edf60
• 4b32521cc8a8c050fbc55b3f9d05c84d
• 27370ffd32942337596785ec737a4e46

SHA-256

• 42d3cf75497a724e9a9323855e0051971816915fc7eb9f0426b5a23115a3bdcb
• 7bdae0dfc37cb5561a89a0b337b180ac6a139250bd5247292f470830bd96dda7
• 77a6fbd4799a8468004f49f5929352336f131ad83c92484b052a2eb120ebaf9a
• c1c68454e82d79e75fefad33e5acbb496bbc3f5056dfa26aaf1f142cee1af372

SHA1

• ccd96a0b38d2edd14e290c597a7371e412429515
• 02216bbd2633b23be575230bb1d0fe176ea88b4f
• ff62e30eb38116b3273543f9ace038c4d0003f9c
• a69d0ffed73198235c73f412a81dd2f4d12aa152

Remediation

• Block all threat indicators at your respective controls.
• Always be suspicious about emails sent by unknown senders.