"name":"misp-galaxy:mitre-attack-pattern=\"DLL Search Order Hijacking\"",
"relationship_type":""
},
{
"colour":"#0088cc",
"local":"0",
"name":"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"DLL Search Order Hijacking\"",
"relationship_type":""
},
{
"colour":"#00223b",
"local":"0",
"name":"osint:source-type=\"blog-post\"",
"relationship_type":""
}
],
"Attribute":[
{
"category":"External analysis",
"comment":"",
"deleted":false,
"disable_correlation":false,
"timestamp":"1577727017",
"to_ids":false,
"type":"text",
"uuid":"5e0a3429-ddc8-4dc9-a551-41f202de0b81",
"value":"By Omri Misgav | December 26, 2019\r\nAcouple of months ago, enSilo\u00e2\u20ac\u2122s endpoint protection platform blocked malicious payloads running in legitimate Microsoft Windows processes. A deeper look uncovered that the attacker abused the DLL search order to load their own malicious DLL. Some of the samples in the environment matched ones described in a recent publication by FireEye about FIN7\u00e2\u20ac\u2122s new tools and techniques, specifically BOOSTWRITE. Comparing the rest of the samples to BOOSTWRITE revealed they have a common codebase and carry the Carbanak backdoor."
},
{
"category":"Payload delivery",
"comment":"WinBio.dll (scrubbed key and payload)",
"value":"[<img width=\"200\" height=\"23\" src=\":/735a23f2ea5d4a2ca314bbb10957e1fd\"/>](https://www.fortinet.com)\r\n\r\n[Blog](https://www.fortinet.com/blog)\r\n\r\n* [Business & Technology](https://www.fortinet.com/blog/business-and-technology.html)\r\n* [Threat Research](https://www.fortinet.com/blog/threat-research.html)\r\n* [Industry Trends](https://www.fortinet.com/blog/industry-trends.html)\r\n* [Partners](https://www.fortinet.com/blog/partners.html)\r\n\r\n<img width=\"1908\" height=\"400\" src=\":/bce5663d73cd44318b21c1471c4186e3\"/>\r\n\r\nThreat Research\r\n\r\n# Introducing BIOLOAD: FIN7 BOOSTWRITE\u00e2\u20ac\u2122s Lost Twin\r\n\r\nBy [Omri Misgav](https://www.fortinet.com/blog/search.html?author=Omri+Misgav) | December 26, 2019\r\n\r\nA couple of months ago, [enSilo\u00e2\u20ac\u2122s endpoint protection platform](https://www.fortinet.com/blog/business-and-technology/fortinet-acquires-endpoint-security-innovator-ensilo-.html) blocked malicious payloads running in legitimate Microsoft Windows processes. A deeper look uncovered that the attacker abused the DLL search order to load their own malicious DLL. Some of the samples in the environment matched ones described in a recent publication by FireEye about FIN7\u00e2\u20ac\u2122s new tools and techniques, specifically BOOSTWRITE. Comparing the rest of the samples to BOOSTWRITE revealed they have a common codebase and carry the Carbanak backdoor.\r\n\r\n## The Abused Target\r\n\r\nWindows OS uses a [common method](https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order) to look for required DLLs to load into a program. Adversaries may use this behavior to cause the program to load a malicious DLL, a technique known as [DLL search order hijacking (or binary planting)](https://attack.mitre.org/techniques/T1038).\r\n\r\nThe abused application in this case is _FaceFodUninstaller.exe_. 
It exists on a clean OS installation starting from Windows 10 RS4 (1803) at the \u201c_%WINDIR%\\\\System32\\\\WinBioPlugIns_\u201d folder. The executable is dependent on winbio.dll, which is usually found in the parent directory (\u201c_%WINDIR%\\\\System32_\u201d).\r\n\r\nFigure 1: FaceFodUninstaller.exe import table\r\n\r\nWhat makes this executable even more attractive in the eyes of an attacker is the fact that it is started from a built-in scheduled task named _FODCleanupTask_, thereby minimizing the footprint on the machine and reducing the chances of detection even further. This demonstrates the group\u2019s ongoing technological research efforts.\r\n\r\nFigure 2: The built-in task view in Windows Task Scheduler\r\n\r\n## BIOLOAD\r\n\r\nThe loader file name is _WinBio.dll_ (note the uppercase characters) and is placed by the attacker alongside the executable in the same folder (\u201c_WinBioPlugIns_\u201d), thus leveraging the default DLL search order. 
Because the file path is under _%WINDIR%_, the attacker needed elevated privileges on the victim\u2019s machine, such as an administrator or a SYSTEM account, in order to plant it.\r\n\r\nFigure 3: WinBioPlugIns folder of an infected machine\r\n\r\nLike BOOSTWRITE, this loader was also developed in C++. It exports only a single function which is the one _FaceFodUninstaller.exe_ imports.\r\n\r\nThe samples target a 64-bit OS and were compiled in March and July of 2019. BOOSTWRITE targets 32-bit machines and was compiled (and signed) in May 2019. According to previous reports on the group, they do not falsify compilation timestamps of the binaries.\r\n\r\nWhen the DLL is started it checks the number of command line arguments of the process to decide how to act. When the executable is started by the task scheduler it doesn\u2019t have co