2023-04-21 13:25:09 +00:00
{
2023-06-14 17:31:25 +00:00
"type" : "bundle" ,
"id" : "bundle--5e0a3406-952c-49c8-b084-414002de0b81" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-12-30T17:42:20.000Z" ,
"modified" : "2019-12-30T17:42:20.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--5e0a3406-952c-49c8-b084-414002de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-12-30T17:42:20.000Z" ,
"modified" : "2019-12-30T17:42:20.000Z" ,
"name" : "OSINT - Introducing BIOLOAD: FIN7 BOOSTWRITE\u00e2\u20ac\u2122s Lost Twin" ,
"published" : "2019-12-30T17:42:37Z" ,
"object_refs" : [
"x-misp-attribute--5e0a3429-ddc8-4dc9-a551-41f202de0b81" ,
"indicator--5e0a3446-7584-4d05-b1a9-4cf402de0b81" ,
"indicator--5e0a3446-fee0-4809-98ce-466c02de0b81" ,
"indicator--5e0a345a-ec5c-45ac-ad17-454e02de0b81" ,
"indicator--5e0a345a-9818-4a2d-bb1b-4ec602de0b81" ,
"indicator--b822127f-e5bd-4e97-b089-6dbe41b97232" ,
"x-misp-object--37d2a0b1-f566-4c93-a735-5ff6d1fd5175" ,
"indicator--b62fec55-6a9d-42e3-a184-d3eac052641d" ,
"x-misp-object--b5887468-baeb-4798-86ee-6fe35ca86c13" ,
"indicator--a6f1046f-03a0-46b9-b93c-f12a9754f6e3" ,
"x-misp-object--b679fec5-fade-4d7b-bec9-d0ef2d90729b" ,
"indicator--d019110d-d966-484e-968c-95b77bd1591c" ,
"x-misp-object--55a52c5d-d32f-4845-a2cf-c0a9ef422562" ,
"x-misp-object--5e0a36f6-21fc-4a2d-8f68-4cf502de0b81" ,
2023-06-24 09:36:52 +00:00
"relationship--048cc1be-77c1-4ac4-91ad-9a2515f08856" ,
"relationship--cfab9ec2-ea37-43cc-b11c-f0f8c29e0785" ,
"relationship--30fd1484-d675-4c48-b0bd-88a954b4a436" ,
"relationship--fbd254ba-510c-4daa-b3d4-f75d612c8c3b"
2023-06-14 17:31:25 +00:00
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"misp-galaxy:mitre-enterprise-attack-intrusion-set=\"FIN7\"" ,
"misp-galaxy:mitre-enterprise-attack-relationship=\"FIN7 (G0046) uses Carbanak (S0030)\"" ,
"misp-galaxy:mitre-enterprise-attack-relationship=\"FIN7 uses Carbanak\"" ,
"misp-galaxy:mitre-intrusion-set=\"FIN7\"" ,
"misp-galaxy:threat-actor=\"Anunak\"" ,
"type:OSINT" ,
"osint:lifetime=\"perpetual\"" ,
"misp-galaxy:mitre-attack-pattern=\"DLL Search Order Hijacking\"" ,
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"DLL Search Order Hijacking\"" ,
"osint:source-type=\"blog-post\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5e0a3429-ddc8-4dc9-a551-41f202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-12-30T17:30:17.000Z" ,
"modified" : "2019-12-30T17:30:17.000Z" ,
"labels" : [
"misp:type=\"text\"" ,
"misp:category=\"External analysis\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "text" ,
"x_misp_value" : "By Omri Misgav | December 26, 2019\r\nAcouple of months ago, enSilo\u00e2\u20ac\u2122s endpoint protection platform blocked malicious payloads running in legitimate Microsoft Windows processes. A deeper look uncovered that the attacker abused the DLL search order to load their own malicious DLL. Some of the samples in the environment matched ones described in a recent publication by FireEye about FIN7\u00e2\u20ac\u2122s new tools and techniques, specifically BOOSTWRITE. Comparing the rest of the samples to BOOSTWRITE revealed they have a common codebase and carry the Carbanak backdoor."
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5e0a3446-7584-4d05-b1a9-4cf402de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-12-30T17:30:46.000Z" ,
"modified" : "2019-12-30T17:30:46.000Z" ,
"description" : "WinBio.dll (scrubbed key and payload)" ,
"pattern" : "[file:hashes.SHA256 = '7bdae0dfc37cb5561a89a0b337b180ac6a139250bd5247292f470830bd96dda7']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-12-30T17:30:46Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5e0a3446-fee0-4809-98ce-466c02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-12-30T17:30:46.000Z" ,
"modified" : "2019-12-30T17:30:46.000Z" ,
"description" : "WinBio.dll (scrubbed key and payload)" ,
"pattern" : "[file:hashes.SHA256 = 'c1c68454e82d79e75fefad33e5acbb496bbc3f5056dfa26aaf1f142cee1af372']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-12-30T17:30:46Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5e0a345a-ec5c-45ac-ad17-454e02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-12-30T17:31:06.000Z" ,
"modified" : "2019-12-30T17:31:06.000Z" ,
"description" : "Carbanak" ,
"pattern" : "[file:hashes.SHA256 = '77a6fbd4799a8468004f49f5929352336f131ad83c92484b052a2eb120ebaf9a']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-12-30T17:31:06Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5e0a345a-9818-4a2d-bb1b-4ec602de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-12-30T17:31:06.000Z" ,
"modified" : "2019-12-30T17:31:06.000Z" ,
"description" : "Carbanak" ,
"pattern" : "[file:hashes.SHA256 = '42d3cf75497a724e9a9323855e0051971816915fc7eb9f0426b5a23115a3bdcb']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-12-30T17:31:06Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--b822127f-e5bd-4e97-b089-6dbe41b97232" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-12-30T17:31:24.000Z" ,
"modified" : "2019-12-30T17:31:24.000Z" ,
"pattern" : "[file:hashes.MD5 = 'a8ba59eebd4858b8b448f13a436edf60' AND file:hashes.SHA1 = '02216bbd2633b23be575230bb1d0fe176ea88b4f' AND file:hashes.SHA256 = '7bdae0dfc37cb5561a89a0b337b180ac6a139250bd5247292f470830bd96dda7']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-12-30T17:31:24Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--37d2a0b1-f566-4c93-a735-5ff6d1fd5175" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-12-30T17:31:25.000Z" ,
"modified" : "2019-12-30T17:31:25.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-12-30T17:16:31" ,
"category" : "Other" ,
"comment" : "WinBio.dll (scrubbed key and payload)" ,
"uuid" : "f42add19-f6a8-4c3b-b014-dfdfb64dd795"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/7bdae0dfc37cb5561a89a0b337b180ac6a139250bd5247292f470830bd96dda7/analysis/1577726191/" ,
"category" : "Payload delivery" ,
"comment" : "WinBio.dll (scrubbed key and payload)" ,
"uuid" : "88c3a2a3-dfe5-4e53-acc2-d7951b7941fc"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "32/69" ,
"category" : "Payload delivery" ,
"comment" : "WinBio.dll (scrubbed key and payload)" ,
"uuid" : "cce0a6b8-ddf9-4f29-8659-d32284c8631d"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--b62fec55-6a9d-42e3-a184-d3eac052641d" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-12-30T17:31:25.000Z" ,
"modified" : "2019-12-30T17:31:25.000Z" ,
"pattern" : "[file:hashes.MD5 = '4b32521cc8a8c050fbc55b3f9d05c84d' AND file:hashes.SHA1 = 'ff62e30eb38116b3273543f9ace038c4d0003f9c' AND file:hashes.SHA256 = '77a6fbd4799a8468004f49f5929352336f131ad83c92484b052a2eb120ebaf9a']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-12-30T17:31:25Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--b5887468-baeb-4798-86ee-6fe35ca86c13" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-12-30T17:31:25.000Z" ,
"modified" : "2019-12-30T17:31:25.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-12-29T14:21:55" ,
"category" : "Other" ,
"comment" : "Carbanak" ,
"uuid" : "a0a84233-91c2-465f-92a8-77f7a8e1f692"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/77a6fbd4799a8468004f49f5929352336f131ad83c92484b052a2eb120ebaf9a/analysis/1577629315/" ,
"category" : "Payload delivery" ,
"comment" : "Carbanak" ,
"uuid" : "58d5bfbd-1f36-4f20-8369-053f5e3e6369"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "42/71" ,
"category" : "Payload delivery" ,
"comment" : "Carbanak" ,
"uuid" : "621c4ded-d7b6-4fb9-b7bf-143001f7c38d"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--a6f1046f-03a0-46b9-b93c-f12a9754f6e3" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-12-30T17:31:25.000Z" ,
"modified" : "2019-12-30T17:31:25.000Z" ,
"pattern" : "[file:hashes.MD5 = '27370ffd32942337596785ec737a4e46' AND file:hashes.SHA1 = 'a69d0ffed73198235c73f412a81dd2f4d12aa152' AND file:hashes.SHA256 = 'c1c68454e82d79e75fefad33e5acbb496bbc3f5056dfa26aaf1f142cee1af372']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-12-30T17:31:25Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--b679fec5-fade-4d7b-bec9-d0ef2d90729b" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-12-30T17:31:26.000Z" ,
"modified" : "2019-12-30T17:31:26.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-12-30T14:02:20" ,
"category" : "Other" ,
"comment" : "WinBio.dll (scrubbed key and payload)" ,
"uuid" : "d4326992-412d-429d-864e-48622c15cc55"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/c1c68454e82d79e75fefad33e5acbb496bbc3f5056dfa26aaf1f142cee1af372/analysis/1577714540/" ,
"category" : "Payload delivery" ,
"comment" : "WinBio.dll (scrubbed key and payload)" ,
"uuid" : "0ffa159a-bd05-46ec-a150-dbb4c680a609"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "33/70" ,
"category" : "Payload delivery" ,
"comment" : "WinBio.dll (scrubbed key and payload)" ,
"uuid" : "1a14a7ef-9ea8-4795-8134-f6b0abfcaa1b"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--d019110d-d966-484e-968c-95b77bd1591c" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-12-30T17:31:26.000Z" ,
"modified" : "2019-12-30T17:31:26.000Z" ,
"pattern" : "[file:hashes.MD5 = '21e79ae1d7a5f020c171f412cbb92253' AND file:hashes.SHA1 = 'ccd96a0b38d2edd14e290c597a7371e412429515' AND file:hashes.SHA256 = '42d3cf75497a724e9a9323855e0051971816915fc7eb9f0426b5a23115a3bdcb']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-12-30T17:31:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--55a52c5d-d32f-4845-a2cf-c0a9ef422562" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-12-30T17:31:26.000Z" ,
"modified" : "2019-12-30T17:31:26.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-12-28T17:45:44" ,
"category" : "Other" ,
"comment" : "Carbanak" ,
"uuid" : "f3e3ab49-f834-4a6b-859d-2f23826955f5"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/42d3cf75497a724e9a9323855e0051971816915fc7eb9f0426b5a23115a3bdcb/analysis/1577555144/" ,
"category" : "Payload delivery" ,
"comment" : "Carbanak" ,
"uuid" : "02f98cbd-4f5e-4749-a026-dd48e2fa8811"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "39/70" ,
"category" : "Payload delivery" ,
"comment" : "Carbanak" ,
"uuid" : "d35cdcb9-e338-463d-8740-67d4acf655a9"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5e0a36f6-21fc-4a2d-8f68-4cf502de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-12-30T17:42:14.000Z" ,
"modified" : "2019-12-30T17:42:14.000Z" ,
"labels" : [
"misp:name=\"annotation\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "format" ,
"value" : "markdown" ,
"category" : "Other" ,
"uuid" : "5e0a36f6-8fc8-4f98-890c-481a02de0b81"
} ,
{
"type" : "text" ,
"object_relation" : "type" ,
"value" : "Other" ,
"category" : "Other" ,
"uuid" : "5e0a36fc-e758-4d4b-9730-4c2e02de0b81"
} ,
{
"type" : "text" ,
"object_relation" : "text" ,
"value" : "[<img width=\"200\" height=\"23\" src=\":/735a23f2ea5d4a2ca314bbb10957e1fd\"/>](https://www.fortinet.com)\r\n\r\n[Blog](https://www.fortinet.com/blog)\r\n\r\n* [Business & Technology](https://www.fortinet.com/blog/business-and-technology.html)\r\n* [Threat Research](https://www.fortinet.com/blog/threat-research.html)\r\n* [Industry Trends](https://www.fortinet.com/blog/industry-trends.html)\r\n* [Partners](https://www.fortinet.com/blog/partners.html)\r\n\r\n<img width=\"1908\" height=\"400\" src=\":/bce5663d73cd44318b21c1471c4186e3\"/>\r\n\r\nThreat Research\r\n\r\n# Introducing BIOLOAD: FIN7 BOOSTWRITE\u00e2\u20ac\u2122s Lost Twin\r\n\r\nBy [Omri Misgav](https://www.fortinet.com/blog/search.html?author=Omri+Misgav) | December 26, 2019\r\n\r\nA couple of months ago, [enSilo\u00e2\u20ac\u2122s endpoint protection platform](https://www.fortinet.com/blog/business-and-technology/fortinet-acquires-endpoint-security-innovator-ensilo-.html) blocked malicious payloads running in legitimate Microsoft Windows processes. A deeper look uncovered that the attacker abused the DLL search order to load their own malicious DLL. Some of the samples in the environment matched ones described in a recent publication by FireEye about FIN7\u00e2\u20ac\u2122s new tools and techniques, specifically BOOSTWRITE. Comparing the rest of the samples to BOOSTWRITE revealed they have a common codebase and carry the Carbanak backdoor.\r\n\r\n## The Abused Target\r\n\r\nWindows OS uses a [common method](https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order) to look for required DLLs to load into a program. Adversaries may use this behavior to cause the program to load a malicious DLL, a technique known as [DLL search order hijacking (or binary planting)](https://attack.mitre.org/techniques/T1038).\r\n\r\nThe abused application in this case is _FaceFodUninstaller.exe_. It exists on a clean OS installation starting from Windows 10 RS4 (1803) at the \u00e2\u20ac\u0153_%WINDR%\\\\System32\\\\WinBioPlugIns_\u00e2\u20ac\u009d folder. The executable is dependent on winbio.dll, which is usually found in the parent directory (\u00e2\u20ac\u0153_%WINDR%\\\\System32_\u00e2\u20ac\u009d).\r\n\r\n<img width=\"924\" height=\"353\" src=\":/4ec1bd4104104b4484e66764c4c3e752\"/> Figure 1: FaceFodUninstaller.exe import table\r\n\r\nWhat makes this executable even more attractive in the eyes of an attacker is the fact that it is started from a built-in scheduled task named _FODCleanupTask_, thereby minimizing the footprint on the machine and reducing the chances of detection even further. This demonstrates the group\u00e2\u20ac\u2122s ongoing technological research efforts.\r\n\r\n<img width=\"693\" height=\"693\" src=\":/18a7bd8efa6e48098d90b14c8334033f\"/> Figure 2: The built-in task view in Windows Task Scheduler\r\n\r\n## BIOLOAD \r\n\r\nThe loader file name is _WinBio.dll_ (note the uppercase characters) and is placed by the attacker alongside the executable in the same folder (\u00e2\u20ac\u0153_WinBioPlugIns_\"), thus leveraging the default DLL search order. Because the file path is under _%WINDIR%_, it means that in order to plant it the attacker needed to have elevated privileges on the victim\u00e2\u20ac\u2122s machine such as administrator or a SYSTEM account.\r\n\r\n<img width=\"693\" height=\"693\" src=\":/18a7bd8efa6e48098d90b14c8334033f\" / > F i g u r e 3 : W i n B i o P l u g I n s f o l d e r o f a n i n f e c t e d m a c h i n e \ r \ n \ r \ n L i k e B O O S T W R I T E , t h i s l o a d e r w a s a l s o d e v e l o p e d i n C + + . I t e x p o r t s o n l y a s i n g l e f u n c t i o n w h i c h i s t h e o n e _ F a c e F o d U n i n s t a l l e r . e x e _ i m p o r t s . \ r \ n \ r \ n T h e s a m p l e s t a r g e t a 64 - b i t O S a n d w e r e c o m p i l e d i n M a r c h a n d J u l y o f 2019 . B O O S T W R I T E t a r g e t s 32 - b i t m a c h i n e s a n d w a s c o m p i l e d ( a n d s i g n e d ) i n M a y 2019 . A c c o r d i n g t o p r e v i o u s r e p o r t s o n t h e g r o u p , t h e y d o n o t f a l s i f y c o m p i l a t i o n t i m e s t a m p s o f t h e b i n a r i e s . \ r \ n \ r \ n W h e n t h e D L L i s s t a r t e d i t c h e c k s t h e n u m b e r o f c o m m a n d l i n e a r g u m e n t s o f t h e p r o c e s s t o d e c i d e h o w t o a c t . W h e n t h e e x e c u t a b l e i s s t a r t e d b y t h e t a s k s c h e d u l e r i t d o e s n \ u 0 0e2 \ u 20 a c \ u 2122 t
"category" : "Other" ,
"uuid" : "5e0a36fc-d324-4038-bf96-411f02de0b81"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "annotation"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2023-06-24 09:36:52 +00:00
"id" : "relationship--048cc1be-77c1-4ac4-91ad-9a2515f08856" ,
2023-06-14 17:31:25 +00:00
"created" : "2019-12-30T17:31:27.000Z" ,
"modified" : "2019-12-30T17:31:27.000Z" ,
2023-04-21 13:25:09 +00:00
"relationship_type" : "analysed-with" ,
2023-06-14 17:31:25 +00:00
"source_ref" : "indicator--b822127f-e5bd-4e97-b089-6dbe41b97232" ,
"target_ref" : "x-misp-object--37d2a0b1-f566-4c93-a735-5ff6d1fd5175"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2023-06-24 09:36:52 +00:00
"id" : "relationship--cfab9ec2-ea37-43cc-b11c-f0f8c29e0785" ,
2023-06-14 17:31:25 +00:00
"created" : "2019-12-30T17:31:27.000Z" ,
"modified" : "2019-12-30T17:31:27.000Z" ,
2023-04-21 13:25:09 +00:00
"relationship_type" : "analysed-with" ,
2023-06-14 17:31:25 +00:00
"source_ref" : "indicator--b62fec55-6a9d-42e3-a184-d3eac052641d" ,
"target_ref" : "x-misp-object--b5887468-baeb-4798-86ee-6fe35ca86c13"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2023-06-24 09:36:52 +00:00
"id" : "relationship--30fd1484-d675-4c48-b0bd-88a954b4a436" ,
2023-06-14 17:31:25 +00:00
"created" : "2019-12-30T17:31:27.000Z" ,
"modified" : "2019-12-30T17:31:27.000Z" ,
2023-04-21 13:25:09 +00:00
"relationship_type" : "analysed-with" ,
2023-06-14 17:31:25 +00:00
"source_ref" : "indicator--a6f1046f-03a0-46b9-b93c-f12a9754f6e3" ,
"target_ref" : "x-misp-object--b679fec5-fade-4d7b-bec9-d0ef2d90729b"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2023-06-24 09:36:52 +00:00
"id" : "relationship--fbd254ba-510c-4daa-b3d4-f75d612c8c3b" ,
2023-06-14 17:31:25 +00:00
"created" : "2019-12-30T17:31:27.000Z" ,
"modified" : "2019-12-30T17:31:27.000Z" ,
2023-04-21 13:25:09 +00:00
"relationship_type" : "analysed-with" ,
2023-06-14 17:31:25 +00:00
"source_ref" : "indicator--d019110d-d966-484e-968c-95b77bd1591c" ,
"target_ref" : "x-misp-object--55a52c5d-d32f-4845-a2cf-c0a9ef422562"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
2023-04-21 13:25:09 +00:00
]
}