2023-04-21 13:25:09 +00:00
{
"Event" : {
"analysis" : "2" ,
"date" : "2019-12-30" ,
"extends_uuid" : "" ,
"info" : "OSINT - Introducing BIOLOAD: FIN7 BOOSTWRITE\u2019s Lost Twin" ,
"publish_timestamp" : "1577727757" ,
"published" : true ,
"threat_level_id" : "2" ,
"timestamp" : "1577727740" ,
"uuid" : "5e0a3406-952c-49c8-b084-414002de0b81" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"FIN7\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-enterprise-attack-relationship=\"FIN7 (G0046) uses Carbanak (S0030)\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-enterprise-attack-relationship=\"FIN7 uses Carbanak\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-intrusion-set=\"FIN7\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#12e400" ,
"local" : "0" ,
"name" : "misp-galaxy:threat-actor=\"Anunak\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#004646" ,
"local" : "0" ,
"name" : "type:OSINT" ,
"relationship_type" : ""
} ,
{
"colour" : "#0071c3" ,
"local" : "0" ,
"name" : "osint:lifetime=\"perpetual\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"DLL Search Order Hijacking\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"DLL Search Order Hijacking\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#00223b" ,
"local" : "0" ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1577727017" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5e0a3429-ddc8-4dc9-a551-41f202de0b81" ,
"value" : "By Omri Misgav | December 26, 2019\r\nA couple of months ago, enSilo\u2019s endpoint protection platform blocked malicious payloads running in legitimate Microsoft Windows processes. A deeper look uncovered that the attacker abused the DLL search order to load their own malicious DLL. Some of the samples in the environment matched ones described in a recent publication by FireEye about FIN7\u2019s new tools and techniques, specifically BOOSTWRITE. Comparing the rest of the samples to BOOSTWRITE revealed they have a common codebase and carry the Carbanak backdoor."
} ,
{
"category" : "Payload delivery" ,
"comment" : "WinBio.dll (scrubbed key and payload)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1577727046" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5e0a3446-7584-4d05-b1a9-4cf402de0b81" ,
"value" : "7bdae0dfc37cb5561a89a0b337b180ac6a139250bd5247292f470830bd96dda7"
} ,
{
"category" : "Payload delivery" ,
"comment" : "WinBio.dll (scrubbed key and payload)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1577727046" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5e0a3446-fee0-4809-98ce-466c02de0b81" ,
"value" : "c1c68454e82d79e75fefad33e5acbb496bbc3f5056dfa26aaf1f142cee1af372"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Carbanak" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1577727066" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5e0a345a-ec5c-45ac-ad17-454e02de0b81" ,
"value" : "77a6fbd4799a8468004f49f5929352336f131ad83c92484b052a2eb120ebaf9a"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Carbanak" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1577727066" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5e0a345a-9818-4a2d-bb1b-4ec602de0b81" ,
"value" : "42d3cf75497a724e9a9323855e0051971816915fc7eb9f0426b5a23115a3bdcb"
}
] ,
"Object" : [
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "17" ,
"timestamp" : "1577727084" ,
"uuid" : "b822127f-e5bd-4e97-b089-6dbe41b97232" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "b822127f-e5bd-4e97-b089-6dbe41b97232" ,
"referenced_uuid" : "37d2a0b1-f566-4c93-a735-5ff6d1fd5175" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1577727087" ,
"uuid" : "5e0a346f-6cb8-403a-be38-408e02de0b81"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "WinBio.dll (scrubbed key and payload)" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1577727046" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "34182e36-330b-47c0-bda3-f16b0e0be899" ,
"value" : "a8ba59eebd4858b8b448f13a436edf60"
} ,
{
"category" : "Payload delivery" ,
"comment" : "WinBio.dll (scrubbed key and payload)" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1577727046" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "dd2891ae-f8a5-42ac-9633-47ee522a93ff" ,
"value" : "02216bbd2633b23be575230bb1d0fe176ea88b4f"
} ,
{
"category" : "Payload delivery" ,
"comment" : "WinBio.dll (scrubbed key and payload)" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1577727046" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "ffd7a350-8ba4-4cda-8be8-04f1c7925bf8" ,
"value" : "7bdae0dfc37cb5561a89a0b337b180ac6a139250bd5247292f470830bd96dda7"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1577727085" ,
"uuid" : "37d2a0b1-f566-4c93-a735-5ff6d1fd5175" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "WinBio.dll (scrubbed key and payload)" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1577727046" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "f42add19-f6a8-4c3b-b014-dfdfb64dd795" ,
"value" : "2019-12-30T17:16:31"
} ,
{
"category" : "Payload delivery" ,
"comment" : "WinBio.dll (scrubbed key and payload)" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1577727046" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "88c3a2a3-dfe5-4e53-acc2-d7951b7941fc" ,
"value" : "https://www.virustotal.com/file/7bdae0dfc37cb5561a89a0b337b180ac6a139250bd5247292f470830bd96dda7/analysis/1577726191/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "WinBio.dll (scrubbed key and payload)" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1577727046" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "cce0a6b8-ddf9-4f29-8659-d32284c8631d" ,
"value" : "32/69"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "17" ,
"timestamp" : "1577727085" ,
"uuid" : "b62fec55-6a9d-42e3-a184-d3eac052641d" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "b62fec55-6a9d-42e3-a184-d3eac052641d" ,
"referenced_uuid" : "b5887468-baeb-4798-86ee-6fe35ca86c13" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1577727087" ,
"uuid" : "5e0a346f-0f70-4efc-a47a-49e602de0b81"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "Carbanak" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1577727066" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "49372921-35a2-4b06-8705-33a265bf6380" ,
"value" : "4b32521cc8a8c050fbc55b3f9d05c84d"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Carbanak" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1577727066" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "4ab3271e-0d31-4ad3-b06d-4901667ab67a" ,
"value" : "ff62e30eb38116b3273543f9ace038c4d0003f9c"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Carbanak" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1577727066" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "57722a5e-301f-4ed9-a019-c0908b4d139e" ,
"value" : "77a6fbd4799a8468004f49f5929352336f131ad83c92484b052a2eb120ebaf9a"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1577727085" ,
"uuid" : "b5887468-baeb-4798-86ee-6fe35ca86c13" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "Carbanak" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1577727066" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "a0a84233-91c2-465f-92a8-77f7a8e1f692" ,
"value" : "2019-12-29T14:21:55"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Carbanak" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1577727066" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "58d5bfbd-1f36-4f20-8369-053f5e3e6369" ,
"value" : "https://www.virustotal.com/file/77a6fbd4799a8468004f49f5929352336f131ad83c92484b052a2eb120ebaf9a/analysis/1577629315/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Carbanak" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1577727066" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "621c4ded-d7b6-4fb9-b7bf-143001f7c38d" ,
"value" : "42/71"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "17" ,
"timestamp" : "1577727085" ,
"uuid" : "a6f1046f-03a0-46b9-b93c-f12a9754f6e3" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "a6f1046f-03a0-46b9-b93c-f12a9754f6e3" ,
"referenced_uuid" : "b679fec5-fade-4d7b-bec9-d0ef2d90729b" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1577727087" ,
"uuid" : "5e0a346f-c17c-4d0a-ab85-413602de0b81"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "WinBio.dll (scrubbed key and payload)" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1577727046" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "88f40b0c-78f7-4e3c-8e6d-52c915f85b67" ,
"value" : "27370ffd32942337596785ec737a4e46"
} ,
{
"category" : "Payload delivery" ,
"comment" : "WinBio.dll (scrubbed key and payload)" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1577727046" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "0d20d620-d3f6-4268-acda-86a8d771e291" ,
"value" : "a69d0ffed73198235c73f412a81dd2f4d12aa152"
} ,
{
"category" : "Payload delivery" ,
"comment" : "WinBio.dll (scrubbed key and payload)" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1577727046" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "e1a486d7-458c-47ad-bec4-99463316d6ed" ,
"value" : "c1c68454e82d79e75fefad33e5acbb496bbc3f5056dfa26aaf1f142cee1af372"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1577727086" ,
"uuid" : "b679fec5-fade-4d7b-bec9-d0ef2d90729b" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "WinBio.dll (scrubbed key and payload)" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1577727046" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "d4326992-412d-429d-864e-48622c15cc55" ,
"value" : "2019-12-30T14:02:20"
} ,
{
"category" : "Payload delivery" ,
"comment" : "WinBio.dll (scrubbed key and payload)" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1577727046" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "0ffa159a-bd05-46ec-a150-dbb4c680a609" ,
"value" : "https://www.virustotal.com/file/c1c68454e82d79e75fefad33e5acbb496bbc3f5056dfa26aaf1f142cee1af372/analysis/1577714540/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "WinBio.dll (scrubbed key and payload)" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1577727046" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "1a14a7ef-9ea8-4795-8134-f6b0abfcaa1b" ,
"value" : "33/70"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "17" ,
"timestamp" : "1577727086" ,
"uuid" : "d019110d-d966-484e-968c-95b77bd1591c" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "d019110d-d966-484e-968c-95b77bd1591c" ,
"referenced_uuid" : "55a52c5d-d32f-4845-a2cf-c0a9ef422562" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1577727087" ,
"uuid" : "5e0a346f-4288-4155-9252-49a702de0b81"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "Carbanak" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1577727066" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "d8ba2060-ae47-441f-aca7-25c57aad14c5" ,
"value" : "21e79ae1d7a5f020c171f412cbb92253"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Carbanak" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1577727066" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "cc99ebf3-0ef6-4817-8973-04c3f8b735d5" ,
"value" : "ccd96a0b38d2edd14e290c597a7371e412429515"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Carbanak" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1577727066" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "cccb62c0-4500-4b48-94bb-a33af73b2221" ,
"value" : "42d3cf75497a724e9a9323855e0051971816915fc7eb9f0426b5a23115a3bdcb"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1577727086" ,
"uuid" : "55a52c5d-d32f-4845-a2cf-c0a9ef422562" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "Carbanak" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1577727066" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "f3e3ab49-f834-4a6b-859d-2f23826955f5" ,
"value" : "2019-12-28T17:45:44"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Carbanak" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1577727066" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "02f98cbd-4f5e-4749-a026-dd48e2fa8811" ,
"value" : "https://www.virustotal.com/file/42d3cf75497a724e9a9323855e0051971816915fc7eb9f0426b5a23115a3bdcb/analysis/1577555144/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Carbanak" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1577727066" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "d35cdcb9-e338-463d-8740-67d4acf655a9" ,
"value" : "39/70"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An annotation object allowing analysts to add annotations, comments, executive summary to a MISP event, objects or attributes." ,
"meta-category" : "misc" ,
"name" : "annotation" ,
"template_uuid" : "5d8dc046-15a1-4ca3-a09f-ed4ede7c4487" ,
"template_version" : "2" ,
"timestamp" : "1577727734" ,
"uuid" : "5e0a36f6-21fc-4a2d-8f68-4cf502de0b81" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "format" ,
"timestamp" : "1577727734" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5e0a36f6-8fc8-4f98-890c-481a02de0b81" ,
"value" : "markdown"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "type" ,
"timestamp" : "1577727740" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5e0a36fc-e758-4d4b-9730-4c2e02de0b81" ,
"value" : "Other"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "text" ,
"timestamp" : "1577727740" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5e0a36fc-d324-4038-bf96-411f02de0b81" ,
"value" : "[<img width=\"200\" height=\"23\" src=\":/735a23f2ea5d4a2ca314bbb10957e1fd\"/>](https://www.fortinet.com)\r\n\r\n[Blog](https://www.fortinet.com/blog)\r\n\r\n* [Business & Technology](https://www.fortinet.com/blog/business-and-technology.html)\r\n* [Threat Research](https://www.fortinet.com/blog/threat-research.html)\r\n* [Industry Trends](https://www.fortinet.com/blog/industry-trends.html)\r\n* [Partners](https://www.fortinet.com/blog/partners.html)\r\n\r\n<img width=\"1908\" height=\"400\" src=\":/bce5663d73cd44318b21c1471c4186e3\"/>\r\n\r\nThreat Research\r\n\r\n# Introducing BIOLOAD: FIN7 BOOSTWRITE\u2019s Lost Twin\r\n\r\nBy [Omri Misgav](https://www.fortinet.com/blog/search.html?author=Omri+Misgav) | December 26, 2019\r\n\r\nA couple of months ago, [enSilo\u2019s endpoint protection platform](https://www.fortinet.com/blog/business-and-technology/fortinet-acquires-endpoint-security-innovator-ensilo-.html) blocked malicious payloads running in legitimate Microsoft Windows processes. A deeper look uncovered that the attacker abused the DLL search order to load their own malicious DLL. Some of the samples in the environment matched ones described in a recent publication by FireEye about FIN7\u2019s new tools and techniques, specifically BOOSTWRITE. Comparing the rest of the samples to BOOSTWRITE revealed they have a common codebase and carry the Carbanak backdoor.\r\n\r\n## The Abused Target\r\n\r\nWindows OS uses a [common method](https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order) to look for required DLLs to load into a program. Adversaries may use this behavior to cause the program to load a malicious DLL, a technique known as [DLL search order hijacking (or binary planting)](https://attack.mitre.org/techniques/T1038).\r\n\r\nThe abused application in this case is _FaceFodUninstaller.exe_. It exists on a clean OS installation starting from Windows 10 RS4 (1803) at the \u201c_%WINDIR%\\\\System32\\\\WinBioPlugIns_\u201d folder. The executable is dependent on winbio.dll, which is usually found in the parent directory (\u201c_%WINDIR%\\\\System32_\u201d).\r\n\r\n<img width=\"924\" height=\"353\" src=\":/4ec1bd4104104b4484e66764c4c3e752\"/> Figure 1: FaceFodUninstaller.exe import table\r\n\r\nWhat makes this executable even more attractive in the eyes of an attacker is the fact that it is started from a built-in scheduled task named _FODCleanupTask_, thereby minimizing the footprint on the machine and reducing the chances of detection even further. This demonstrates the group\u2019s ongoing technological research efforts.\r\n\r\n<img width=\"693\" height=\"693\" src=\":/18a7bd8efa6e48098d90b14c8334033f\"/> Figure 2: The built-in task view in Windows Task Scheduler\r\n\r\n## BIOLOAD\r\n\r\nThe loader file name is _WinBio.dll_ (note the uppercase characters) and is placed by the attacker alongside the executable in the same folder (\u201c_WinBioPlugIns_\u201d), thus leveraging the default DLL search order. Because the file path is under _%WINDIR%_, it means that in order to plant it the attacker needed to have elevated privileges on the victim\u2019s machine such as administrator or a SYSTEM account.\r\n\r\n<img width=\"693\" height=\"693\" src=\":/18a7bd8efa6e48098d90b14c8334033f\"/> Figure 3: WinBioPlugIns folder of an infected machine\r\n\r\nLike BOOSTWRITE, this loader was also developed in C++. It exports only a single function which is the one _FaceFodUninstaller.exe_ imports.\r\n\r\nThe samples target a 64-bit OS and were compiled in March and July of 2019. BOOSTWRITE targets 32-bit machines and was compiled (and signed) in May 2019. According to previous reports on the group, they do not falsify compilation timestamps of the binaries.\r\n\r\nWhen the DLL is started it checks the number of command line arguments of the process to decide how to act. When the executable is started by the task scheduler it doesn\u2019t have co"
}
]
}
]
}
}