misp-circl-feed/feeds/circl/misp/5e0a3406-952c-49c8-b084-414002de0b81.json

625 lines
36 KiB
JSON
Raw Normal View History

2023-04-21 13:25:09 +00:00
{
"Event": {
"analysis": "2",
"date": "2019-12-30",
"extends_uuid": "",
"info": "OSINT - Introducing BIOLOAD: FIN7 BOOSTWRITE\u00e2\u20ac\u2122s Lost Twin",
"publish_timestamp": "1577727757",
"published": true,
"threat_level_id": "2",
"timestamp": "1577727740",
"uuid": "5e0a3406-952c-49c8-b084-414002de0b81",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#0088cc",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"FIN7\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#0088cc",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "misp-galaxy:mitre-enterprise-attack-relationship=\"FIN7 (G0046) uses Carbanak (S0030)\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#0088cc",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "misp-galaxy:mitre-enterprise-attack-relationship=\"FIN7 uses Carbanak\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#0088cc",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "misp-galaxy:mitre-intrusion-set=\"FIN7\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#12e400",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "misp-galaxy:threat-actor=\"Anunak\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#004646",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "type:OSINT",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#0071c3",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "osint:lifetime=\"perpetual\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#ffffff",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "tlp:white",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#0088cc",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"DLL Search Order Hijacking\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#0088cc",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"DLL Search Order Hijacking\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#00223b",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1577727017",
"to_ids": false,
"type": "text",
"uuid": "5e0a3429-ddc8-4dc9-a551-41f202de0b81",
"value": "By Omri Misgav | December 26, 2019\r\nAcouple of months ago, enSilo\u00e2\u20ac\u2122s endpoint protection platform blocked malicious payloads running in legitimate Microsoft Windows processes. A deeper look uncovered that the attacker abused the DLL search order to load their own malicious DLL. Some of the samples in the environment matched ones described in a recent publication by FireEye about FIN7\u00e2\u20ac\u2122s new tools and techniques, specifically BOOSTWRITE. Comparing the rest of the samples to BOOSTWRITE revealed they have a common codebase and carry the Carbanak backdoor."
},
{
"category": "Payload delivery",
"comment": "WinBio.dll (scrubbed key and payload)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1577727046",
"to_ids": true,
"type": "sha256",
"uuid": "5e0a3446-7584-4d05-b1a9-4cf402de0b81",
"value": "7bdae0dfc37cb5561a89a0b337b180ac6a139250bd5247292f470830bd96dda7"
},
{
"category": "Payload delivery",
"comment": "WinBio.dll (scrubbed key and payload)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1577727046",
"to_ids": true,
"type": "sha256",
"uuid": "5e0a3446-fee0-4809-98ce-466c02de0b81",
"value": "c1c68454e82d79e75fefad33e5acbb496bbc3f5056dfa26aaf1f142cee1af372"
},
{
"category": "Payload delivery",
"comment": "Carbanak",
"deleted": false,
"disable_correlation": false,
"timestamp": "1577727066",
"to_ids": true,
"type": "sha256",
"uuid": "5e0a345a-ec5c-45ac-ad17-454e02de0b81",
"value": "77a6fbd4799a8468004f49f5929352336f131ad83c92484b052a2eb120ebaf9a"
},
{
"category": "Payload delivery",
"comment": "Carbanak",
"deleted": false,
"disable_correlation": false,
"timestamp": "1577727066",
"to_ids": true,
"type": "sha256",
"uuid": "5e0a345a-9818-4a2d-bb1b-4ec602de0b81",
"value": "42d3cf75497a724e9a9323855e0051971816915fc7eb9f0426b5a23115a3bdcb"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "17",
"timestamp": "1577727084",
"uuid": "b822127f-e5bd-4e97-b089-6dbe41b97232",
"ObjectReference": [
{
"comment": "",
"object_uuid": "b822127f-e5bd-4e97-b089-6dbe41b97232",
"referenced_uuid": "37d2a0b1-f566-4c93-a735-5ff6d1fd5175",
"relationship_type": "analysed-with",
"timestamp": "1577727087",
"uuid": "5e0a346f-6cb8-403a-be38-408e02de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "WinBio.dll (scrubbed key and payload)",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1577727046",
"to_ids": true,
"type": "md5",
"uuid": "34182e36-330b-47c0-bda3-f16b0e0be899",
"value": "a8ba59eebd4858b8b448f13a436edf60"
},
{
"category": "Payload delivery",
"comment": "WinBio.dll (scrubbed key and payload)",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1577727046",
"to_ids": true,
"type": "sha1",
"uuid": "dd2891ae-f8a5-42ac-9633-47ee522a93ff",
"value": "02216bbd2633b23be575230bb1d0fe176ea88b4f"
},
{
"category": "Payload delivery",
"comment": "WinBio.dll (scrubbed key and payload)",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1577727046",
"to_ids": true,
"type": "sha256",
"uuid": "ffd7a350-8ba4-4cda-8be8-04f1c7925bf8",
"value": "7bdae0dfc37cb5561a89a0b337b180ac6a139250bd5247292f470830bd96dda7"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1577727085",
"uuid": "37d2a0b1-f566-4c93-a735-5ff6d1fd5175",
"Attribute": [
{
"category": "Other",
"comment": "WinBio.dll (scrubbed key and payload)",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1577727046",
"to_ids": false,
"type": "datetime",
"uuid": "f42add19-f6a8-4c3b-b014-dfdfb64dd795",
"value": "2019-12-30T17:16:31"
},
{
"category": "Payload delivery",
"comment": "WinBio.dll (scrubbed key and payload)",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1577727046",
"to_ids": false,
"type": "link",
"uuid": "88c3a2a3-dfe5-4e53-acc2-d7951b7941fc",
"value": "https://www.virustotal.com/file/7bdae0dfc37cb5561a89a0b337b180ac6a139250bd5247292f470830bd96dda7/analysis/1577726191/"
},
{
"category": "Payload delivery",
"comment": "WinBio.dll (scrubbed key and payload)",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1577727046",
"to_ids": false,
"type": "text",
"uuid": "cce0a6b8-ddf9-4f29-8659-d32284c8631d",
"value": "32/69"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "17",
"timestamp": "1577727085",
"uuid": "b62fec55-6a9d-42e3-a184-d3eac052641d",
"ObjectReference": [
{
"comment": "",
"object_uuid": "b62fec55-6a9d-42e3-a184-d3eac052641d",
"referenced_uuid": "b5887468-baeb-4798-86ee-6fe35ca86c13",
"relationship_type": "analysed-with",
"timestamp": "1577727087",
"uuid": "5e0a346f-0f70-4efc-a47a-49e602de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Carbanak",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1577727066",
"to_ids": true,
"type": "md5",
"uuid": "49372921-35a2-4b06-8705-33a265bf6380",
"value": "4b32521cc8a8c050fbc55b3f9d05c84d"
},
{
"category": "Payload delivery",
"comment": "Carbanak",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1577727066",
"to_ids": true,
"type": "sha1",
"uuid": "4ab3271e-0d31-4ad3-b06d-4901667ab67a",
"value": "ff62e30eb38116b3273543f9ace038c4d0003f9c"
},
{
"category": "Payload delivery",
"comment": "Carbanak",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1577727066",
"to_ids": true,
"type": "sha256",
"uuid": "57722a5e-301f-4ed9-a019-c0908b4d139e",
"value": "77a6fbd4799a8468004f49f5929352336f131ad83c92484b052a2eb120ebaf9a"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1577727085",
"uuid": "b5887468-baeb-4798-86ee-6fe35ca86c13",
"Attribute": [
{
"category": "Other",
"comment": "Carbanak",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1577727066",
"to_ids": false,
"type": "datetime",
"uuid": "a0a84233-91c2-465f-92a8-77f7a8e1f692",
"value": "2019-12-29T14:21:55"
},
{
"category": "Payload delivery",
"comment": "Carbanak",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1577727066",
"to_ids": false,
"type": "link",
"uuid": "58d5bfbd-1f36-4f20-8369-053f5e3e6369",
"value": "https://www.virustotal.com/file/77a6fbd4799a8468004f49f5929352336f131ad83c92484b052a2eb120ebaf9a/analysis/1577629315/"
},
{
"category": "Payload delivery",
"comment": "Carbanak",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1577727066",
"to_ids": false,
"type": "text",
"uuid": "621c4ded-d7b6-4fb9-b7bf-143001f7c38d",
"value": "42/71"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "17",
"timestamp": "1577727085",
"uuid": "a6f1046f-03a0-46b9-b93c-f12a9754f6e3",
"ObjectReference": [
{
"comment": "",
"object_uuid": "a6f1046f-03a0-46b9-b93c-f12a9754f6e3",
"referenced_uuid": "b679fec5-fade-4d7b-bec9-d0ef2d90729b",
"relationship_type": "analysed-with",
"timestamp": "1577727087",
"uuid": "5e0a346f-c17c-4d0a-ab85-413602de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "WinBio.dll (scrubbed key and payload)",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1577727046",
"to_ids": true,
"type": "md5",
"uuid": "88f40b0c-78f7-4e3c-8e6d-52c915f85b67",
"value": "27370ffd32942337596785ec737a4e46"
},
{
"category": "Payload delivery",
"comment": "WinBio.dll (scrubbed key and payload)",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1577727046",
"to_ids": true,
"type": "sha1",
"uuid": "0d20d620-d3f6-4268-acda-86a8d771e291",
"value": "a69d0ffed73198235c73f412a81dd2f4d12aa152"
},
{
"category": "Payload delivery",
"comment": "WinBio.dll (scrubbed key and payload)",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1577727046",
"to_ids": true,
"type": "sha256",
"uuid": "e1a486d7-458c-47ad-bec4-99463316d6ed",
"value": "c1c68454e82d79e75fefad33e5acbb496bbc3f5056dfa26aaf1f142cee1af372"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1577727086",
"uuid": "b679fec5-fade-4d7b-bec9-d0ef2d90729b",
"Attribute": [
{
"category": "Other",
"comment": "WinBio.dll (scrubbed key and payload)",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1577727046",
"to_ids": false,
"type": "datetime",
"uuid": "d4326992-412d-429d-864e-48622c15cc55",
"value": "2019-12-30T14:02:20"
},
{
"category": "Payload delivery",
"comment": "WinBio.dll (scrubbed key and payload)",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1577727046",
"to_ids": false,
"type": "link",
"uuid": "0ffa159a-bd05-46ec-a150-dbb4c680a609",
"value": "https://www.virustotal.com/file/c1c68454e82d79e75fefad33e5acbb496bbc3f5056dfa26aaf1f142cee1af372/analysis/1577714540/"
},
{
"category": "Payload delivery",
"comment": "WinBio.dll (scrubbed key and payload)",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1577727046",
"to_ids": false,
"type": "text",
"uuid": "1a14a7ef-9ea8-4795-8134-f6b0abfcaa1b",
"value": "33/70"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "17",
"timestamp": "1577727086",
"uuid": "d019110d-d966-484e-968c-95b77bd1591c",
"ObjectReference": [
{
"comment": "",
"object_uuid": "d019110d-d966-484e-968c-95b77bd1591c",
"referenced_uuid": "55a52c5d-d32f-4845-a2cf-c0a9ef422562",
"relationship_type": "analysed-with",
"timestamp": "1577727087",
"uuid": "5e0a346f-4288-4155-9252-49a702de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Carbanak",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1577727066",
"to_ids": true,
"type": "md5",
"uuid": "d8ba2060-ae47-441f-aca7-25c57aad14c5",
"value": "21e79ae1d7a5f020c171f412cbb92253"
},
{
"category": "Payload delivery",
"comment": "Carbanak",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1577727066",
"to_ids": true,
"type": "sha1",
"uuid": "cc99ebf3-0ef6-4817-8973-04c3f8b735d5",
"value": "ccd96a0b38d2edd14e290c597a7371e412429515"
},
{
"category": "Payload delivery",
"comment": "Carbanak",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1577727066",
"to_ids": true,
"type": "sha256",
"uuid": "cccb62c0-4500-4b48-94bb-a33af73b2221",
"value": "42d3cf75497a724e9a9323855e0051971816915fc7eb9f0426b5a23115a3bdcb"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1577727086",
"uuid": "55a52c5d-d32f-4845-a2cf-c0a9ef422562",
"Attribute": [
{
"category": "Other",
"comment": "Carbanak",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1577727066",
"to_ids": false,
"type": "datetime",
"uuid": "f3e3ab49-f834-4a6b-859d-2f23826955f5",
"value": "2019-12-28T17:45:44"
},
{
"category": "Payload delivery",
"comment": "Carbanak",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1577727066",
"to_ids": false,
"type": "link",
"uuid": "02f98cbd-4f5e-4749-a026-dd48e2fa8811",
"value": "https://www.virustotal.com/file/42d3cf75497a724e9a9323855e0051971816915fc7eb9f0426b5a23115a3bdcb/analysis/1577555144/"
},
{
"category": "Payload delivery",
"comment": "Carbanak",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1577727066",
"to_ids": false,
"type": "text",
"uuid": "d35cdcb9-e338-463d-8740-67d4acf655a9",
"value": "39/70"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An annotation object allowing analysts to add annotations, comments, executive summary to a MISP event, objects or attributes.",
"meta-category": "misc",
"name": "annotation",
"template_uuid": "5d8dc046-15a1-4ca3-a09f-ed4ede7c4487",
"template_version": "2",
"timestamp": "1577727734",
"uuid": "5e0a36f6-21fc-4a2d-8f68-4cf502de0b81",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "format",
"timestamp": "1577727734",
"to_ids": false,
"type": "text",
"uuid": "5e0a36f6-8fc8-4f98-890c-481a02de0b81",
"value": "markdown"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1577727740",
"to_ids": false,
"type": "text",
"uuid": "5e0a36fc-e758-4d4b-9730-4c2e02de0b81",
"value": "Other"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "text",
"timestamp": "1577727740",
"to_ids": false,
"type": "text",
"uuid": "5e0a36fc-d324-4038-bf96-411f02de0b81",
"value": "[<img width=\"200\" height=\"23\" src=\":/735a23f2ea5d4a2ca314bbb10957e1fd\"/>](https://www.fortinet.com)\r\n\r\n[Blog](https://www.fortinet.com/blog)\r\n\r\n* [Business & Technology](https://www.fortinet.com/blog/business-and-technology.html)\r\n* [Threat Research](https://www.fortinet.com/blog/threat-research.html)\r\n* [Industry Trends](https://www.fortinet.com/blog/industry-trends.html)\r\n* [Partners](https://www.fortinet.com/blog/partners.html)\r\n\r\n<img width=\"1908\" height=\"400\" src=\":/bce5663d73cd44318b21c1471c4186e3\"/>\r\n\r\nThreat Research\r\n\r\n# Introducing BIOLOAD: FIN7 BOOSTWRITE\u00e2\u20ac\u2122s Lost Twin\r\n\r\nBy [Omri Misgav](https://www.fortinet.com/blog/search.html?author=Omri+Misgav) | December 26, 2019\r\n\r\nA couple of months ago, [enSilo\u00e2\u20ac\u2122s endpoint protection platform](https://www.fortinet.com/blog/business-and-technology/fortinet-acquires-endpoint-security-innovator-ensilo-.html) blocked malicious payloads running in legitimate Microsoft Windows processes. A deeper look uncovered that the attacker abused the DLL search order to load their own malicious DLL. Some of the samples in the environment matched ones described in a recent publication by FireEye about FIN7\u00e2\u20ac\u2122s new tools and techniques, specifically BOOSTWRITE. Comparing the rest of the samples to BOOSTWRITE revealed they have a common codebase and carry the Carbanak backdoor.\r\n\r\n## The Abused Target\r\n\r\nWindows OS uses a [common method](https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order) to look for required DLLs to load into a program. Adversaries may use this behavior to cause the program to load a malicious DLL, a technique known as [DLL search order hijacking (or binary planting)](https://attack.mitre.org/techniques/T1038).\r\n\r\nThe abused application in this case is _FaceFodUninstaller.exe_. It exists on a clean OS installation starting from Windows 10 RS4 (1803) at the \u00e2\u20ac\u0153_%WINDR%\\\\System32\\\\WinBioPlugIns_\u00e2\u20ac\u009d folder. The executable is dependent on winbio.dll, which is usually found in the parent directory (\u00e2\u20ac\u0153_%WINDR%\\\\System32_\u00e2\u20ac\u009d).\r\n\r\n<img width=\"924\" height=\"353\" src=\":/4ec1bd4104104b4484e66764c4c3e752\"/> Figure 1: FaceFodUninstaller.exe import table\r\n\r\nWhat makes this executable even more attractive in the eyes of an attacker is the fact that it is started from a built-in scheduled task named _FODCleanupTask_, thereby minimizing the footprint on the machine and reducing the chances of detection even further. This demonstrates the group\u00e2\u20ac\u2122s ongoing technological research efforts.\r\n\r\n<img width=\"693\" height=\"693\" src=\":/18a7bd8efa6e48098d90b14c8334033f\"/> Figure 2: The built-in task view in Windows Task Scheduler\r\n\r\n## BIOLOAD \r\n\r\nThe loader file name is _WinBio.dll_ (note the uppercase characters) and is placed by the attacker alongside the executable in the same folder (\u00e2\u20ac\u0153_WinBioPlugIns_\"), thus leveraging the default DLL search order. Because the file path is under _%WINDIR%_, it means that in order to plant it the attacker needed to have elevated privileges on the victim\u00e2\u20ac\u2122s machine such as administrator or a SYSTEM account.\r\n\r\n<img width=\"693\" height=\"693\" src=\":/18a7bd8efa6e48098d90b14c8334033f\"/> Figure 3: WinBioPlugIns folder of an infected machine\r\n\r\nLike BOOSTWRITE, this loader was also developed in C++. It exports only a single function which is the one _FaceFodUninstaller.exe_ imports.\r\n\r\nThe samples target a 64-bit OS and were compiled in March and July of 2019. BOOSTWRITE targets 32-bit machines and was compiled (and signed) in May 2019. According to previous reports on the group, they do not falsify compilation timestamps of the binaries.\r\n\r\nWhen the DLL is started it checks the number of command line arguments of the process to decide how to act. When the executable is started by the task scheduler it doesn\u00e2\u20ac\u2122t have co
}
]
}
]
}
}