513 lines
No EOL
37 KiB
JSON
513 lines
No EOL
37 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--5e0a3406-952c-49c8-b084-414002de0b81",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-12-30T17:42:20.000Z",
|
|
"modified": "2019-12-30T17:42:20.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--5e0a3406-952c-49c8-b084-414002de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-12-30T17:42:20.000Z",
|
|
"modified": "2019-12-30T17:42:20.000Z",
|
|
"name": "OSINT - Introducing BIOLOAD: FIN7 BOOSTWRITE\u00e2\u20ac\u2122s Lost Twin",
|
|
"published": "2019-12-30T17:42:37Z",
|
|
"object_refs": [
|
|
"x-misp-attribute--5e0a3429-ddc8-4dc9-a551-41f202de0b81",
|
|
"indicator--5e0a3446-7584-4d05-b1a9-4cf402de0b81",
|
|
"indicator--5e0a3446-fee0-4809-98ce-466c02de0b81",
|
|
"indicator--5e0a345a-ec5c-45ac-ad17-454e02de0b81",
|
|
"indicator--5e0a345a-9818-4a2d-bb1b-4ec602de0b81",
|
|
"indicator--b822127f-e5bd-4e97-b089-6dbe41b97232",
|
|
"x-misp-object--37d2a0b1-f566-4c93-a735-5ff6d1fd5175",
|
|
"indicator--b62fec55-6a9d-42e3-a184-d3eac052641d",
|
|
"x-misp-object--b5887468-baeb-4798-86ee-6fe35ca86c13",
|
|
"indicator--a6f1046f-03a0-46b9-b93c-f12a9754f6e3",
|
|
"x-misp-object--b679fec5-fade-4d7b-bec9-d0ef2d90729b",
|
|
"indicator--d019110d-d966-484e-968c-95b77bd1591c",
|
|
"x-misp-object--55a52c5d-d32f-4845-a2cf-c0a9ef422562",
|
|
"x-misp-object--5e0a36f6-21fc-4a2d-8f68-4cf502de0b81",
|
|
"relationship--30690e7f-4606-4297-ab1d-6eba5cbf124a",
|
|
"relationship--2efb1ad7-2788-4a6f-b36b-1943325246c3",
|
|
"relationship--d2dac93c-e31f-4dbb-90a9-d39c547d3100",
|
|
"relationship--c9e97b7d-db15-4bbf-9e39-c01875ab8849"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"misp-galaxy:mitre-enterprise-attack-intrusion-set=\"FIN7\"",
|
|
"misp-galaxy:mitre-enterprise-attack-relationship=\"FIN7 (G0046) uses Carbanak (S0030)\"",
|
|
"misp-galaxy:mitre-enterprise-attack-relationship=\"FIN7 uses Carbanak\"",
|
|
"misp-galaxy:mitre-intrusion-set=\"FIN7\"",
|
|
"misp-galaxy:threat-actor=\"Anunak\"",
|
|
"type:OSINT",
|
|
"osint:lifetime=\"perpetual\"",
|
|
"misp-galaxy:mitre-attack-pattern=\"DLL Search Order Hijacking\"",
|
|
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"DLL Search Order Hijacking\"",
|
|
"osint:source-type=\"blog-post\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--5e0a3429-ddc8-4dc9-a551-41f202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-12-30T17:30:17.000Z",
|
|
"modified": "2019-12-30T17:30:17.000Z",
|
|
"labels": [
|
|
"misp:type=\"text\"",
|
|
"misp:category=\"External analysis\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "text",
|
|
"x_misp_value": "By Omri Misgav | December 26, 2019\r\nAcouple of months ago, enSilo\u00e2\u20ac\u2122s endpoint protection platform blocked malicious payloads running in legitimate Microsoft Windows processes. A deeper look uncovered that the attacker abused the DLL search order to load their own malicious DLL. Some of the samples in the environment matched ones described in a recent publication by FireEye about FIN7\u00e2\u20ac\u2122s new tools and techniques, specifically BOOSTWRITE. Comparing the rest of the samples to BOOSTWRITE revealed they have a common codebase and carry the Carbanak backdoor."
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5e0a3446-7584-4d05-b1a9-4cf402de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-12-30T17:30:46.000Z",
|
|
"modified": "2019-12-30T17:30:46.000Z",
|
|
"description": "WinBio.dll (scrubbed key and payload)",
|
|
"pattern": "[file:hashes.SHA256 = '7bdae0dfc37cb5561a89a0b337b180ac6a139250bd5247292f470830bd96dda7']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-12-30T17:30:46Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5e0a3446-fee0-4809-98ce-466c02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-12-30T17:30:46.000Z",
|
|
"modified": "2019-12-30T17:30:46.000Z",
|
|
"description": "WinBio.dll (scrubbed key and payload)",
|
|
"pattern": "[file:hashes.SHA256 = 'c1c68454e82d79e75fefad33e5acbb496bbc3f5056dfa26aaf1f142cee1af372']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-12-30T17:30:46Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5e0a345a-ec5c-45ac-ad17-454e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-12-30T17:31:06.000Z",
|
|
"modified": "2019-12-30T17:31:06.000Z",
|
|
"description": "Carbanak",
|
|
"pattern": "[file:hashes.SHA256 = '77a6fbd4799a8468004f49f5929352336f131ad83c92484b052a2eb120ebaf9a']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-12-30T17:31:06Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5e0a345a-9818-4a2d-bb1b-4ec602de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-12-30T17:31:06.000Z",
|
|
"modified": "2019-12-30T17:31:06.000Z",
|
|
"description": "Carbanak",
|
|
"pattern": "[file:hashes.SHA256 = '42d3cf75497a724e9a9323855e0051971816915fc7eb9f0426b5a23115a3bdcb']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-12-30T17:31:06Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--b822127f-e5bd-4e97-b089-6dbe41b97232",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-12-30T17:31:24.000Z",
|
|
"modified": "2019-12-30T17:31:24.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'a8ba59eebd4858b8b448f13a436edf60' AND file:hashes.SHA1 = '02216bbd2633b23be575230bb1d0fe176ea88b4f' AND file:hashes.SHA256 = '7bdae0dfc37cb5561a89a0b337b180ac6a139250bd5247292f470830bd96dda7']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-12-30T17:31:24Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--37d2a0b1-f566-4c93-a735-5ff6d1fd5175",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-12-30T17:31:25.000Z",
|
|
"modified": "2019-12-30T17:31:25.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2019-12-30T17:16:31",
|
|
"category": "Other",
|
|
"comment": "WinBio.dll (scrubbed key and payload)",
|
|
"uuid": "f42add19-f6a8-4c3b-b014-dfdfb64dd795"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/7bdae0dfc37cb5561a89a0b337b180ac6a139250bd5247292f470830bd96dda7/analysis/1577726191/",
|
|
"category": "Payload delivery",
|
|
"comment": "WinBio.dll (scrubbed key and payload)",
|
|
"uuid": "88c3a2a3-dfe5-4e53-acc2-d7951b7941fc"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "32/69",
|
|
"category": "Payload delivery",
|
|
"comment": "WinBio.dll (scrubbed key and payload)",
|
|
"uuid": "cce0a6b8-ddf9-4f29-8659-d32284c8631d"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--b62fec55-6a9d-42e3-a184-d3eac052641d",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-12-30T17:31:25.000Z",
|
|
"modified": "2019-12-30T17:31:25.000Z",
|
|
"pattern": "[file:hashes.MD5 = '4b32521cc8a8c050fbc55b3f9d05c84d' AND file:hashes.SHA1 = 'ff62e30eb38116b3273543f9ace038c4d0003f9c' AND file:hashes.SHA256 = '77a6fbd4799a8468004f49f5929352336f131ad83c92484b052a2eb120ebaf9a']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-12-30T17:31:25Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--b5887468-baeb-4798-86ee-6fe35ca86c13",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-12-30T17:31:25.000Z",
|
|
"modified": "2019-12-30T17:31:25.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2019-12-29T14:21:55",
|
|
"category": "Other",
|
|
"comment": "Carbanak",
|
|
"uuid": "a0a84233-91c2-465f-92a8-77f7a8e1f692"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/77a6fbd4799a8468004f49f5929352336f131ad83c92484b052a2eb120ebaf9a/analysis/1577629315/",
|
|
"category": "Payload delivery",
|
|
"comment": "Carbanak",
|
|
"uuid": "58d5bfbd-1f36-4f20-8369-053f5e3e6369"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "42/71",
|
|
"category": "Payload delivery",
|
|
"comment": "Carbanak",
|
|
"uuid": "621c4ded-d7b6-4fb9-b7bf-143001f7c38d"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--a6f1046f-03a0-46b9-b93c-f12a9754f6e3",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-12-30T17:31:25.000Z",
|
|
"modified": "2019-12-30T17:31:25.000Z",
|
|
"pattern": "[file:hashes.MD5 = '27370ffd32942337596785ec737a4e46' AND file:hashes.SHA1 = 'a69d0ffed73198235c73f412a81dd2f4d12aa152' AND file:hashes.SHA256 = 'c1c68454e82d79e75fefad33e5acbb496bbc3f5056dfa26aaf1f142cee1af372']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-12-30T17:31:25Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--b679fec5-fade-4d7b-bec9-d0ef2d90729b",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-12-30T17:31:26.000Z",
|
|
"modified": "2019-12-30T17:31:26.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2019-12-30T14:02:20",
|
|
"category": "Other",
|
|
"comment": "WinBio.dll (scrubbed key and payload)",
|
|
"uuid": "d4326992-412d-429d-864e-48622c15cc55"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/c1c68454e82d79e75fefad33e5acbb496bbc3f5056dfa26aaf1f142cee1af372/analysis/1577714540/",
|
|
"category": "Payload delivery",
|
|
"comment": "WinBio.dll (scrubbed key and payload)",
|
|
"uuid": "0ffa159a-bd05-46ec-a150-dbb4c680a609"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "33/70",
|
|
"category": "Payload delivery",
|
|
"comment": "WinBio.dll (scrubbed key and payload)",
|
|
"uuid": "1a14a7ef-9ea8-4795-8134-f6b0abfcaa1b"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--d019110d-d966-484e-968c-95b77bd1591c",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-12-30T17:31:26.000Z",
|
|
"modified": "2019-12-30T17:31:26.000Z",
|
|
"pattern": "[file:hashes.MD5 = '21e79ae1d7a5f020c171f412cbb92253' AND file:hashes.SHA1 = 'ccd96a0b38d2edd14e290c597a7371e412429515' AND file:hashes.SHA256 = '42d3cf75497a724e9a9323855e0051971816915fc7eb9f0426b5a23115a3bdcb']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-12-30T17:31:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--55a52c5d-d32f-4845-a2cf-c0a9ef422562",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-12-30T17:31:26.000Z",
|
|
"modified": "2019-12-30T17:31:26.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2019-12-28T17:45:44",
|
|
"category": "Other",
|
|
"comment": "Carbanak",
|
|
"uuid": "f3e3ab49-f834-4a6b-859d-2f23826955f5"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/42d3cf75497a724e9a9323855e0051971816915fc7eb9f0426b5a23115a3bdcb/analysis/1577555144/",
|
|
"category": "Payload delivery",
|
|
"comment": "Carbanak",
|
|
"uuid": "02f98cbd-4f5e-4749-a026-dd48e2fa8811"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "39/70",
|
|
"category": "Payload delivery",
|
|
"comment": "Carbanak",
|
|
"uuid": "d35cdcb9-e338-463d-8740-67d4acf655a9"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--5e0a36f6-21fc-4a2d-8f68-4cf502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-12-30T17:42:14.000Z",
|
|
"modified": "2019-12-30T17:42:14.000Z",
|
|
"labels": [
|
|
"misp:name=\"annotation\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "text",
|
|
"object_relation": "format",
|
|
"value": "markdown",
|
|
"category": "Other",
|
|
"uuid": "5e0a36f6-8fc8-4f98-890c-481a02de0b81"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "type",
|
|
"value": "Other",
|
|
"category": "Other",
|
|
"uuid": "5e0a36fc-e758-4d4b-9730-4c2e02de0b81"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "text",
|
|
"value": "[<img width=\"200\" height=\"23\" src=\":/735a23f2ea5d4a2ca314bbb10957e1fd\"/>](https://www.fortinet.com)\r\n\r\n[Blog](https://www.fortinet.com/blog)\r\n\r\n* [Business & Technology](https://www.fortinet.com/blog/business-and-technology.html)\r\n* [Threat Research](https://www.fortinet.com/blog/threat-research.html)\r\n* [Industry Trends](https://www.fortinet.com/blog/industry-trends.html)\r\n* [Partners](https://www.fortinet.com/blog/partners.html)\r\n\r\n<img width=\"1908\" height=\"400\" src=\":/bce5663d73cd44318b21c1471c4186e3\"/>\r\n\r\nThreat Research\r\n\r\n# Introducing BIOLOAD: FIN7 BOOSTWRITE\u00e2\u20ac\u2122s Lost Twin\r\n\r\nBy [Omri Misgav](https://www.fortinet.com/blog/search.html?author=Omri+Misgav) | December 26, 2019\r\n\r\nA couple of months ago, [enSilo\u00e2\u20ac\u2122s endpoint protection platform](https://www.fortinet.com/blog/business-and-technology/fortinet-acquires-endpoint-security-innovator-ensilo-.html) blocked malicious payloads running in legitimate Microsoft Windows processes. A deeper look uncovered that the attacker abused the DLL search order to load their own malicious DLL. Some of the samples in the environment matched ones described in a recent publication by FireEye about FIN7\u00e2\u20ac\u2122s new tools and techniques, specifically BOOSTWRITE. Comparing the rest of the samples to BOOSTWRITE revealed they have a common codebase and carry the Carbanak backdoor.\r\n\r\n## The Abused Target\r\n\r\nWindows OS uses a [common method](https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order) to look for required DLLs to load into a program. Adversaries may use this behavior to cause the program to load a malicious DLL, a technique known as [DLL search order hijacking (or binary planting)](https://attack.mitre.org/techniques/T1038).\r\n\r\nThe abused application in this case is _FaceFodUninstaller.exe_. It exists on a clean OS installation starting from Windows 10 RS4 (1803) at the \u00e2\u20ac\u0153_%WINDR%\\\\System32\\\\WinBioPlugIns_\u00e2\u20ac\u009d folder. The executable is dependent on winbio.dll, which is usually found in the parent directory (\u00e2\u20ac\u0153_%WINDR%\\\\System32_\u00e2\u20ac\u009d).\r\n\r\n<img width=\"924\" height=\"353\" src=\":/4ec1bd4104104b4484e66764c4c3e752\"/> Figure 1: FaceFodUninstaller.exe import table\r\n\r\nWhat makes this executable even more attractive in the eyes of an attacker is the fact that it is started from a built-in scheduled task named _FODCleanupTask_, thereby minimizing the footprint on the machine and reducing the chances of detection even further. This demonstrates the group\u00e2\u20ac\u2122s ongoing technological research efforts.\r\n\r\n<img width=\"693\" height=\"693\" src=\":/18a7bd8efa6e48098d90b14c8334033f\"/> Figure 2: The built-in task view in Windows Task Scheduler\r\n\r\n## BIOLOAD \r\n\r\nThe loader file name is _WinBio.dll_ (note the uppercase characters) and is placed by the attacker alongside the executable in the same folder (\u00e2\u20ac\u0153_WinBioPlugIns_\"), thus leveraging the default DLL search order. Because the file path is under _%WINDIR%_, it means that in order to plant it the attacker needed to have elevated privileges on the victim\u00e2\u20ac\u2122s machine such as administrator or a SYSTEM account.\r\n\r\n<img width=\"693\" height=\"693\" src=\":/18a7bd8efa6e48098d90b14c8334033f\"/> Figure 3: WinBioPlugIns folder of an infected machine\r\n\r\nLike BOOSTWRITE, this loader was also developed in C++. It exports only a single function which is the one _FaceFodUninstaller.exe_ imports.\r\n\r\nThe samples target a 64-bit OS and were compiled in March and July of 2019. BOOSTWRITE targets 32-bit machines and was compiled (and signed) in May 2019. According to previous reports on the group, they do not falsify compilation timestamps of the binaries.\r\n\r\nWhen the DLL is started it checks the number of command line arguments of the process to decide how to act. When the executable is started by the task scheduler it doesn\u00e2\u20ac\u2122t have command line arguments and the malware works as follows:\r\n\r\n1. Creates a log file at _%TEMP%\\\\~bio<epoch_time>_. Logs are textual and aren\u00e2\u20ac\u2122t encrypted.\r\n2. Starts itself again as a child process with one command line argument comprised of 32 random upper-case letters.\r\n3. Establishes persistency by using COM objects to access the task scheduler. The malware makes sure the task is enabled, adds a trigger to start it 30 seconds after Windows boots and does not wait for idle state.\r\n\r\nWhen _WinBioGetEnrolledFactors_ is called, the malware loads the original _winbio.dll_ and invokes the original function.\r\n\r\nThe worker process loads and executes the payload DLL in-memory. It starts by creating a log file at _%TEMP%\\\\~wrk<epoch_time>_. It then makes sure only a single instance is currently running by creating a named mutex based on environments variables in this fashion:\r\n\r\n<img width=\"539\" height=\"539\" src=\":/18a7bd8efa6e48098d90b14c8334033f\"/>\r\n\r\nBIOLOAD also has the encrypted payload DLL embedded in it. In contrast to BOOSTWRITE, it does not support multiple payloads. Furthermore, to decrypt the payload it uses a simple XOR decryption rather than a ChaCha cipher, nor does it access a remote server to fetch the key. Instead, BIOLOAD is tailor-made for every machine it infects as it relies on the machine name to properly derive the decryption key.\r\n\r\nThe length of the key is 16 bytes and is also embedded in the loader. A portion of the key is overwritten with the result of [MurmurHash3](https://github.com/aappleby/smhasher/blob/master/src/MurmurHash3.cpp#L255) on the key using a CRC32 checksum of the computer name as the seed. This hinders detection by sandboxes and obstruct researchers from analyzing the payload when the relevant context is missing.\r\n\r\n<img width=\"693\" height=\"693\" src=\":/18a7bd8efa6e48098d90b14c8334033f\"/> Figure 4: Start of the MurmurHash3 function disassembly\r\n\r\nThe PE loader implementation is the same as the one in BOOSTWRITE. The format of the log file name is similar as well.\r\n\r\n## The Carbanak Backdoor\r\n\r\nAs mentioned, the payload this loader carries is the Carbanak backdoor. The samples we extracted from BIOLOAD are newer builds of the backdoor, dated January and April of 2019, according to their timestamps.\r\n\r\nOne notable addition is that it checks to see if another Anti-Virus (AV) is running on the machine, besides Kaspersky, AVG and TrendMicro. The result, however, has no effect on the operations of the backdoor, unlike with previously detected AVs.\r\n\r\n## Final Thoughts\r\n\r\nThis is the first public case of FaceFodUninstaller.exe being abused as host process by a threat actor.\r\n\r\nThe shared codebase with recent tools attributed to FIN7, together with the same techniques and backdoor, allows to attribute this new loader to the cybercrime group. The timestamps, together with simpler functionality, suggest BIOLOAD is a preceding iteration of BOOSTWRITE.\r\n\r\nSince the loader is specifically built for each targeted machine and requires administrative permissions to deploy, it suggests the group gathers information about its targets\u00e2\u20ac\u2122 networks.\r\n\r\n## Solutions\r\n\r\nThis malware uses a common, yet stealthy and effective, method to execute its payload in the context of legitimate processes.\u00c2\u00a0\r\n\r\nCountermeasures should be in place to detect this malicious behavior. The recently acquired FortiEDR \u00e2\u20ac\u201c an Endpoint Detection and Response solution integrated into FortiGate firewalls, FortiSIEM and FortiSandbox - detects and blocks such behavior post-infection to help incident responders quickly mitigate and respond to such threats.\r\n\r\nFortiClient detects and blocks the IOCs listed below as **W64/Inject.B!tr.spy** and **W64/Carbanak.A2EB!tr**.\r\n\r\nIn addition, as part of our membership in the\u00c2\u00a0[Cyber Threat Alliance](https://www.cyberthreatalliance.org/), details of this threat were shared in real time with other Alliance members to help create better protections for customers.\r\n\r\n## IOCs\r\n\r\n**WinBio.dll (scrubbed key and payload) SHA256**\r\n\r\n7bdae0dfc37cb5561a89a0b337b180ac6a139250bd5247292f470830bd96dda7 \r\nc1c68454e82d79e75fefad33e5acbb496bbc3f5056dfa26aaf1f142cee1af372\r\n\r\n**Carbanak SHA256**\r\n\r\n77a6fbd4799a8468004f49f5929352336f131ad83c92484b052a2eb120ebaf9a \r\n42d3cf75497a724e9a9323855e0051971816915fc7eb9f0426b5a23115a3bdcb\u00c2\u00a0 \u00c2\u00a0\u00c2\u00a0\r\n\r\n_Learn more about\u00c2\u00a0[FortiGuard Labs](https://www.fortinet.com/fortiguard/threat-intelligence/threat-research.html?utm_source=nreleaseblog&utm_campaign=2018-q2-fortiguardlabs-cta)\u00c2\u00a0and the FortiGuard Security Services\u00c2\u00a0[portfolio](https://www.fortinet.com/support-and-training/support-services/fortiguard-security-subscriptions.html?utm_source=blog&utm_campaign=2018-blog-security-services).\u00c2\u00a0[Sign up](https://www.fortinet.com/fortiguard/threat-intelligence/threat-research.html?utm_source=nreleaseblog&utm_campaign=2018-q2-fortiguardlabs-cta)\u00c2\u00a0for our weekly FortiGuard Threat Brief._\r\n\r\n_Read about the FortiGuard\u00c2\u00a0[Security Rating Service](https://www.fortinet.com/support-and-training/support-services/fortiguard-security-subscriptions/security-rating.html?utm_source=blog&utm_campaign=2018-blog-security-rating-service), which provides security audits and best practices._\r\n\r\n[<img width=\"914\" height=\"143\" src=\":/91993d9978bb413c9e197be19c0ce541\"/>](https://www.fortinet.com/resources/resources-campaign.html?utm_source=social&utm_medium=blog&campaign=power-of&utm_term=q3fy19tlr#ufh-i-503778344-quarterly-threat-landscape-report/2901083)\r\n\r\nTags:\r\n\r\n[threat research](https://www.fortinet.com/blog/tags-search.html?tag=threat-research), [Carbanak](https://www.fortinet.com/blog/tags-search.html?tag=carbanak), [Cybersecurity Architect](https://www.fortinet.com/blog/tags-search.html?tag=cybersecurity-architect), [BIOLOAD](https://www.fortinet.com/blog/tags-search.html?tag=bioload), [FIN7](https://www.fortinet.com/blog/tags-search.html?tag=fin7)\r\n\r\n### Related Posts\r\n\r\n[<img width=\"281\" height=\"211\" src=\":/bce5663d73cd44318b21c1471c4186e3\"/><br>Threat Research<br>##### \u00e2\u20ac\u0153BlueKeep\u00e2\u20ac\u009d Vulnerability (CVE-2019-0708) within Cloud/Datacenter Machines: How to Safeguard Yourself?](https://www.fortinet.com/blog/threat-research/bluekeep-vulnerability-cloud-datacenters.html)[<img width=\"281\" height=\"211\" src=\":/bce5663d73cd44318b21c1471c4186e3\"/><br>Threat Research<br>##### Key Takeaways from Our Latest Global Threat Landscape Report](https://www.fortinet.com/blog/threat-research/cyber-adversaries-flock-to-apps-where-the-users-are-and-when-use.html)[<img width=\"281\" height=\"211\" src=\":/bce5663d73cd44318b21c1471c4186e3\"/><br>Threat Research<br>##### WordPress WooCommerce XSS Vulnerability \u00e2\u20ac\u201c Hijacking a Customer Account with a Crafted Image](https://www.fortinet.com/blog/threat-research/wordpress-woocommerce-xss-vulnerability----hijacking-a-customer-.html)\r\n\r\n[<img width=\"190\" height=\"23\" src=\":/735a23f2ea5d4a2ca314bbb10957e1fd\"/>](https://www.fortinet.com)\r\n\r\n#### News & Articles\r\n\r\n* [News Releases](https://www.fortinet.com/corporate/about-us/newsroom/press-releases.html)\r\n* [News Articles](https://www.fortinet.com/corporate/about-us/newsroom/news.html)\r\n* [Trademarks](https://www.fortinet.com/corporate/about-us/contact-us/fortinet-trademark-guidelines.html)\r\n\r\n#### Security Research\r\n\r\n* [Threat Research](https://www.fortinet.com/fortiguard/threat-intelligence/threat-research.html)\r\n* [FortiGuard Labs](https://fortiguard.com/)\r\n* [Threat Map](https://www.fortinet.com/fortiguard/threat-intelligence/threat-map.html)\r\n* [Threat Briefs](https://secure.fortinet.com/fortiguard)\r\n* [Ransomware](https://www.fortinet.com/solutions/ransomware.html)\r\n\r\n#### Connect With Us\r\n\r\n* [Blog](https://www.fortinet.com/blog/)\r\n* [Fuse](https://fusecommunity.fortinet.com)\r\n\r\n#### Company\r\n\r\n* [About Us](https://www.fortinet.com/corporate/about-us/about-us.html)\r\n* [Why Fortinet](https://www.fortinet.com/corporate/about-us/why-fortinet.html)\r\n* [Security Fabric](https://www.fortinet.com/corporate/about-us/security-fabric.html)\r\n* [Exec Mgmt](https://www.fortinet.com/corporate/about-us/executive-management.html)\r\n* [Careers](https://www.fortinet.com/corporate/careers.html)\r\n* [Certifications](https://www.fortinet.com/corporate/about-us/product-certifications.html)\r\n* [Events](https://www.fortinet.com/corporate/about-us/events.html)\r\n* [Industry Awards](https://www.fortinet.com/corporate/about-us/industry-awards.html)\r\n\r\n#### Contact Us\r\n\r\n* (866) 868-3678\r\n\r\nCopyright \u00c2\u00a9 2019 Fortinet, Inc. All Rights Reserved\r\n\r\n[Terms of Services](https://www.fortinet.com/corporate/about-us/legal.html) [Privacy Policy](https://www.fortinet.com/corporate/about-us/privacy.html)\r\n\r\nThis site uses cookies. Some are essential to the operation of the site; others help us improve the user experience. By continuing to use the site, you consent to the use of these cookies. To learn more about cookies, please read our [privacy policy](https://www.fortinet.com/corporate/about-us/privacy.html). \r\n\r\nAccept\r\n\r\nWe Use Cookies\r\n\r\n<a id=\"navigate\"></a>\r\n\r\n* NextRoll and our <a id=\"adroll_consent_banner_partners_link\"></a>advertising partners use cookies and similar technologies on this site and around the web that collect and use personal data (e.g. your IP address) in order to select and deliver measurable personalized advertising from this site and other advertisers in <a id=\"adroll_consent_banner_learn_more\"></a>NextRoll's network, as well as to analyze and understand your use of our websites using NextRoll's services.\r\n* By clicking \"Allow\", you consent to the placement and use of cookies and similar technologies by NextRoll and its advertising partners.\r\n* If you select \"Reject\", NextRoll will not serve you personalized advertising. You may still receive advertising that is not targeted or is served by other third parties that are not affiliated with NextRoll.\r\n* If you \"Allow\" now, you have the right to withdraw your consent at anytime by visiting <a id=\"adroll_consent_banner_optout\"></a>here OR by clicking the Ad Choices Icon on any NextRoll served ad.\r\n* To manage NextRoll's partners and learn more, click <a id=\"adroll_consent_banner_here_link\"></a>here.\r\n\r\n<a id=\"adroll_consent_reject\"></a>Reject<a id=\"adroll_consent_accept\"></a>Allow\r\n\r\nAddThis Sharing Sidebar\r\n\r\nShare to FacebookShare to TwitterShare to LinkedInShare to EmailMore AddThis Share options",
|
|
"category": "Other",
|
|
"uuid": "5e0a36fc-d324-4038-bf96-411f02de0b81"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "annotation"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--30690e7f-4606-4297-ab1d-6eba5cbf124a",
|
|
"created": "2019-12-30T17:31:27.000Z",
|
|
"modified": "2019-12-30T17:31:27.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--b822127f-e5bd-4e97-b089-6dbe41b97232",
|
|
"target_ref": "x-misp-object--37d2a0b1-f566-4c93-a735-5ff6d1fd5175"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--2efb1ad7-2788-4a6f-b36b-1943325246c3",
|
|
"created": "2019-12-30T17:31:27.000Z",
|
|
"modified": "2019-12-30T17:31:27.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--b62fec55-6a9d-42e3-a184-d3eac052641d",
|
|
"target_ref": "x-misp-object--b5887468-baeb-4798-86ee-6fe35ca86c13"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--d2dac93c-e31f-4dbb-90a9-d39c547d3100",
|
|
"created": "2019-12-30T17:31:27.000Z",
|
|
"modified": "2019-12-30T17:31:27.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--a6f1046f-03a0-46b9-b93c-f12a9754f6e3",
|
|
"target_ref": "x-misp-object--b679fec5-fade-4d7b-bec9-d0ef2d90729b"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--c9e97b7d-db15-4bbf-9e39-c01875ab8849",
|
|
"created": "2019-12-30T17:31:27.000Z",
|
|
"modified": "2019-12-30T17:31:27.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--d019110d-d966-484e-968c-95b77bd1591c",
|
|
"target_ref": "x-misp-object--55a52c5d-d32f-4845-a2cf-c0a9ef422562"
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |