What is FIN7 Uses a Sophisticated Malware Dropper Called BOOSTWRITE?
It was confirmed that a recently discovered Trojan titled BOOSTWRITE was developed by a well-known group of cybercriminals called FIN7. Hackers from this group are known for creating sophisticated Trojans, backdoors, and other threats that help them attack various systems for financial gain. FIN7 has been around for a few years now, and it does not look like these cybercriminals are going to stop their malicious activities any time soon. Sadly, it seems their tools are becoming more vicious and difficult to detect. If you want to know how their latest Trojan works and how it could enter a system, we invite you to read the rest of this article. Also, if you have any questions about BOOSTWRITE, you could leave us a comment below.
Where does BOOSTWRITE come from?
As said earlier, BOOSTWRITE is a sophisticated Trojan from the infamous group of hackers known as FIN7. Their threats are often targeted at financial institutions and other companies that may have information or access to accounts that could provide them financial gain. Cybersecurity specialists say that files carrying the malware might appear to have a legit digital signature. Consequently, the threat’s launchers might not raise any suspicion. Also, this may allow the malware to avoid detection by traditional antivirus tools. If the malicious application slips in, it should abuse the DLL search order of application that is normally used to load a legitimate Dwrite.dll file. By abusing the DLL search order of application, the malware makes it launch a malicious file instead of running the legitimate DWrite.dll file.
How does BOOSTWRITE work?
According to cybersecurity specialists, BOOSTWRITE is a dropper. It means its main task is to infiltrate a system and to drop other malicious applications on it. The researched samples of this Trojan carried a couple of threats called CARBANAK and RDFSNIFFER.
CARBANAK is a malicious backdoor application that has been used not only by the FIN7 hackers but also by many other cybercriminals. It is reported that it has been used to perpetrate millions of dollars in financial crimes, and it would seem it is going to cause even more damage as cybercriminals continue to use it. As for the second application called RDFSNIFFER, it looks like it was created to attack a specific target. To be more precise, the malware attacks the Aloha Command Center client application of a company known as NCR Corporation. Also, this tool seems to contain a backdoor element that may allow hackers behind the malware to access targeted systems remotely and execute commands like upload, download, execute, or delete data. Therefore, specialists say it falls under the classification of Remote Access Trojans.
It is vital to stress that BOOSTWRITE is still being upgraded, which means it might take time to stop it from spreading. Also, it is likely that its new versions could drop other threats besides CARBANAK and RDFSNIFFER. To avoid such infections, cybersecurity specialists recommend identifying and removing vulnerabilities that your systems could have. Plus, it is essential to use an antimalware tool that would be capable of detecting Trojans and other malicious applications. Another good idea for various organizations and businesses would be educating their employees about cyber threats and ways to avoid them.
How to remove BOOSTWRITE?
It seems FIN7 keeps upgrading BOOSTWRITE to make sure it does not get detected, and, so far, it works. Thus, identifying the threat could be extremely complicated. Not to mention that such sophisticated malicious applications often have a feature that allows erasing them without leaving any trace. Meaning, the malware could be on a system as long as its creators need and then leave it without a victim noticing anything. In any case, when dealing with Trojans and other vicious threats alike, it is best to leave the task to reliable antimalware software and cybersecurity experts.
100% FREE spyware scan and
tested removal of FIN7 Uses a Sophisticated Malware Dropper Called BOOSTWRITE*
0 Comments.