BOOSTWRITE

Boostwrite is a sophisticated malware tool developed by the cybercriminal group FIN7. It operates as an in-memory-only dropper, decrypting embedded payloads using an encryption key retrieved from a remote server during runtime. The malware has been observed to contain two main payloads: CARBANAK and RDFSNIFFER. RDFSNIFFER was specifically developed to tamper with NCR Corporation's "Aloha Command Center" client. Boostwrite has been continually updated by FIN7, with small changes made to evade traditional antivirus detection. One such example includes a variant of Boostwrite signed by a valid Certificate Authority. The malware was first identified in 2019, with its PE compilation time recorded on May 20th of that year. Over the next year, until May 21, 2020, the validity window for the signed Boostwrite's "mango ENTERPRISE LIMITED" certificate remained open. The signed Boostwrite sample displayed a PE Authenticode anomaly, where the PE linker timestamp predated the Authenticode validity period. Notably, the evasion techniques used by FIN7 were effective against both traditional detection methods and machine learning binary classification engines. To aid in the identification and detection of Boostwrite, Yara rules have been developed based on its unique executable traits. These include rules targeting Boostwrite's export DLL name (DWriteImpl.dll) and PDB path. However, it's important to note that due to the ongoing adaptations made by FIN7, these rules may need to be regularly updated to remain effective. Despite the challenges, understanding Boostwrite's operation and identifying its unique characteristics are crucial steps in combating this persistent cybersecurity threat.