RDFSNIFFER

Malware updated 5 months ago (2024-05-04T17:17:50.267Z)
Download STIX
Preview STIX
RDFSNIFFER is a newly identified malware payload of the BOOSTWRITE variant, discovered by Mandiant investigators. Developed to tamper with NCR Corporation's “Aloha Command Center” client, it has been used maliciously by several financial attackers including FIN7. When loaded by BOOSTWRITE, RDFSNIFFER hooks into several Win32 API functions enabling it to interfere with Aloha Command Center Client sessions or hijack elements of its user-interface. It loads into the same process as the legitimate RDFClient by exploiting the utility’s DLL load order, and launches each time the ‘Aloha Command Center Client’ is executed on an impacted system. This malware allows an attacker to monitor and manipulate legitimate connections made via the Aloha Command Center Client (RDFClient), an application designed to provide visibility and system management capabilities to remote IT techs. One of the DLLs in the BOOSTWRITE variant is an instance of the CARBANAK backdoor; the other DLL is RDFSNIFFER, which enables an attacker to take control of instances of the NCR Aloha Command Center Client application and interact with victim systems through existing legitimate 2FA sessions. RDFSNIFFER also contains a backdoor component that injects commands into an active RDFClient session. Its functions include uploading files to the remote system, retrieving files from the remote system, executing commands on the remote system, and deleting files on both remote and local systems. A recent investigation by Mandiant identified a signed BOOSTWRITE sample containing RDFSNIFFER used by FIN7, although most recovered variants have been unsigned.
Description last updated: 2024-05-04T17:16:46.232Z
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Source Document References
Information about the RDFSNIFFER Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more