RDFSNIFFER

Malware Profile Updated 3 months ago
Download STIX
Preview STIX
RDFSNIFFER is a newly identified malware payload of the BOOSTWRITE variant, discovered by Mandiant investigators. Developed to tamper with NCR Corporation's “Aloha Command Center” client, it has been used maliciously by several financial attackers including FIN7. When loaded by BOOSTWRITE, RDFSNIFFER hooks into several Win32 API functions enabling it to interfere with Aloha Command Center Client sessions or hijack elements of its user-interface. It loads into the same process as the legitimate RDFClient by exploiting the utility’s DLL load order, and launches each time the ‘Aloha Command Center Client’ is executed on an impacted system. This malware allows an attacker to monitor and manipulate legitimate connections made via the Aloha Command Center Client (RDFClient), an application designed to provide visibility and system management capabilities to remote IT techs. One of the DLLs in the BOOSTWRITE variant is an instance of the CARBANAK backdoor; the other DLL is RDFSNIFFER, which enables an attacker to take control of instances of the NCR Aloha Command Center Client application and interact with victim systems through existing legitimate 2FA sessions. RDFSNIFFER also contains a backdoor component that injects commands into an active RDFClient session. Its functions include uploading files to the remote system, retrieving files from the remote system, executing commands on the remote system, and deleting files on both remote and local systems. A recent investigation by Mandiant identified a signed BOOSTWRITE sample containing RDFSNIFFER used by FIN7, although most recovered variants have been unsigned.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Carbanak Backdoor
1
The Carbanak Backdoor is a notorious malware, designed to exploit and damage computer systems. It is associated with the FIN7 threat group, also known as the "Carbanak Group", although not all usage of the Carbanak Backdoor can be directly linked to FIN7. This malicious software infiltrates systems
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
T1106
T1107
T1179
Backdoor
T1022
T1027
T1038
T1116
T1129
T1140
Payload
Rat
Exploits
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
BOOSTWRITEUnspecified
1
Boostwrite is a sophisticated malware tool developed by the cybercriminal group FIN7. It operates as an in-memory-only dropper, decrypting embedded payloads using an encryption key retrieved from a remote server during runtime. The malware has been observed to contain two main payloads: CARBANAK and
CarbanakUnspecified
1
Carbanak is a sophisticated type of malware, short for malicious software, that is designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
FIN7Unspecified
1
FIN7, a notorious threat actor group known for its malicious activities, has recently been identified as targeting a large U.S. carmaker with phishing attacks. This group, which has previously operated behind fake cybersecurity companies such as Combi Security and Bastion Secure to recruit security
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the RDFSNIFFER Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
MITRE
a year ago
Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques | Mandiant