
BOOSTWRITE

Posted: October 15, 2019

FIN7 is one of the most prominent financially motivated hacking groups currently active. Its activity was first observed in 2015, and the group is behind one of the most widely spread banking Trojans of this decade, the Carbanak Trojan. The Carbanak malware caused so much damage worldwide that the FIN7 group is also known as the Carbanak Group. Its targets are almost exclusively businesses in the hospitality, retail, and restaurant sectors, and it frequently goes after US-based companies. Recently, the group has been observed using two new malware families that appear to serve a specific purpose: they are likely intended for use against systems associated with payment card processing.

The Carbanak Group Employed BOOSTWRITE Loader in Recent Attacks

The first piece of malware used in this campaign is BOOSTWRITE, an advanced Trojan loader that carries an embedded payload in encrypted form. To complete the decryption and initialization of that payload, the BOOSTWRITE loader communicates with a remote Command & Control server.

If the BOOSTWRITE loader manages to complete the steps without a hitch, it deploys two payloads to the compromised machine – the well-known Carbanak backdoor, and a new threat that has been given the name 'RDFSNIFFER.' The latter appears to be a Remote Access Trojan with limited functionality, and it seems to only work on systems that have the NCR Aloha Command Center installed on them – a toolset that IT technicians use to provide remote assistance.

While the current BOOSTWRITE samples carry these two particular payloads, the FIN7 threat actor may well change its plans in the future. Some BOOSTWRITE samples were signed with a valid digital certificate and had a rather low detection rate among anti-virus engines; keeping your anti-virus software up to date can greatly improve your odds of fending off threats like the BOOSTWRITE loader.
