

Posted: October 15, 2019

FIN7 is one of the most prominent financially motivated hacking groups at the moment. Its activities were first spotted in 2015, and the group is behind one of the most widely spread banking Trojans of this decade, the Carbanak Trojan. In fact, the Carbanak malware caused so much damage worldwide that the FIN7 group is also known as the Carbanak Group. Its targets are almost exclusively businesses in the hospitality, retail, and restaurant sectors, and it often appears to target US-based businesses. Recently, the group has been spotted using two new malware families that appear to serve an interesting purpose: they are likely to be used to target systems associated with payment card processing.

The Carbanak Group Employed BOOSTWRITE Loader in Recent Attacks

The first piece of malware used in this particular campaign is BOOSTWRITE, an advanced Trojan loader that carries an embedded payload in an encrypted state. To complete the decryption and initialization process, the BOOSTWRITE loader communicates with a remote Command & Control server.

If the BOOSTWRITE loader manages to complete the steps without a hitch, it deploys two payloads to the compromised machine – the well-known Carbanak backdoor, and a new threat that has been given the name 'RDFSNIFFER.' The latter appears to be a Remote Access Trojan with limited functionality, and it seems to only work on systems that have the NCR Aloha Command Center installed on them – a toolset that IT technicians use to provide remote assistance.

While the current samples of BOOSTWRITE are loaded with these two particular payloads, the FIN7 threat actor is likely to change its plans in the future. Some of the BOOSTWRITE samples were signed with a valid digital certificate, and they had a rather low detection rate by anti-virus engines. Applying the latest updates to your anti-virus software can greatly improve your odds of fending off threats like the BOOSTWRITE loader.
