BOOSTWRITE is a malicious loader that is typically launched via abuse of the DLL search order of applications used by FIN7. It affects Windows operating systems and has been known to use the DWriteCreateFactory function to load additional modules.
BOOSTWRITE payloads are encoded with a ChaCha stream cipher (256-bit key, 64-bit initialization vector) to evade detection, and a 32-byte multi-XOR key is used to decode data inside the payload. BOOSTWRITE has also been known to hijack the loading of the legitimate Dwrite.dll: the host application loads the gdi library, which loads the gdiplus library, which in turn loads the local Dwrite.dll instead of the system copy.
BOOSTWRITE Malware Capabilities
- BOOSTWRITE may attempt to make files or executables difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating their contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Ways to Mitigate BOOSTWRITE Malware Attack Capabilities
- BOOSTWRITE attacks can be mitigated by monitoring DLL module loads, limiting DLL module loads to safe directories, and detecting file obfuscation. Detecting the act of deobfuscating or decoding files or information may be difficult, but process and command-line monitoring can help surface potentially malicious behavior.
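As an added example (not code from the page or from any vendor tool), the following Python script shows how the two mitigations above, monitoring DLL module loads and restricting them to safe directories, can be turned into a concrete check for the Dwrite.dll search-order hijack the page describes. It runs over constructed, Sysmon-style ImageLoad records; the `Image`, `ImageLoaded` and `Signed` field names, the flattened `key=value|key=value` line format, and the `SAFE_DIRS` and `WATCHED_DLLS` lists are all assumptions made for the example.

```python
"""Flag DLL loads that match a search-order hijack pattern: a DLL whose
legitimate copy lives in a Windows system directory (e.g. Dwrite.dll)
being loaded from somewhere else, such as the loading application's own
directory. Input records are constructed for this example and only
loosely modelled on Sysmon Event ID 7 (ImageLoad)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Directories from which system DLLs are expected to load (assumed safe list).
SAFE_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)

# DLL names in the load chain the page describes (gdi -> gdiplus -> Dwrite).
# gdi32.dll is assumed to be the module the page calls "the gdi library".
WATCHED_DLLS = {"dwrite.dll", "gdi32.dll", "gdiplus.dll"}


@dataclass
class ImageLoad:
    process: str  # path of the executable that performed the load
    image: str    # path of the DLL that was loaded
    signed: bool  # whether the DLL carried a valid signature


def parse_event(line: str) -> ImageLoad:
    """Parse one flattened 'key=value|key=value' record (constructed format)."""
    fields: Dict[str, str] = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ImageLoad(
        process=fields["Image"],
        image=fields["ImageLoaded"],
        signed=fields.get("Signed", "false").lower() == "true",
    )


def in_safe_dir(path: str) -> bool:
    """True if the DLL's parent directory is one of the allowed system directories."""
    parent = str(PureWindowsPath(path).parent).lower()
    return any(parent == d or parent.startswith(d + "\\") for d in SAFE_DIRS)


def is_suspicious(ev: ImageLoad) -> Optional[str]:
    """Return a reason string when the load looks like a search-order hijack, else None."""
    loaded = PureWindowsPath(ev.image)
    name = loaded.name.lower()
    if name not in WATCHED_DLLS or in_safe_dir(ev.image):
        return None
    reasons = [f"{name} loaded from non-system directory {loaded.parent}"]
    # Search-order hijack pattern: the DLL sits beside the executable that loaded it.
    if str(loaded.parent).lower() == str(PureWindowsPath(ev.process).parent).lower():
        reasons.append("DLL sits beside the loading executable")
    if not ev.signed:
        reasons.append("image is unsigned")
    return "; ".join(reasons)


# Constructed sample records: one benign system load, one hijack beside the
# application, one benign gdiplus load, and one watched DLL loaded from Temp.
SAMPLE_LOG = [
    r"Image=C:\Program Files\Vendor\App.exe|ImageLoaded=C:\Windows\System32\DWrite.dll|Signed=true",
    r"Image=C:\Program Files\Vendor\App.exe|ImageLoaded=C:\Program Files\Vendor\Dwrite.dll|Signed=false",
    r"Image=C:\Program Files\Vendor\App.exe|ImageLoaded=C:\Windows\System32\gdiplus.dll|Signed=true",
    r"Image=C:\Users\alice\Downloads\tool.exe|ImageLoaded=C:\Users\alice\AppData\Local\Temp\gdiplus.dll|Signed=true",
]


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per suspicious load: the process, the DLL path and the reason."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        reason = is_suspicious(ev)
        if reason:
            findings.append({"process": ev.process, "image": ev.image, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['process']} -> {f['image']}: {f['reason']}")
```

Running the script reports two findings: the unsigned `Dwrite.dll` next to `App.exe` (the pattern from the page) and the `gdiplus.dll` loaded from a user's Temp directory. Loads of the same DLL names from `System32` are left alone, which is the "limit module loads to safe directories" mitigation expressed as an allow list rather than a block list.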