Cyber Security

BOOSTWRITE Malware Report: What Is BOOSTWRITE and How Does It Work?

BOOSTWRITE is a malicious loader that is typically launched via abuse of the DLL search order of applications used by FIN7. It affects Windows operating systems and has been known to use the DWriteCreateFactory function to load additional modules. 

BOOSTWRITE payloads are encoded using a ChaCha stream cipher with a 256-bit key and 64-bit Initialization vector to evade detection. A 32-byte long multi-XOR key is used to decode data inside the payload. BOOSTWRITE has also been known to exploit the loading of the legitimate Dwrite.dll file by actually loading the gdi library, which then loads the gdiplus library and ultimately loads the local Dwrite dll.

BOOSTWRITE Malware Capabilities

  • BOOSTWRITE may attempt to make files or executables difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating their contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.

Ways to Mitigate BOOSTWRITE Malware Attacks Capabilities

  • The Boostwrite malware attack can be mitigated by monitoring DLL module loads, limiting DLL module loads to safe directories, and detecting file obfuscation. Detecting the action of deobfuscating or decoding files or information may be difficult, but process and command-line monitoring can help detect potentially malicious behavior.
Show More

Reactionary Times News Desk

All breaking news stories that matter to America. The News Desk is covered by the sharpest eyes in news media, as they decipher fact from fiction.

Previous/Next Posts

Related Articles

Back to top button