Cybercriminals cannot just will malware into attacking operating systems. They need help, and tools like BOOSTWRITE can make things much easier. This infection is a Trojan, and so it slithers into operating systems silently, but once inside, it is meant to execute additional threats. These are embedded within the Trojan itself, but they are encrypted, and that is why the Trojan connects to a remote server. Only if a decryptor is obtained can the infection be executed and, essentially, “drop” additional malware. To make things worse, the threat tries to conceal itself, and, unfortunately, it has been known to succeed at that. Overall, this Trojan is highly dangerous and powerful, and victims need to remove it instantly. Of course, deleting BOOSTWRITE is not so simple, and getting rid of the additionally dropped infection could take precedence over the removal of the Trojan itself.
BOOSTWRITE is just an instrument. It is not an infection that actually plays the most important role in specific attacks. That being said, it is the root of the attack, and if you pull it out right away, you might evade the attacks of those infections that can do serious damage. Removing BOOSTWRITE is not an easy task, however, because it is embedded into memory. Also, the dropped can be signed using a signature of a legitimate Certificate Authority. Such a signature can make it seem as if the dropper is harmless, and, therefore, traditional antivirus tools might ignore it after execution. Needless to say, if the threat can successfully invade an operating system and then hide itself, the attackers have a door wide open. According to the analysts at FireEye, the dropper has been linked to the FIN7 group, also known as Carbanak, and it is possible that the cybercriminals within this group have also created the infection. Unsurprisingly, the dropper has been used to execute malware linked to this hacking group.
Probably the most impressive piece of malware that BOOSTWRITE has been known to drop is a banking Trojan called CARBANAK. As you can see, this infection has the same name as the hacking group itself. This dangerous infection has been terrorizing banks since at least 2014, and although arrests have been made, the Trojan continues to make money for cybercriminals. This malware has been used to steal money from banks, payment platforms, and even physical ATMs. The Trojan could help attackers hijack the machines and make them surrender the cash inside, which can then be collected by the attackers who are in close proximity. How successful was this malware in the past? Some say that up to 1 billion US Dollars could have been stolen with the help of the CARBANAK banking Trojan. If that wasn’t enough, BOOSTWRITE has also introduced a remote access tool (RAT), RDFSNIFFER, to ensure successful attacks.
RDFSNIFFER is drooped by BOOSTWRITE and can be used to load itself into the RDFClient – which belongs to the NCR Corporation – process. The RAT can inject commands, and that might make it possible for the attackers to take some control over the Aloha Command Center Client application. This application manages and troubleshoots those systems that are responsible for payment card processing. Needless to say, this could give the attackers yet another chance to steal confidential information and, quite possibly, steal even more money for themselves. Other tools could be embedded within the BOOSTWRITE dropper, and they could help cybercriminals act in other ways too.
As it turns out, traditional security options are not always sufficient when it comes to such infections as BOOSTWRITE. It can take on legitimate signatures and evade detection and, eventually, removal, which can lead to the infiltration of the threats that can do serious damage. Individual users are unlikely to be attacked by this malware, but banks and other financial institutions need to be extremely cautious about it because once the threat slithers in, it can be extremely damaging. These banks and financial institutions need to work closely with malware researchers and cybersecurity experts to ensure that they are able to protect their assets and the financial security of their customers appropriately.
Carr, N., Goody, K., Kennelly, J., Nuce, J., Runnels, S., and Yoder, J. October 10, 2019. Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques. FireEye.