
Rewterz Threat Alert – FIN7 BOOSTWRITE’s Lost Twin exposes sensitive information

Severity

High

Analysis Summary

A couple of months ago, enSilo’s endpoint protection platform blocked malicious payloads running in legitimate Microsoft Windows processes. A deeper look uncovered that the attacker abused the DLL search order to load their own malicious DLL. Some of the samples in the environment matched ones described in a recent publication by FireEye about FIN7’s new tools and techniques, specifically BOOSTWRITE. Comparing the rest of the samples to BOOSTWRITE revealed they have a common codebase and carry the Carbanak backdoor. 

When a program imports a DLL by name rather than by full path, the Windows loader resolves it by walking a fixed list of locations. With SafeDllSearchMode enabled (the default), and for a DLL that is not already loaded, not a KnownDLL and not redirected by a manifest, the order is: the directory the executable was loaded from, the System32 directory, the 16-bit System directory, the Windows directory, the current working directory, and finally the directories in PATH. Adversaries exploit this ordering by planting a DLL with the expected name in a directory that is searched earlier than the legitimate copy, a technique known as DLL search order hijacking (or binary planting, MITRE ATT&CK T1574.001).

The abused application in this case is FaceFodUninstaller.exe. It exists on a clean OS installation starting from Windows 10 RS4 (1803) in the “%WINDIR%\System32\WinBioPlugIns” folder. The executable imports winbio.dll, whose legitimate copy lives in the parent directory (“%WINDIR%\System32”). Because the application directory is searched before System32, a winbio.dll dropped into WinBioPlugIns is loaded instead of the real one, and the attacker’s code then runs inside a signed Microsoft binary without touching the executable itself. Writing to that folder requires administrative rights, so this is a persistence and defence-evasion step after initial compromise rather than a privilege escalation.

Figure 1: FaceFodUninstaller.exe import table

Impact

Exposure of sensitive information: the planted DLL carries the Carbanak backdoor, which runs under a legitimate, Microsoft-signed process and gives the attacker remote access to the host.

Indicators of Compromise

MD5

  • 21e79ae1d7a5f020c171f412cbb92253
  • a8ba59eebd4858b8b448f13a436edf60
  • 4b32521cc8a8c050fbc55b3f9d05c84d
  • 27370ffd32942337596785ec737a4e46

SHA-256

  • 42d3cf75497a724e9a9323855e0051971816915fc7eb9f0426b5a23115a3bdcb
  • 7bdae0dfc37cb5561a89a0b337b180ac6a139250bd5247292f470830bd96dda7
  • 77a6fbd4799a8468004f49f5929352336f131ad83c92484b052a2eb120ebaf9a
  • c1c68454e82d79e75fefad33e5acbb496bbc3f5056dfa26aaf1f142cee1af372

SHA-1

  • ccd96a0b38d2edd14e290c597a7371e412429515
  • 02216bbd2633b23be575230bb1d0fe176ea88b4f
  • ff62e30eb38116b3273543f9ace038c4d0003f9c
  • a69d0ffed73198235c73f412a81dd2f4d12aa152

Remediation

  • Block all threat indicators at your respective controls.
  • Alert on any winbio.dll present in “%WINDIR%\System32\WinBioPlugIns”, and on FaceFodUninstaller.exe loading winbio.dll from any path other than “%WINDIR%\System32”; on a clean system the plug-in folder contains no copy of that DLL.
  • Always be suspicious about emails sent by unknown senders.
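The following PowerShell script is an added example, not code from the Rewterz alert or from the enSilo research it summarises. It ties together the DLL search order described in the analysis and the detection bullets above: it walks the standard search order for the winbio.dll import of FaceFodUninstaller.exe, reports which file the loader would actually map, and compares that file and the rest of the plug-in folder against the SHA-256 indicators listed in this alert. It assumes Windows 10 1803 or later with SafeDllSearchMode enabled (the default), an elevated PowerShell 5.1 or 7 session, and that only the four hashes above are of interest; the paths and function names are the script’s own.

```powershell
# Added example (not from the Rewterz/enSilo write-up). Assumptions: Windows 10 1803+,
# SafeDllSearchMode on, elevated session. $IocSha256 holds the SHA-256 IOCs from the alert.

$AppPath = Join-Path $env:WINDIR 'System32\WinBioPlugIns\FaceFodUninstaller.exe'

$IocSha256 = @(
    '42d3cf75497a724e9a9323855e0051971816915fc7eb9f0426b5a23115a3bdcb',
    '7bdae0dfc37cb5561a89a0b337b180ac6a139250bd5247292f470830bd96dda7',
    '77a6fbd4799a8468004f49f5929352336f131ad83c92484b052a2eb120ebaf9a',
    'c1c68454e82d79e75fefad33e5acbb496bbc3f5056dfa26aaf1f142cee1af372'
)

# Standard (SafeDllSearchMode) search order for an import that is not already loaded,
# not a KnownDLL and not redirected by a manifest. The application directory comes
# first, which is exactly what a planted DLL relies on.
function Get-DllSearchOrder {
    param(
        [Parameter(Mandatory)][string]$ExecutablePath,
        [Parameter(Mandatory)][string]$DllName
    )
    $dirs = @(
        (Split-Path -Parent $ExecutablePath),   # 1. directory of the executable
        [Environment]::SystemDirectory,         # 2. %WINDIR%\System32
        (Join-Path $env:WINDIR 'System'),       # 3. 16-bit System directory
        $env:WINDIR,                            # 4. %WINDIR%
        (Get-Location).Path                     # 5. current working directory
    ) + ($env:PATH -split ';' | Where-Object { $_ })   # 6. PATH entries
    foreach ($d in $dirs) { Join-Path $d $DllName }
}

# The first candidate that exists on disk is the file the loader would map.
function Resolve-Dll {
    param([string]$ExecutablePath, [string]$DllName)
    Get-DllSearchOrder -ExecutablePath $ExecutablePath -DllName $DllName |
        Where-Object { Test-Path -LiteralPath $_ -PathType Leaf } |
        Select-Object -First 1
}

function Test-WinbioHijack {
    param([string]$ExecutablePath = $AppPath)
    $resolved = Resolve-Dll -ExecutablePath $ExecutablePath -DllName 'winbio.dll'
    $legit    = Join-Path ([Environment]::SystemDirectory) 'winbio.dll'
    if (-not $resolved) {
        return [pscustomobject]@{ Resolved = $null; Verdict = 'winbio.dll not found on the search path' }
    }
    $hash = (Get-FileHash -LiteralPath $resolved -Algorithm SHA256).Hash.ToLower()
    $sig  = Get-AuthenticodeSignature -LiteralPath $resolved
    $msSigned = ($sig.Status -eq 'Valid') -and
                ($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
    # Path comparison is case-insensitive in PowerShell, so System32 vs system32 is fine.
    $verdict = if ($IocSha256 -contains $hash) { 'MATCH: hash is a known BOOSTWRITE/Carbanak sample' }
               elseif ($resolved -ne $legit)   { 'SUSPICIOUS: winbio.dll would load from outside System32' }
               elseif (-not $msSigned)         { 'SUSPICIOUS: winbio.dll in System32 is not Microsoft-signed' }
               else                            { 'OK: the legitimate winbio.dll would load' }
    [pscustomobject]@{
        Resolved = $resolved
        Sha256   = $hash
        Signer   = $sig.SignerCertificate.Subject
        Verdict  = $verdict
    }
}

# The planted file need not keep the winbio.dll name in every intrusion, so also sweep
# the plug-in folder for any file whose hash matches the alert's indicators.
function Find-IocMatches {
    param([string]$Directory = (Split-Path -Parent $AppPath))
    Get-ChildItem -LiteralPath $Directory -File -ErrorAction SilentlyContinue | ForEach-Object {
        $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
        if ($IocSha256 -contains $h) { $_.FullName }
    }
}

Test-WinbioHijack | Format-List
Find-IocMatches
```

Run it on each host in scope rather than only on the one that raised the alert; a hash match is conclusive, while a winbio.dll resolving outside System32 is a strong signal even when its hash is unknown, since a recompiled loader would not appear in the IOC list. The Authenticode check is a secondary heuristic only: it catches an unsigned or self-signed replacement in System32 but says nothing about a DLL that was never meant to be there.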