FIN7 Threat Group Adds Two New Tools to Its Arsenal

  • The FIN7 threat group has added two new tools to its malware arsenal, namely BOOSTWRITE and RDFSNIFFER.
  • BOOSTWRITE is a dropper that decrypts and loads two payload DLLs, namely CARBANAK backdoor and RDFSNIFFER.

What’s the matter?

Researchers from FireEye have observed that the FIN7 threat group has added two new tools to its malware arsenal, namely BOOSTWRITE and RDFSNIFFER.


BOOSTWRITE is an in-memory-only dropper that decrypts embedded payloads using an encryption key retrieved from a remote server at runtime. Researchers noted that one of the samples analyzed by them was signed by a valid Certificate Authority.

  • This tool is designed to be launched via abuse of the DLL search order of applications that load the legitimate ‘Dwrite.dll’ provided by the Microsoft DirectX Typography Services.
  • Once loaded, `DWrite.dll` connects to a hard-coded IP and port from which it retrieves a decryption key and initialization vector (IV) to decrypt two embedded payload DLLs.
  • Upon which, BOOSTWRITE decrypts and loads two payload DLLs - CARBANAK backdoor and RDFSNIFFER.

“To accomplish this task, the malware first generates a random file name to be used as a text log under the current user's %TEMP% directory; this filename starts with ~rdf and is followed by a set of random numbers. Next, the malware scans its own image to find the location of a 32-byte long multi-XOR key which is used to decode data inside its body,” researchers noted.


RDFSNIFFER is a payload DLL loaded by BOOSTWRITE.

  • This payload allows an attacker to monitor and tamper with legitimate connections made via NCR Corporation’s ‘Aloha Command Center Client’ (RDFClient).
  • RDFSNIFFER loads into the same process as the legitimate RDFClient by exploiting the utility’s DLL load order, launching each time the ‘Aloha Command Center Client’ is executed on an impacted system.
  • This payload also contains a backdoor component that enables it to inject commands into an active RDFClient session.
  • The commands include upload, download, execute and/or delete arbitrary files.

“While these incidents have also included FIN7’s typical and long-used toolsets, such as CARBANAK and BABYMETAL, the introduction of new tools and techniques provides further evidence FIN7 is continuing to evolve in response to security enhancements,” researchers concluded.

Cyware Publisher