Discover and read the best of Twitter Threads about #BOOSTWRITE
Most recents (1)
π€π° Mahalo FIN7: fireeye.com/blog/threat-reβ¦
β’ On several on-going investigations we saw #FIN7 trying to retool ππΌ
β’ Used DLL search order hijacking of a legit POS management utility with a signed backdoor (0 detections on VirusTotal)
β’ Hunting for #BOOSTWRITE and #RDFSNIFFER π³
β’ On several on-going investigations we saw #FIN7 trying to retool ππΌ
β’ Used DLL search order hijacking of a legit POS management utility with a signed backdoor (0 detections on VirusTotal)
β’ Hunting for #BOOSTWRITE and #RDFSNIFFER π³
.@josh__yoder & I stayed up much of the night to get this blog out.
The signed #BOOSTWRITE sample is still undetected by static VT scanners: virustotal.com/gui/file/18cc5β¦
We were fair on why that is and how that doesn't fully represent detection posture.
Then we provided hunting rules.
The signed #BOOSTWRITE sample is still undetected by static VT scanners: virustotal.com/gui/file/18cc5β¦
We were fair on why that is and how that doesn't fully represent detection posture.
Then we provided hunting rules.
#FIN7's code signing certificate is purportedly from Mango Enterprise Limited in the UK.
Prob not theirs - based on the street address, I suspect there's more car theft than certificate theft π: maps.app.goo.gl/MbznDeJPHJr4n5β¦
We analyze & discuss how to find the certificate anomalies!
Prob not theirs - based on the street address, I suspect there's more car theft than certificate theft π: maps.app.goo.gl/MbznDeJPHJr4n5β¦
We analyze & discuss how to find the certificate anomalies!
