BoxCaon is a Windows backdoor that was used by IndigoZebra in a 2021 spearphishing campaign against Afghan government officials. BoxCaon's name stems from similarities shared with the malware family xCaon.[1]
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1547 | Boot or Logon Autostart Execution | BoxCaon established persistence by setting the
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | BoxCaon can execute arbitrary commands and utilize the "ComSpec" environment variable.[1]
Enterprise | T1005 | Data from Local System |
Enterprise | T1074.001 | Data Staged: Local Data Staging | BoxCaon has created a working folder for collected files that it sends to the C2 server.[1]
Enterprise | T1041 | Exfiltration Over C2 Channel | BoxCaon uploads files and data from a compromised host over the existing C2 channel.[1]
Enterprise | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | BoxCaon has the capability to download folders' contents on the system and upload the results back to its Dropbox drive.[1]
Enterprise | T1083 | File and Directory Discovery | BoxCaon has searched for files on the system, such as documents located in the desktop folder.[1]
Enterprise | T1105 | Ingress Tool Transfer |
Enterprise | T1106 | Native API | BoxCaon has used Windows API calls to obtain information about the compromised host.[1]
Enterprise | T1027 | Obfuscated Files or Information | BoxCaon used the "StackStrings" obfuscation technique to hide malicious functionalities.[1]
Enterprise | T1016 | System Network Configuration Discovery | BoxCaon can collect the victim's MAC address by using the
Enterprise | T1102.002 | Web Service: Bidirectional Communication |

ID | Name | References
---|---|---
G0136 | IndigoZebra |