BoomBox is a downloader responsible for executing next-stage components that has been used by APT29 since at least 2021.[1]

ID: S0635
Platforms: Windows
Version: 1.0
Created: 03 August 2021
Last Modified: 18 January 2022

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

BoomBox has the ability to execute an LDAP query to enumerate the distinguished name, SAM account name, and display name for all domain users.[1]

Enterprise T1087 .003 Account Discovery: Email Account

BoomBox can execute an LDAP query to discover e-mail accounts for domain users.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

BoomBox has used HTTP POST requests for C2.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

BoomBox can establish persistence by writing the Registry value MicroNativeCacheSvc to HKCU\Software\Microsoft\Windows\CurrentVersion\Run.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

BoomBox can decrypt AES-encrypted files downloaded from C2.[1]

Enterprise T1480 Execution Guardrails

BoomBox can check its current working directory and the presence of a specific file, and terminates if the expected values are not found.[1]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

BoomBox can upload data to dedicated per-victim folders in Dropbox.[1]

Enterprise T1083 File and Directory Discovery

BoomBox can search for specific files and directories on a machine.[1]

Enterprise T1105 Ingress Tool Transfer

BoomBox has the ability to download next-stage malware components to a compromised system.[1]

Enterprise T1036 Masquerading

BoomBox has the ability to mask malicious data strings as PDF files.[1]

Enterprise T1027 Obfuscated Files or Information

BoomBox can encrypt data using AES prior to exfiltration.[1]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

BoomBox can use RunDLL32 for execution.[1]

Enterprise T1082 System Information Discovery

BoomBox can enumerate the hostname, domain, and IP of a compromised host.[1]

Enterprise T1033 System Owner/User Discovery

BoomBox can enumerate the username on a compromised host.[1]

Enterprise T1204 .002 User Execution: Malicious File

BoomBox has gained execution through user interaction with a malicious file.[1]

Enterprise T1102 Web Service

BoomBox can download files from Dropbox using a hardcoded access token.[1]

Groups That Use This Software

ID Name References
G0016 APT29