BoxCaon is a Windows backdoor that was used by IndigoZebra in a 2021 spearphishing campaign against Afghan government officials. BoxCaon's name stems from similarities shared with the malware family xCaon.[1]

ID: S0651
Platforms: Windows
Contributors: Pooja Natarajan, NEC Corporation India; Yoshihiro Kori, NEC Corporation; Manikantan Srinivasan, NEC Corporation India
Version: 1.0
Created: 27 September 2021
Last Modified: 16 October 2021

Techniques Used

Domain ID Name Use
Enterprise T1547 Boot or Logon Autostart Execution

BoxCaon established persistence by setting the HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load registry key to point to its executable.[1]

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

BoxCaon can execute arbitrary commands and utilize the "ComSpec" environment variable.[1]

Enterprise T1005 Data from Local System

BoxCaon can upload files from a compromised host.[1]

Enterprise T1074.001 Data Staged: Local Data Staging

BoxCaon has created a working folder for collected files that it sends to the C2 server.[1]

Enterprise T1041 Exfiltration Over C2 Channel

BoxCaon uploads files and data from a compromised host over the existing C2 channel.[1]

Enterprise T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

BoxCaon has the capability to download folders' contents on the system and upload the results back to its Dropbox drive.[1]

Enterprise T1083 File and Directory Discovery

BoxCaon has searched for files on the system, such as documents located in the desktop folder.[1]

Enterprise T1105 Ingress Tool Transfer

BoxCaon can download files.[1]

Enterprise T1106 Native API

BoxCaon has used Windows API calls to obtain information about the compromised host.[1]

Enterprise T1027 Obfuscated Files or Information

BoxCaon used the "StackStrings" obfuscation technique to hide malicious functionalities.[1]

Enterprise T1016 System Network Configuration Discovery

BoxCaon can collect the victim's MAC address by using the GetAdaptersInfo API.[1]

Enterprise T1102.002 Web Service: Bidirectional Communication

BoxCaon has used Dropbox for C2 communications.[1]
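The persistence row above (T1547) names the one registry value BoxCaon set: the per-user "load" value under Software\Microsoft\Windows NT\CurrentVersion\Windows, which Windows runs at logon and which is almost never populated on a healthy host. The following script is an added example for defenders, not code from the ATT&CK page or from the malware; it parses a registry export in the text format produced by `reg export` and reports whether that value is set. The export embedded in the script and the program path in it are constructed placeholders.

```python
"""Audit a Windows registry export (.reg text) for the per-user "load"
autostart value that BoxCaon used for persistence (ATT&CK T1547).

Added example for hunting and triage; the registry export below is a
constructed sample, and the payload path in it is a placeholder.
"""
import re

# Key and value named in the ATT&CK entry.  Any program path stored in
# the "load" value is started when the user logs on.
TARGET_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"
TARGET_VALUE = "load"

# Constructed sample of `reg export` output from a host where the value
# has been set.  Backslashes are doubled exactly as .reg files store them.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="C:\\Users\\victim\\AppData\\Roaming\\example_payload.exe"
"NullPort"="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ExcludeProfileDirs"="AppData\\Local;AppData\\LocalLow;$Recycle.Bin;OneDrive"
"""


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for a .reg text export.

    REG_SZ values (the type "load" uses) are unquoted and unescaped;
    any other value type is kept as the raw text after the '='.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        match = re.match(r'^"([^"]+)"=(.*)$', line)
        if match and current is not None:
            name, data = match.group(1), match.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                # REG_SZ: strip the quotes and collapse doubled backslashes
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_load_autostart(text):
    """Return the program path stored in the "load" value, or None.

    Key paths and value names are compared case-insensitively, as the
    registry itself does; an empty "load" value is treated as unset.
    """
    for key_path, values in parse_reg_export(text).items():
        if key_path.lower() != TARGET_KEY.lower():
            continue
        for name, data in values.items():
            if name.lower() == TARGET_VALUE.lower() and data:
                return data
    return None


if __name__ == "__main__":
    hit = find_load_autostart(SAMPLE_REG_EXPORT)
    if hit:
        print(f'[!] "{TARGET_VALUE}" autostart is set under {TARGET_KEY}: {hit}')
    else:
        print('[+] no "load" autostart value found')
```

On a live host the same check is `reg export "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" out.reg` followed by running the script over that file; because the value is per-user, collect it under each profile rather than only the account doing the triage.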

Groups That Use This Software

ID Name References
G0136 IndigoZebra