1. Home
  2. Software
  3. xCaon

xCaon

xCaon is an HTTP variant of the BoxCaon malware family that has used by IndigoZebra since at least 2014. xCaon has been used to target political entities in Central Asia, including Kyrgyzstan and Uzbekistan.[1][2]

ID: S0653
Type: MALWARE
Platforms: Windows
Contributors: Pooja Natarajan, NEC Corporation India; Yoshihiro Kori, NEC Corporation; Manikantan Srinivasan, NEC Corporation India
Version: 1.0
Created: 29 September 2021
Last Modified: 16 October 2021
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

xCaon has communicated with the C2 server by sending POST requests over HTTP.[1]

Enterprise T1547 Boot or Logon Autostart Execution

xCaon has added persistence via the Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load which causes the malware to run each time any user logs in.[1]
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

xCaon has a command to start an interactive shell.[1]
Enterprise T1132 .001 Data Encoding: Standard Encoding

xCaon has used Base64 to encode its C2 traffic.[1]
Enterprise T1005 Data from Local System

xCaon has uploaded files from victims' machines.[1]
Enterprise T1140 Deobfuscate/Decode Files or Information

xCaon has decoded strings from the C2 server before executing commands.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

xCaon has encrypted data sent to the C2 server using a XOR key.[1]

Enterprise T1105 Ingress Tool Transfer

xCaon has a command to download files to the victim's machine.[1]
Enterprise T1106 Native API

xCaon has leveraged native OS function calls to retrieve victim's network adapter's information using GetAdapterInfo() API.[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

xCaon has checked for the existence of Kaspersky antivirus software on the system.[1]
Enterprise T1016 System Network Configuration Discovery

xCaon has used the GetAdaptersInfo() API call to get the victim's MAC address.[1]

Groups That Use This Software

ID Name References
G0136 IndigoZebra

[1]

References

  1. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
  1. Kaspersky Lab's Global Research & Analysis Team. (2017, August 8). APT Trends report Q2 2017. Retrieved February 15, 2018.