BoxCaon is a Windows backdoor that was used by IndigoZebra in a 2021 spearphishing campaign against Afghan government officials. BoxCaon's name stems from similarities shared with the malware family xCaon.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1005 | Data from Local System | |
| Enterprise | T1547 | Boot or Logon Autostart Execution | BoxCaon established persistence by setting the |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | BoxCaon can execute arbitrary commands through the interpreter named by the "ComSpec" environment variable (cmd.exe by default).[1] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | BoxCaon has created a working folder for collected files that it sends to the C2 server.[1] |
| Enterprise | T1083 | File and Directory Discovery | BoxCaon has searched for files on the system, such as documents located in the desktop folder.[1] |
| Enterprise | T1106 | Native API | BoxCaon has used Windows API calls to obtain information about the compromised host.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | BoxCaon used the "StackStrings" obfuscation technique (assembling strings on the stack from immediates at runtime rather than storing them in the binary) to hide malicious functionality.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | BoxCaon can collect the victim's MAC address by using the |
| Enterprise | T1102.002 | Web Service: Bidirectional Communication | |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1041 | Exfiltration Over C2 Channel | BoxCaon uploads files and data from a compromised host over the existing C2 channel.[1] |
| Enterprise | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | BoxCaon can collect the contents of folders on the system and upload the results to its Dropbox drive.[1] |
| ID | Name | References |
|---|---|---|
| G0136 | IndigoZebra | |