
S0651 BoxCaon

BoxCaon is a Windows backdoor that was used by IndigoZebra in a 2021 spearphishing campaign against Afghan government officials. BoxCaon's name stems from similarities shared with the malware family xCaon. [1]

ID: S0651
Associated Names: none
Type: MALWARE
Version: 1.0
Created: 27 September 2021
Last Modified: 16 October 2021

Techniques Used

All entries are in the enterprise domain; [1] is the reference listed at the end of the page.

- T1547 Boot or Logon Autostart Execution: BoxCaon established persistence by setting the HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load registry key to point to its executable. [1]
- T1059 Command and Scripting Interpreter
  - T1059.003 Windows Command Shell: BoxCaon can execute arbitrary commands and utilize the "ComSpec" environment variable. [1]
- T1005 Data from Local System: BoxCaon can upload files from a compromised host. [1]
- T1074 Data Staged
  - T1074.001 Local Data Staging: BoxCaon has created a working folder for collected files that it sends to the C2 server. [1]
- T1041 Exfiltration Over C2 Channel: BoxCaon uploads files and data from a compromised host over the existing C2 channel. [1]
- T1567 Exfiltration Over Web Service
  - T1567.002 Exfiltration to Cloud Storage: BoxCaon has the capability to download folders' contents on the system and upload the results back to its Dropbox drive. [1]
- T1083 File and Directory Discovery: BoxCaon has searched for files on the system, such as documents located in the desktop folder. [1]
- T1105 Ingress Tool Transfer: BoxCaon can download files. [1]
- T1106 Native API: BoxCaon has used Windows API calls to obtain information about the compromised host. [1]
- T1027 Obfuscated Files or Information: BoxCaon used the "StackStrings" obfuscation technique to hide malicious functionalities. [1]
- T1016 System Network Configuration Discovery: BoxCaon can collect the victim's MAC address by using the GetAdaptersInfo API. [1]
- T1102 Web Service
  - T1102.002 Bidirectional Communication: BoxCaon has used Dropbox for C2 communications. [1]
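The persistence location named in the T1547 entry (the Load value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows) is one a defender can audit directly, because legitimate software almost never populates it. The PowerShell below is an added example written for this page; it is not from the ATT&CK entry or from any published BoxCaon analysis. It enumerates every loaded user hive rather than only the current user's HKCU, reports any populated Load value, and hashes the referenced file so it can be compared against a known-good inventory. The function name and output field names are my own.

```powershell
# Added example (not from the ATT&CK page): audit the "Load" value under
# HKU\<SID>\Software\Microsoft\Windows NT\CurrentVersion\Windows, the key the
# T1547 entry says BoxCaon pointed at its executable.
function Get-WindowsLoadPersistence {
    [CmdletBinding()]
    param()

    $subKey = 'Software\Microsoft\Windows NT\CurrentVersion\Windows'

    # Walk every loaded user hive so persistence planted under another
    # profile on the same machine is not missed.
    $findings = @(Get-ChildItem -Path 'Registry::HKEY_USERS' | ForEach-Object {
        $sid = $_.PSChildName
        if ($sid -like '*_Classes') { return }      # skip the per-user Classes hives

        $keyPath = "Registry::HKEY_USERS\$sid\$subKey"
        if (-not (Test-Path -LiteralPath $keyPath)) { return }

        $load = (Get-ItemProperty -LiteralPath $keyPath -ErrorAction SilentlyContinue).Load
        if ([string]::IsNullOrWhiteSpace($load)) { return }   # empty value: nothing to report

        # Recover the program path: either the quoted path or the first
        # whitespace-delimited token, then expand any %VARIABLES%.
        if ($load -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = ($load.Trim() -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)

        # Hash the referenced file for comparison against a known-good
        # inventory; record when the file has already been removed.
        $hash = if (Test-Path -LiteralPath $exe) {
            (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        } else { 'FILE_NOT_FOUND' }

        [pscustomobject]@{
            UserSID      = $sid
            LoadValue    = $load
            ResolvedPath = $exe
            SHA256       = $hash
        }
    })

    return $findings
}

# Usage: run from an elevated prompt so every loaded hive is readable.
$hits = Get-WindowsLoadPersistence
if ($hits.Count -eq 0) { Write-Output 'No populated Load values found.' }
else { $hits | Format-List }
```

On a clean workstation the function returns nothing; any row it does return should be treated as a lead to investigate, since the value is rarely set by legitimate installers. The same check can be scheduled or folded into an endpoint baseline script, and a populated value is also a candidate for an alert in whatever registry-monitoring telemetry the environment already collects.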

Groups That Use This Software

- G0136 IndigoZebra [1]

References