# S0653 xCaon

xCaon is an HTTP variant of the BoxCaon malware family that has been used by IndigoZebra since at least 2014. xCaon has been used to target political entities in Central Asia, including Kyrgyzstan and Uzbekistan.[1][2]
| Item | Value |
|---|---|
| ID | S0653 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 29 September 2021 |
| Last Modified | 16 October 2021 |
## Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | xCaon has communicated with the C2 server by sending POST requests over HTTP.[1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | xCaon has added persistence via the Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load, which causes the malware to run each time any user logs in.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | xCaon has a command to start an interactive shell.[1] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | xCaon has used Base64 to encode its C2 traffic.[1] |
| enterprise | T1005 | Data from Local System | xCaon has uploaded files from victims' machines.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | xCaon has decoded strings from the C2 server before executing commands.[1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | xCaon has encrypted data sent to the C2 server using an XOR key.[1] |
| enterprise | T1105 | Ingress Tool Transfer | xCaon has a command to download files to the victim's machine.[1] |
| enterprise | T1106 | Native API | xCaon has leveraged native OS function calls to retrieve the victim's network adapter information using the GetAdaptersInfo() API.[1] |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | xCaon has checked for the existence of Kaspersky antivirus software on the system.[1] |
| enterprise | T1016 | System Network Configuration Discovery | xCaon has used the GetAdaptersInfo() API call to get the victim's MAC address.[1] |
## Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0136 | IndigoZebra | [1] |