
S0653 xCaon

xCaon is an HTTP variant of the BoxCaon malware family that has been used by IndigoZebra since at least 2014. xCaon has been used to target political entities in Central Asia, including Kyrgyzstan and Uzbekistan.[1][2]

| Item          | Value             |
|---------------|-------------------|
| ID            | S0653             |
| Associated Names | (none)         |
| Version       | 1.0               |
| Created       | 29 September 2021 |
| Last Modified | 16 October 2021   |

Techniques Used

| Domain     | ID        | Name                                   | Use |
|------------|-----------|----------------------------------------|-----|
| Enterprise | T1071     | Application Layer Protocol             | - |
| Enterprise | T1071.001 | Web Protocols                          | xCaon has communicated with the C2 server by sending POST requests over HTTP.[1] |
| Enterprise | T1547     | Boot or Logon Autostart Execution      | xCaon has added persistence via the Registry key `HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load`, which causes the malware to run each time any user logs in.[1] |
| Enterprise | T1059     | Command and Scripting Interpreter      | - |
| Enterprise | T1059.003 | Windows Command Shell                  | xCaon has a command to start an interactive shell.[1] |
| Enterprise | T1132     | Data Encoding                          | - |
| Enterprise | T1132.001 | Standard Encoding                      | xCaon has used Base64 to encode its C2 traffic.[1] |
| Enterprise | T1005     | Data from Local System                 | xCaon has uploaded files from victims' machines.[1] |
| Enterprise | T1140     | Deobfuscate/Decode Files or Information | xCaon has decoded strings from the C2 server before executing commands.[1] |
| Enterprise | T1573     | Encrypted Channel                      | - |
| Enterprise | T1573.001 | Symmetric Cryptography                 | xCaon has encrypted data sent to the C2 server using an XOR key.[1] |
| Enterprise | T1105     | Ingress Tool Transfer                  | xCaon has a command to download files to the victim's machine.[1] |
| Enterprise | T1106     | Native API                             | xCaon has leveraged native OS function calls to retrieve the victim's network adapter information using the `GetAdaptersInfo()` API.[1] |
| Enterprise | T1518     | Software Discovery                     | - |
| Enterprise | T1518.001 | Security Software Discovery            | xCaon has checked for the existence of Kaspersky antivirus software on the system.[1] |
| Enterprise | T1016     | System Network Configuration Discovery | xCaon has used the `GetAdaptersInfo()` API call to get the victim's MAC address.[1] |

Groups That Use This Software

| ID    | Name        | References |
|-------|-------------|------------|
| G0136 | IndigoZebra | [1]        |