SOFTWARE

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

Hacking Team UEFI Rootkit

Imminent Monitor

IronNetInjector

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

RemoteUtilities

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

SOFTWARE

1-9

A-B

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

C-D

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

E-F

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

G-H

Hacking Team UEFI Rootkit

I-J

Imminent Monitor

IronNetInjector

K-L

M-N

O-P

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

Q-R

RemoteUtilities

S-T

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

U-V

W-X

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

Y-Z

BoomBox

BoomBox is a downloader responsible for executing next stage components that has been used by APT29 since at least 2021.^[1]

ID: S0635

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.0

Created: 03 August 2021

Last Modified: 16 October 2021

Techniques Used

Domain	ID		Name	Use
Enterprise	T1087	.002	Account Discovery: Domain Account	BoomBox has the ability to execute an LDAP query to enumerate the distinguished name, SAM account name, and display name for all domain users.^[1]
		.003	Account Discovery: Email Account	BoomBox can execute an LDAP query to discover e-mail accounts for domain users.^[1]
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	BoomBox has used HTTP POST requests for C2.^[1]
Enterprise	T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	BoomBox can establish persistence by writing the Registry value `MicroNativeCacheSvc` to `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`.^[1]
Enterprise	T1140		Deobfuscate/Decode Files or Information	BoomBox can decrypt AES-encrypted files downloaded from C2.^[1]
Enterprise	T1480		Execution Guardrails	BoomBox can check its current working directory and for the presence of a specific file and terminate if specific values are not found.^[1]
Enterprise	T1567	.002	Exfiltration Over Web Service: Exfiltration to Cloud Storage	BoomBox can upload data to dedicated per-victim folders in Dropbox.^[1]
Enterprise	T1083		File and Directory Discovery	BoomBox can search for specific files and directories on a machine.^[1]
Enterprise	T1105		Ingress Tool Transfer	BoomBox has the ability to download next stage malware components to a compromised system.^[1]
Enterprise	T1036		Masquerading	BoomBox has the ability to mask malicious data strings as PDF files.^[1]
Enterprise	T1027		Obfuscated Files or Information	BoomBox can encrypt data using AES prior to exfiltration.^[1]
Enterprise	T1218	.011	Signed Binary Proxy Execution: Rundll32	BoomBox can use RunDLL32 for execution.^[1]
Enterprise	T1082		System Information Discovery	BoomBox can enumerate the hostname, domain, and IP of a compromised host.^[1]
Enterprise	T1033		System Owner/User Discovery	BoomBox can enumerate the username on a compromised host.^[1]
Enterprise	T1204	.002	User Execution: Malicious File	BoomBox has gained execution through user interaction with a malicious file.^[1]
Enterprise	T1102		Web Service	BoomBox can downloaded files from Dropbox using a hardcoded access token.^[1]

Groups That Use This Software

ID	Name	References
G0016	APT29	^[1]

References

MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.