News: 1717502409

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Cybercrooks get cozy with BoxedApp to dodge detection

(2024/06/04)


Malware miscreants are increasingly showing a penchant for abusing legitimate, commercial packer apps to evade detection.

Jiří Vinopal, threat researcher at Check Point Research, says the trend has become especially popular over the past 12 months, and BoxedApp is one of the products that appear to be among the most favored.

Some of the most prevalent malware strains in the world are abusing BoxedApp to evade static analysis, the researcher claims. The vast majority are remote access trojans (RATs), such as [1]Agent Tesla, AsyncRAT , and [2]QuasarRat , although other cases have involved ransomware strains such as [3]LockBit variants and infostealers such as [4]Redline .

[5]

Chart depicts spike in malicious BoxedApp samples submitted to VirusTotal, courtesy of Check Point Research – click to enlarge

BoxedApp has been around for several years but the abuse of its SDK shot up from March 2023. It offers a range of benefits for attackers, a variety that Check Point Research believes outweigh the negatives.

Among the more notable features BoxedApp offers, ones that would interest bad actors especially are:

Virtual Storage

Virtual Processes

Virtual Registry

Application security expert Sean Wright told us: "The virtual processes may make it harder for anti-malware and other endpoint protection systems to detect the malware running via the BoxedApp SDK. Many of these products rely on the fact these processes run directly on the system as opposed to a virtualized process, which could then be hidden from the protection tooling.

"An easier way to perhaps think of this is a process running in a virtual machine, although it would likely be a bit more nuanced than this. So, from an attacker perspective, this helps prevent detection which would be one of their primary goals. The longer they go undetected the more data they could potentially gain access to."

[6]

BoxedApp programs do tend to generate a high false positive rate when scanned by antivirus solutions, according to Check Point Research. Even non-malicious apps packed using BoxedApp, such as a simple "Hello World" program, are flagged up by many antivirus engines, the report adds.

[7]

[8]

An analysis of 1,200 genuinely malicious samples submitted to VirusTotal – the Google-owned malware platform that shows which vendors' solutions push alerts for different payloads – found that 25 percent were flagged up when packed using BoxedApp.

[9]Snowflake denies miscreants melted its security to steal data from top customers

[10]Cyber cops plead for info on elusive Emotet mastermind

[11]New Nork-ish cyberespionage outfit uncovered after three years

[12]FlyingYeti phishing crew grounded after abominable Ukraine attacks

However, this can either be seen as a negative or a positive, depending on your outlook. While BoxedApp-packaged malware has a decent enough chance of triggering warnings in an organization's SOC, it can also play into attackers' hands as security teams may disable alerts relating to applications running the BoxedApp SDK.

"My advice to organizations is to limit the use of BoxedApp apps if possible," Wright said. "If you need to use these types of applications, look to leveraging controls such as signing of these applications, which as [Check Point Research's] writeup indicates can also help reduce the false positive rates."

[13]

Chart depicts malicious BoxedApp samples by country submitting to VirusTotal, courtesy of Check Point Research – click to enlarge

When looking deeper into the [14]VirusTotal submissions, Vinopal found that the majority came from Turkey, the US, and Germany, although small percentages were reported from countries across the world.

"Most of the attributed malicious samples were used in attacks against financial institutions and government industries," the researcher blogged. "Using BoxedApp products to pack the malicious payloads enabled the attackers to lower the detection rate, harden their analysis, and use the advanced capabilities of BoxedApp SDK, e.g. Virtual Storage, that would normally take a long time to develop from scratch."

The Register approached BoxedApp for comment but it didn't immediately respond.

[15]

For those looking for ways to better detect abuses of BoxedApp, Check Point Research provides a set of Yara signatures in its [16]report to help detect the packer while pulling out all the details and binary hashes of the packed app. ®

Get our [17]Tech Resources



[1] https://www.theregister.com/2022/09/28/quantum_builder_agent_tesla_rat/

[2] https://www.theregister.com/2024/05/31/new_norkish_cyberespionage_outfit_uncovered/

[3] https://www.theregister.com/2024/05/07/alleged_lockbit_kingpin_charged_sanctioned/

[4] https://www.theregister.com/2024/02/29/infostealers_increased_use/

[5] https://regmedia.co.uk/2024/06/03/cpr_boxedapp_detections_1.png

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zl86JTOIvytDemTeTcB2cgAAAJQ&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zl86JTOIvytDemTeTcB2cgAAAJQ&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zl86JTOIvytDemTeTcB2cgAAAJQ&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[9] https://www.theregister.com/2024/05/31/snowflake_breach_report/

[10] https://www.theregister.com/2024/05/31/cyber_cops_plead_for_info/

[11] https://www.theregister.com/2024/05/31/new_norkish_cyberespionage_outfit_uncovered/

[12] https://www.theregister.com/2024/05/31/crowdforce_flyingyeti_ukraine/

[13] https://regmedia.co.uk/2024/06/03/cpr_boxedapp_countries.png

[14] https://www.theregister.com/2023/04/25/google_ai_security/

[15] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zl86JTOIvytDemTeTcB2cgAAAJQ&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[16] https://research.checkpoint.com/2024/inside-the-box-malwares-new-playground/

[17] https://whitepapers.theregister.com/



Ian Johnston

Luckily Linux ensures that all applications used shared libraries, which can be kept up to date and any problems sorted very quickly, without individual authors and packagers having to check constantly.

Oh, snap.

"And kids... learn something from Susie and Eddie.
If you think there's a maniacal psycho-geek in the
basement:
1) Don't give him a chance to hit you on the
head with an axe!
2) Flee the premises... even if you're in your
underwear.
3) Warn the neighbors and call the police.
But whatever else you do... DON'T GO DOWN IN THE DAMN BASEMENT!"
-- Saturday Night Live meets Friday the 13th