Malware’s New Playground: Inside the Box

Check Point Research analyzes how BoxedApp commercial packers are increasingly abused to deploy multiple malware families, leveraging features like Virtual Storage, Virtual Processes, and API hooking to hide payloads and complicate analysis. The report focuses on BoxedApp Packer, BxILMerge, and BoxedApp SDK internals, their impact on static/dynamic detection, and offers Yara signatures to help identify the packers. Hashtags: #BoxedApp #BoxedAppPacker #BxILMerge #BoxedAppSDK #VirtualStorage #PEInjection #Deobfuscate/Decode #QuasarRAT #NanoCore #NjRAT #Neshta #AsyncRAT #XWorm #LodaRAT #RevengeRAT #AgentTesla #LockBit #RedLine #Remcos #ZXShell #Ramnit

Keypoints

  • BoxedApp products are being increasingly abused to package and deploy multiple malware families, notably RATs and stealers, with a focus on financial and government targets.
  • The main abused products are BoxedApp Packer, BxILMerge, and BoxedApp SDK, which enable Virtual Storage (Virtual File System/Virtual Registry), Virtual Processes (PE Injection), and API hooking to create custom, hard-to-detect packers.
  • Malware packed with BoxedApp often runs entirely in memory, preserving a virtual environment and compressing embedded content (e.g., Zlib-DEFLATE) to evade static detection.
  • VirusTotal analysis over three years shows about 25% of BoxedApp-packed samples are flagged as malicious by behavior-based verdicts, illustrating the abuse trend; the abuse appears worldwide with attackers targeting financial and government sectors.
  • Observed malware families include QuasarRAT, NanoCore, NjRAT, Neshta, AsyncRAT, XWorm, LodaRAT, RevengeRAT, AgentTesla, LockBit, RedLine, Remcos, ZXShell, and Ramnit.
  • The report provides deep internals on how BoxedApp packs modify binaries, including TLS callbacks driving Virtual Storage initialization and in-memory decompression, and how unpacking can be performed for analysis.
  • Yara signatures are provided to detect BoxedApp packers and distinguish between BoxedApp Packer, BxILMerge, and BoxedApp SDK packaging styles.

MITRE Techniques

  • [T1027] Obfuscated/Compressed Files and Information – The BoxedApp packaging compresses Virtual Storage content (e.g., “Zlib – DEFLATE”) and keeps I/O in memory, reducing disk artifacts: “All I/O to Virtual Storage stays only in memory (no file is dropped to disk), e.g., DLL loading from Virtual Storage.”
  • [T1140] Deobfuscate/Decode Files or Information – Decompression and runtime initialization occur inside the Virtual Storage during execution: “the TLS Callback is responsible…initializing Virtual Storage and possibly decompressing its content.”
  • [T1055.012] Process Injection – BoxedApp creates Virtual Processes by injecting the original PE into remote memory via a suspended process and a method using VirtualAllocEx/WriteProcessMemory/CreateRemoteThreadEx: “PE Injection is similar to PE Hollowing without unmapping the original main module.”

Indicators of Compromise

  • [File] Embedded/packed assets in Virtual Storage – Examples include the .bxpck section and core BoxedApp SDK DLLs such as bxsdk32.dll and bxsdk64.dll
  • [File] BoxedApp SDK helper components – Examples include BoxedAppSDK_AppDomainManager.dll and BoxedAppSDKThunk.dll
  • [Hash] File hashes (VirusTotal references) – 77c30d1e3f12151b4e3d3090355c8ce06582f4d0dd3cdb395caa836bd80a97f6, c76d2e396d654f6f92ea7cd58d43e739b9f406529369709adece23638436cd25, and 1 more hash (as seen in VirusTotal links)
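The file indicators above (the `.bxpck` section and the BoxedApp SDK DLL names) can be turned into a simple triage check. The script below is an added example written for this summary; it is not Check Point's Yara signature and not BoxedApp code. It walks the PE section table and looks for the `.bxpck` section name, and scans the raw bytes for the SDK DLL names listed above. The `build_minimal_pe` helper and the sample files it produces are constructed here so the check runs offline; the assumption that these indicators together mean "BoxedApp packaging present" is mine, and, as the report notes, BoxedApp is a commercial product, so a hit marks the packer, not malice on its own.

```python
import struct

# Indicators taken from this summary: the section name BoxedApp Packer adds
# and the SDK DLL names that BoxedApp SDK / BxILMerge builds embed.
BOXEDAPP_SECTION = b".bxpck"
BOXEDAPP_DLL_NAMES = [
    b"bxsdk32.dll",
    b"bxsdk64.dll",
    b"BoxedAppSDK_AppDomainManager.dll",
    b"BoxedAppSDKThunk.dll",
]


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image, or [] if data is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    # COFF header follows the PE signature: NumberOfSections at +6,
    # SizeOfOptionalHeader at +20; the section table starts after the optional header.
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes, name is the first 8
        if off + 40 > len(data):
            break  # truncated section table: stop rather than read garbage
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def boxedapp_indicators(data: bytes) -> dict:
    """Collect the BoxedApp file indicators present in a PE image."""
    sections = pe_section_names(data)
    hits = {
        "bxpck_section": BOXEDAPP_SECTION in sections,
        "sdk_dll_strings": [n.decode() for n in BOXEDAPP_DLL_NAMES if n in data],
    }
    # Assumption (mine): either indicator is enough to flag BoxedApp packaging for triage.
    hits["looks_boxedapp"] = hits["bxpck_section"] or bool(hits["sdk_dll_strings"])
    return hits


def build_minimal_pe(section_names: list, extra: bytes = b"") -> bytes:
    """Construct a tiny header-only PE skeleton (constructed test input, not runnable code)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0  # no optional header; enough for walking the section table
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + sections + extra


if __name__ == "__main__":
    samples = {
        "clean": build_minimal_pe([b".text", b".rdata"]),
        "packer": build_minimal_pe([b".text", b".bxpck"]),
        "sdk": build_minimal_pe([b".text"], extra=b"\0bxsdk64.dll\0"),
    }
    for label, blob in samples.items():
        print(label, boxedapp_indicators(blob))
```

To triage a real file, read it with `open(path, "rb").read()` and pass the bytes to `boxedapp_indicators`. The string match for SDK DLL names is deliberately crude (it fires on any occurrence, including in resources or overlay data); the section-name check is the more specific of the two, and neither replaces the Yara rules the report ships.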

Read more: https://research.checkpoint.com/2024/inside-the-box-malwares-new-playground/