The Dark Side of BoxedApp: The Double Life of Legal Packers

Tomcat

Criminals are adept at hiding malware under a legitimate wrapper.

In the world of cybercrime, a new disturbing trend is gaining momentum — attackers are increasingly using BoxedApp's commercial products to hide and distribute malware. In recent months, analysts have recorded a sharp increase in the number of attacks using these tools.

Over the past year, the number of malware packaged in BoxedApp has grown significantly. The main targets were financial and government organizations around the world. Among the most common types of malware are remote access botnets, infostealers, and ransomware programs like LockBit. Half of the samples come from Turkey, the United States, and Germany.

Most often, attackers used two BoxedApp products, Packer and BxILMerge, both built on the BoxedApp SDK. These tools give access to a whole range of advanced features that simplify distributing malware.

Key features of the BoxedApp SDK include a virtual file system, a virtual registry, creation of virtual processes, interception of system APIs, packaging of executable files, and building a single package with all dependencies. An important advantage is the ability to keep all I/O entirely in RAM, leaving no traces on disk.

Using BoxedApp products can significantly reduce the likelihood of detection by antivirus software, hinder analysis of the program, and provide advanced capabilities that are usually difficult to implement independently.

At the same time, BoxedApp's packaging algorithms are well known, which simplifies static detection of packed files. Virtual processes and API interception can also look suspicious on their own. Another drawback is the high rate of antivirus false positives on benign programs packed this way.

Experts examined about 1,200 samples packed with BoxedApp and submitted to VirusTotal over 3 years. A quarter of them were found to be malicious based on behavioral analysis. The growth of malicious use of BoxedApp is also visible in the submission timeline.

When packed, the program is converted into a single, self-contained PE file. The original imports are destroyed and restored at runtime by a TLS callback, which also initializes the virtual storage and unpacks its contents.

Dependencies of the original application can be placed in a proprietary virtual storage system consisting of a virtual file system and a virtual registry. BoxedApp mechanisms intercept I/O operations and redirect them to virtual space in memory, so no files are created on disk.

Structure of a packaged native PE file:

Original PE with destroyed imports (in the .main section)

Virtual files/registry (in the .bxpck section)

BoxedApp SDK libraries (bxsdk*, BoxedAppSDK_, ThunkUtils, TLSSupport*)

Structure of a packaged .NET PE after Packer:

Native stub file DotNetAppStub

The original .NET PE (in the .bxpck section)

Virtual storage (in the .bxpck section)

BoxedApp SDK Libraries

The BxILMerge product combines .NET assemblies, libraries, and any other files into a single managed module using the BoxedApp mechanisms.

Based on their analysis of BoxedApp binary structures, experts have proposed methods for unpacking the original files and extracting the contents of the virtual storage, including a dynamic approach that dumps the process from memory.

The YARA signatures provided and the knowledge of BoxedApp's internal mechanisms will improve detection of malware hidden with these products, which are rapidly gaining popularity among cybercriminals around the world.
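As an added illustration of the structural indicators listed above (the .main and .bxpck section names, the TLS callback used to restore imports, and the bundled SDK library names), the following Python script is not part of the original post or of any published BoxedApp research. It walks the PE headers of a file without third-party libraries and reports which of those indicators are present, so an analyst can triage samples before running full YARA rules. The sample PE it builds is constructed purely as a test fixture, and the library file name bxsdk64.dll used in it is an assumed placeholder (the post only gives the prefix bxsdk*).

```python
import struct
import sys

# Indicators taken from the post: section names used by BoxedApp Packer and the
# name prefixes of the SDK libraries bundled into the packed file.
BOXEDAPP_SECTIONS = {".main", ".bxpck"}
BOXEDAPP_SDK_MARKERS = (b"bxsdk", b"BoxedAppSDK_", b"ThunkUtils", b"TLSSupport", b"DotNetAppStub")

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_DIRECTORY_ENTRY_TLS = 9


def parse_pe(data: bytes) -> dict:
    """Minimal PE header walk: section names plus import/TLS data-directory entries."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:          # PE32: data directories start at optional header offset 96
        dd_off = opt + 96
    elif magic == 0x20B:        # PE32+: data directories start at optional header offset 112
        dd_off = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)

    def directory(index: int):
        # Each IMAGE_DATA_DIRECTORY entry is (VirtualAddress, Size), 8 bytes.
        return struct.unpack_from("<II", data, dd_off + 8 * index)

    sections = []
    sec_off = opt + size_opt    # section table immediately follows the optional header
    for i in range(num_sections):
        raw = data[sec_off + 40 * i: sec_off + 40 * i + 8]
        sections.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {
        "sections": sections,
        "import_dir": directory(IMAGE_DIRECTORY_ENTRY_IMPORT),
        "tls_dir": directory(IMAGE_DIRECTORY_ENTRY_TLS),
    }


def boxedapp_indicators(data: bytes) -> list:
    """Return human-readable findings that point at BoxedApp packing (empty list if none)."""
    pe = parse_pe(data)
    findings = []
    hits = BOXEDAPP_SECTIONS & set(pe["sections"])
    if hits:
        findings.append("BoxedApp section names: " + ", ".join(sorted(hits)))
    if pe["tls_dir"][0]:
        # Weak on its own; combined with the section names it matches the packer layout.
        findings.append("TLS directory present (packer restores imports from a TLS callback)")
    markers = [m.decode() for m in BOXEDAPP_SDK_MARKERS if m in data]
    if markers:
        findings.append("BoxedApp SDK library names embedded: " + ", ".join(markers))
    return findings


def build_sample_pe(section_names, with_tls=True, payload=b"") -> bytes:
    """Construct a minimal, non-runnable PE32+ image for testing (constructed fixture)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                                        # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)
    if with_tls:
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_TLS, 0x3000, 40)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    for name in section_names:
        image += name.encode().ljust(8, b"\0") + bytes(32)      # 40-byte section header
    return image + payload


if __name__ == "__main__":
    # Usage: python boxedapp_triage.py <file.exe>; without an argument, scan the fixture.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_sample_pe([".main", ".bxpck", ".rsrc"],
                               payload=b"\0bxsdk64.dll\0BoxedAppSDK_Init\0")
    for line in boxedapp_indicators(blob) or ["no BoxedApp indicators"]:
        print(line)
```

The section names and SDK markers are static indicators and therefore also what a YARA rule would key on; the script is only a first-pass triage, and a packed sample still needs the dynamic unpacking (process dump) described above to recover the original file and virtual storage.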