Over the past few months, we have been monitoring the increasing abuse of BoxedApp products in the wild. BoxedApp products are commercial packers that provide advanced features such as Virtual Storage (Virtual File System, Virtual Registry), Virtual Processes, and a universal instrumentation system (WIN/NT API hooking).
Even though BoxedApp has been commercially available for a while, in the past year we detected a significant increase in its abuse to deploy numerous known malware families, primarily related to RATs and stealers. The majority of the attributed malicious samples targeted financial institutions and government industries.
Read more…
Source: Check Point
Related:
- Graphican: Flea uses new backdoor in attacks targeting Foreign Ministries
June 21, 2023
The Flea (aka APT15, Nickel) advanced persistent threat (APT) group continued to focus on foreign ministries in a recent attack campaign that ran from late 2022 into early 2023 in which it leveraged a new backdoor called Backdoor.Graphican. This campaign was primarily focused on foreign affairs ministries in the Americas, although the group also targeted a ...
- Dissecting TriangleDB, a Triangulation spyware implant
June 21, 2023
Over the years, there have been multiple cases when iOS devices were infected with targeted spyware such as Pegasus, Predator, Reign and others. Often, the process of infecting a device involves launching a chain of different exploits. Due to this granularity, discovering one exploit in the chain often does not result in retrieving the rest ...
- In search of the Triangulation: triangle_check utility
June 2, 2023
In their initial blogpost about “Operation Triangulation”, Kaspersky published a comprehensive guide on how to manually check iOS device backups for possible indicators of compromise using MVT. This process takes time and requires manual search for several types of indicators. To automate this process, Kaspersky researchers developed a dedicated utility to scan the backups and run ...
- Operation Triangulation: iOS devices targeted with previously unknown malware
June 1, 2023
While monitoring its own corporate Wi-Fi network dedicated for mobile devices using the Kaspersky Unified Monitoring and Analysis Platform (KUMA), Kaspersky researchers noticed suspicious activity that originated from several iOS-based phones. Since it is impossible to inspect modern iOS devices from the inside, researchers created offline backups of the devices in question, inspected them using the ...
- Don’t @ Me: URL Obfuscation Through Schema Abuse
May 22, 2023
A technique is being used in the distribution of multiple families of malware that obfuscates the end destination of a URL by abusing the URL schema. Mandiant tracks this adversary methodology as “URL Schema Obfuscation”. The technique could increase the likelihood of a successful phishing attack, and could cause domain extraction errors in logging or security ...
- Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors
May 15, 2023
The Lancefly advanced persistent threat (APT) group is using a custom-written backdoor in attacks targeting organizations in South and Southeast Asia, in activity that has been ongoing for several years. Lancefly may have some links to previously known groups, but these are low confidence, which led researchers at Symantec, by Broadcom Software, to classify this activity ...

