Cybercrooks get cozy with BoxedApp to dodge detection

Some of the biggest names in the game are hopping on the trend


Malware miscreants are increasingly showing a penchant for abusing legitimate, commercial packer apps to evade detection.

Jiří Vinopal, threat researcher at Check Point Research, says the trend has become especially popular over the past 12 months, and BoxedApp is one of the products that appear to be among the most favored.

Some of the most prevalent malware strains in the world are abusing BoxedApp to evade static analysis, the researcher claims. The vast majority are remote access trojans (RATs), such as Agent Tesla, AsyncRAT, and QuasarRat, although other cases have involved ransomware strains such as LockBit variants and infostealers such as Redline.

[Chart: spike in malicious BoxedApp samples submitted to VirusTotal, courtesy of Check Point Research]

BoxedApp has been around for several years, but abuse of its SDK shot up from March 2023. It offers attackers a range of benefits that Check Point Research believes outweigh the negatives.

Among the more notable features BoxedApp offers, those that would especially interest bad actors are:

Application security expert Sean Wright told us: "The virtual processes may make it harder for anti-malware and other endpoint protection systems to detect the malware running via the BoxedApp SDK. Many of these products rely on the fact these processes run directly on the system as opposed to a virtualized process, which could then be hidden from the protection tooling.

"An easier way to perhaps think of this is a process running in a virtual machine, although it would likely be a bit more nuanced than this. So, from an attacker perspective, this helps prevent detection which would be one of their primary goals. The longer they go undetected the more data they could potentially gain access to."

BoxedApp programs do tend to generate a high false positive rate when scanned by antivirus solutions, according to Check Point Research. Even non-malicious apps packed using BoxedApp, such as a simple "Hello World" program, are flagged up by many antivirus engines, the report adds.

An analysis of 1,200 genuinely malicious samples submitted to VirusTotal – the Google-owned malware platform that shows which vendors' solutions push alerts for different payloads – found that 25 percent were flagged up when packed using BoxedApp.

However, this can be seen either as a negative or a positive, depending on your outlook. While BoxedApp-packaged malware has a decent enough chance of triggering warnings in an organization's SOC, it can also play into attackers' hands, as security teams may disable alerts relating to applications running the BoxedApp SDK.

"My advice to organizations is to limit the use of BoxedApp apps if possible," Wright said. "If you need to use these types of applications, look to leveraging controls such as signing of these applications, which as [Check Point Research's] writeup indicates can also help reduce the false positive rates."

[Chart: malicious BoxedApp samples by submitting country on VirusTotal, courtesy of Check Point Research]

When looking deeper into the VirusTotal submissions, Vinopal found that the majority came from Turkey, the US, and Germany, although small percentages were reported from countries across the world.

"Most of the attributed malicious samples were used in attacks against financial institutions and government industries," the researcher blogged. "Using BoxedApp products to pack the malicious payloads enabled the attackers to lower the detection rate, harden their analysis, and use the advanced capabilities of BoxedApp SDK, e.g. Virtual Storage, that would normally take a long time to develop from scratch."

The Register approached BoxedApp for comment but it didn't immediately respond.

For those looking for ways to better detect abuses of BoxedApp, Check Point Research provides a set of Yara signatures in its report to help detect the packer while pulling out all the details and binary hashes of the packed app. ®
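The two defensive points above, Wright's advice to rely on code signing rather than switching BoxedApp alerts off, and Check Point Research's Yara signatures for spotting the packer, fit together as a triage policy. The following Python is an added illustration written for this page; it is not code from Check Point Research, BoxedApp, or The Register. It assumes a YARA pass and an Authenticode check have already run on each file, and the rule name "packer_boxedapp", the publisher names and the hashes are constructed placeholders, not the real rule names or indicators from the report.

```python
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    SUPPRESS = "suppress"  # trusted signer and quiet on AV: do not page anyone
    REVIEW = "review"      # packed but inconclusive: analyst queue
    ALERT = "alert"        # packed, untrusted, and convicted by many engines


@dataclass
class Sample:
    sha256: str
    yara_matches: list = field(default_factory=list)  # rule names matched by the YARA pass
    signed: bool = False                               # Authenticode signature verified OK
    signer: str = ""                                   # subject of the signing certificate
    av_detections: int = 0                             # engines flagging it on a VirusTotal-style report
    av_total: int = 0                                  # engines that scanned it


# Placeholder rule name (assumption): Check Point's real rule names live in its report.
PACKER_RULE = "packer_boxedapp"


def is_boxedapp_packed(sample: Sample) -> bool:
    """True when the YARA pass matched the packer rule."""
    return PACKER_RULE in sample.yara_matches


def detection_ratio(sample: Sample) -> float:
    """Fraction of engines that flagged the file; 0.0 when it was never scanned."""
    return sample.av_detections / sample.av_total if sample.av_total else 0.0


def triage(sample: Sample, trusted_signers: set, conviction_ratio: float = 0.25) -> Verdict:
    """Decide what to do with a BoxedApp-packed file without blanket-suppressing the packer.

    The only thing that earns SUPPRESS is a valid signature from a publisher the
    organisation knowingly runs; the packer on its own never does. The 0.25 threshold
    is a constructed default, not a figure from the report.
    """
    if not is_boxedapp_packed(sample):
        raise ValueError("triage() only handles samples the packer rule matched")
    ratio = detection_ratio(sample)
    trusted = sample.signed and sample.signer in trusted_signers
    if trusted:
        # Engine noise on a known-good signed app is the expected BoxedApp false positive,
        # but a heavily convicted signed file still gets an analyst's eyes on it.
        return Verdict.REVIEW if ratio >= conviction_ratio else Verdict.SUPPRESS
    return Verdict.ALERT if ratio >= conviction_ratio else Verdict.REVIEW


def summarise(samples, trusted_signers) -> dict:
    """Count verdicts over the packed subset of a batch (unpacked files are skipped)."""
    counts = {v: 0 for v in Verdict}
    for s in samples:
        if is_boxedapp_packed(s):
            counts[triage(s, trusted_signers)] += 1
    return counts


# Constructed batch: hashes and publisher names are placeholders, not real indicators.
TRUSTED_SIGNERS = {"Example Corp (constructed)"}
SAMPLES = [
    Sample("placeholder-sha256-1", ["packer_boxedapp"], True, "Example Corp (constructed)", 2, 70),
    Sample("placeholder-sha256-2", ["packer_boxedapp"], False, "", 40, 70),
    Sample("placeholder-sha256-3", ["packer_boxedapp"], False, "", 3, 70),
    Sample("placeholder-sha256-4", ["packer_boxedapp"], True, "Unknown Publisher (constructed)", 30, 70),
    Sample("placeholder-sha256-5", ["packer_boxedapp"], True, "Example Corp (constructed)", 50, 70),
    Sample("placeholder-sha256-6", [], False, "", 0, 70),
]

if __name__ == "__main__":
    for s in SAMPLES:
        if is_boxedapp_packed(s):
            print(s.sha256, triage(s, TRUSTED_SIGNERS).value)
    print(summarise(SAMPLES, TRUSTED_SIGNERS))
```

The design point is the one Wright makes: the suppression decision keys on who signed the binary, not on the packer, so an attacker who merely wraps a RAT in BoxedApp still lands in the alert or review queue, while the in-house BoxedApp-packed tool that trips a dozen engines stops paging the SOC once it is signed by a publisher on the allowlist.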
