Threat actors abusing known commercial packers to deliver malware

Security researchers are warning of the increasing abuse of BoxedApp products to deploy multiple malware payloads.

BoxedApp products are application virtualization tools that convert regular applications into packed ones. They create a virtual environment in which DLLs, ActiveX controls and the .NET runtime can be embedded, so that an application can be shipped as a single portable executable.

The Check Point threat research team said that over the past few months they observed a spike in the abuse of popular packers such as BoxedApp Packer, BxILMerge, and the BoxedApp SDK. The investigation revealed that the main abused BoxedApp products were BoxedApp Packer and BxILMerge, both built on top of the BoxedApp SDK.

“While both products provide threat actors with access to the most exciting features of the SDK, with the BoxedApp SDK itself they can create a custom, unique packer that leverages the most advanced features and is diverse enough to avoid static detection,” Check Point said.

“The abuse of BoxedApp to deploy malicious payloads and stay under the radar could result in discrepancies caused by its high rate of FP detection even in non-malicious applications. The built-in Windows Defender and other top-notch AVs are usually not affected, but even a simple ‘Hello World’ application packed by BoxedApp is initially detected by several AV engines,” the research team added.

The researchers said that out of 1200 samples packed by BoxedApp submitted to VirusTotal over the past three years, a quarter were flagged as malicious.

The list of the most deployed, attributed malware families includes remote access trojans (RATs), stealers, and ransomware, such as QuasarRAT, NanoCore, NjRAT, Neshta, AsyncRAT, XWorm, LodaRAT, RevengeRAT, AgentTesla, LockBit, RedLine, Remcos, ZXShell, and Ramnit.

Half of the malicious samples submitted to VirusTotal were from Turkey, the United States, and Germany, Check Point noted. Most of the attributed malicious samples were used in attacks on financial and government sectors.

“Using BoxedApp products to pack the malicious payloads enabled the attackers to lower the detection rate, harden their analysis, and use the advanced capabilities of BoxedApp SDK (e.g., Virtual Storage) that would normally take a long time to develop from scratch,” the researchers said.
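As an added illustration (not code from Check Point, BoxedApp, or the original article), the following Python script shows the kind of static triage a defender can run on a suspect executable before deeper analysis: it parses the PE section table with the standard library only, computes per-section Shannon entropy (compressed or encrypted payloads, as produced by a packer, typically sit near 8 bits per byte), and searches the file for packer marker strings. The marker list (`b"BoxedApp"`), the 7.0-bit threshold, and the sample PE built by `build_sample_pe()` are assumptions constructed for this example; a real marker list must be validated against known BoxedApp-packed samples, and, as the researchers note, the same indicators fire on benign packed software, so the output is a triage signal rather than a verdict of maliciousness.

```python
"""Static packing triage for a PE image. Added example; not Check Point's or BoxedApp's code."""
import hashlib
import math
import struct
from collections import Counter

# Assumptions for this example: one marker string and a fixed entropy cutoff.
# Real marker lists must be validated against known BoxedApp-packed samples.
MARKER_STRINGS = [b"BoxedApp"]
ENTROPY_THRESHOLD = 7.0  # bits per byte; compressed/encrypted data approaches 8.0

SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER layout, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a uniform run, close to 8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    (num_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)      # COFF NumberOfSections
    (opt_header_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)  # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_header_size                           # section table follows the optional header
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HEADER, pe, table + 40 * i)
        name, raw_size, raw_ptr = fields[0], fields[3], fields[4]
        raw = pe[raw_ptr:raw_ptr + raw_size]  # slicing tolerates truncated files
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 3),
        })
    return sections


def triage(pe: bytes) -> dict:
    """Report packing indicators: high-entropy sections and marker strings present in the file."""
    sections = parse_sections(pe)
    high = [s["name"] for s in sections if s["entropy"] >= ENTROPY_THRESHOLD]
    markers = [m.decode() for m in MARKER_STRINGS if m in pe]
    return {
        "sections": sections,
        "high_entropy_sections": high,
        "markers_found": markers,
        "verdict": "likely packed" if high or markers else "no packing indicators",
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE for the example (not a real sample): a low-entropy .text
    section carrying the marker string, and a 4 KiB pseudo-random section standing in
    for a compressed payload. Bytes derive from SHA-256 so the image is deterministic."""
    dos = struct.pack("<2s58xI", b"MZ", 0x40)                          # e_lfanew -> 0x40
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * 222                   # PE32 magic, remainder zeroed
    text_data = b"\x90" * 400 + b"BoxedApp" + b"\0" * 104               # 0x200 bytes, low entropy
    packed_data = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
    hdr_text = struct.pack(SECTION_HEADER, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    hdr_packed = struct.pack(SECTION_HEADER, b".packed", 0x1000, 0x2000, 0x1000, 0x400, 0, 0, 0, 0, 0xC0000040)
    headers = dos + coff + optional + hdr_text + hdr_packed             # 392 bytes, padded to 0x200
    return headers.ljust(0x200, b"\0") + text_data + packed_data


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_pe()), indent=2))
```

On the constructed sample the `.text` section scores well under 1 bit per byte while the pseudo-random `.packed` section scores close to 8, and the marker string is found, so the verdict is "likely packed". Against real files the two signals should be weighed separately: entropy catches custom SDK-built packers that carry no recognisable strings, while marker strings catch stock BoxedApp Packer and BxILMerge output, and neither says anything about what the unpacked payload does.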
