OVERVIEW
BoomBox is a malicious downloader used by the actor known as Dark Halo (aka NOBELLIUM, UNC2452).
DELIVERY
The malware (named after the original file BOOM.exe) is dropped as a part of a malicious ISO using the so-called EnvyScout dropper.
BOOMBOX INSTALLATION
Initial execution of the main executable causes the program to validate that a directory called “NV” is located in the working directory. If no directory is present the process terminates. If the folder is identified, then BoomBox displays the NV directory in a new window which, as of writing, contains a PDF that the user must then execute.
Additionally, the malware looks for the presence of the file %AppData%\Microsoft\NativeCache\NativeCacheSvc.dll. If the file is present, it will again terminate.
If all checks are successful, it then begins system enumeration and collects hostname, domain, IP, and username.
If the system which BoomBox is executed on is joined to a domain, it also gathers additional details through LDAP including distinguished name, SAM account name, email and display names of all domain users by using the filter (&(objectClass=user)(objectCategory=person)).
This information is then encrypted using AES with a hardcoded encryption key “123do3y4r378o5t34onf7t3o573tfo73” and Initialization Vector (IV) value of “1233t04p7jn3n4rg”. BoomBox then prepends the so-called magic number “%PDF-1.3 %” to the beginning of the file to allow it to masquerade as a PDF.
BoomBox then uploads the PDF to a target-specific directory on DropBox with the folder name being the MD5 value of the victim’s system name. Once uploaded, BoomBox also downloads an encrypted payload from Dropbox. To decode the file, BoomBox first strips the first 10 bytes of the header and 7 bytes of the footer and then uses the hardcoded key and IV used to encrypt the file containing host enumeration results. The decrypted file is saved to %AppData%\Microsoft\NativeCache\ with a name of NativeCacheSvc.dll.
BoomBox then downloads a second file from /tmp/readme.pdf, again discarding the first 10 bytes of the header, and 7 bytes from the footer. This file is also encrypted, and it decrypts it using the same key and IV as before. This file is written to %AppData%\SystemCertificates\ with a filename of CertPKIProvider.dll and is used to execute NativeCacheSvc.dll using rundll32.exe.
BOOMBOX PERSISTENCE
The malware establishes persistence for the NativeCacheSvc.dll file by creating a Registry Run value MicroNativeCacheSvc in:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicroNativeCacheSvc
With the value:
rundll32.exe %AppData%\Microsoft\NativeCache\NativeCacheSvc.dll _configNativeCache
BOOMBOX COMMUNICATION
The malware uploads data to dropbox using a hardcoded Dropbox Bearer Token, through standard HTTPS POST requests.
