The BoomBox Malware is a middle-stage downloader used in a phishing campaign that impersonated the United States Agency for International Development (USAID). The threat actor took over the agency's Constant Contact account and used it to send over 3000 phishing emails to more than 150 targets. The targeted organizations included government agencies and entities involved in human rights and humanitarian work, as well as international development.
The attack is attributed to the APT29 group, the same actor that carried out the supply-chain attack against SolarWinds. APT29 is also tracked under the names Nobelium, SolarStorm, DarkHalo, UNC2452, and others. The group is believed to have connections to Russia.
BoomBox is one of four never-before-seen malware tools that APT29 used in the USAID operation. The other three are the EnvyScout HTML attachment, the NativeZone loader, and the VaporRage shellcode.
BoomBox is one of the middle-stage payloads in the operation. It is delivered to the infected system as a hidden BOOM.exe file inside an ISO image dropped by the EnvyScout malware. The main functionality of BoomBox is to download two encrypted malware files from Dropbox to the compromised machine. The threat then decrypts the two files and saves them on the local system as '%AppData%\Microsoft\NativeCache\NativeCacheSvc.dll' and '%AppData%\SystemCertificates\CertPKIProvider.dll'. The next step for BoomBox is to execute the files via rundll32.exe. The delivered files carry the payloads for the NativeZone and VaporRage threats.
As its final activity, BoomBox executes an LDAP query in an attempt to collect details such as the SAM account name, email address, distinguished name and display name of all domain users. The harvested data is encrypted and uploaded to a remote server.
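The download, drop and rundll32 execution chain described above is what a defender can hunt for in endpoint telemetry. The following is an added example, not code from the original description or from any vendor report: a small Python detector that scans Sysmon-style process-create, file-create and network-connect events for the BOOM.exe process, a non-Dropbox process fetching from Dropbox, DLLs written to the two named %AppData% paths, and rundll32.exe loading a DLL from those paths, then reports hosts on which the whole chain was seen. The event field names, the sample events, the rundll32 export name and the allowlisting of the legitimate Dropbox client are assumptions made for this example; only the drop paths, BOOM.exe, rundll32.exe and the Dropbox download come from the description. The LDAP harvesting step is not covered here.

```python
"""Added example: hunting for the BoomBox behaviours in Sysmon-style events.
Event shapes and sample events are constructed for this example."""
from dataclasses import dataclass

# Drop locations named in the description, as lower-case path suffixes
# under %AppData% (Roaming).
SUSPECT_DLL_SUFFIXES = (
    r"\microsoft\nativecache\nativecachesvc.dll",
    r"\systemcertificates\certpkiprovider.dll",
)
# Assumption for this example: the legitimate Dropbox client is allowlisted
# so the network rule only fires for other processes talking to Dropbox.
DROPBOX_CLIENT_HINT = r"\dropbox\dropbox.exe"


def _norm(path: str) -> str:
    """Lower-case and normalise slashes so matching is case-insensitive."""
    return path.replace("/", "\\").lower()


def _mentions_suspect_dll(text: str) -> bool:
    """True if a path or command line refers to one of the drop locations."""
    t = _norm(text)
    return any(s in t for s in SUSPECT_DLL_SUFFIXES)


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def detect_boombox_indicators(events):
    """Return one Finding per event that matches a BoomBox behaviour."""
    findings = []
    for ev in events:
        host = ev.get("Computer", "?")
        eid = ev.get("EventID")
        image = _norm(ev.get("Image", ""))
        if eid == 11 and _mentions_suspect_dll(ev.get("TargetFilename", "")):
            # Decrypted payload written to one of the two known paths.
            findings.append(Finding(host, "dll_drop_path", ev["TargetFilename"]))
        elif eid == 1:
            cmd = ev.get("CommandLine", "")
            if image.endswith("\\boom.exe"):
                # The hidden BOOM.exe launched from the mounted ISO.
                findings.append(Finding(host, "boom_exe_process", ev["Image"]))
            elif image.endswith("\\rundll32.exe") and _mentions_suspect_dll(cmd):
                # rundll32.exe loading a DLL from a known drop path.
                findings.append(Finding(host, "rundll32_suspect_dll", cmd))
        elif eid == 3:
            dest = ev.get("DestinationHostname", "").lower()
            if "dropbox" in dest and not image.endswith(DROPBOX_CLIENT_HINT):
                # A process other than the Dropbox client fetching from Dropbox.
                findings.append(Finding(host, "dropbox_fetch", f"{ev['Image']} -> {dest}"))
    return findings


# Download, drop and execution all observed on the same host.
FULL_CHAIN = {"dropbox_fetch", "dll_drop_path", "rundll32_suspect_dll"}


def hosts_with_full_chain(findings):
    """Sorted list of hosts on which every stage of the chain was seen."""
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, r in rules_by_host.items() if FULL_CHAIN <= r)


# Constructed sample telemetry: an infected host WS01 and a clean host WS02.
APPDATA = r"C:\Users\alice\AppData\Roaming"
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "Image": r"D:\BOOM.exe", "CommandLine": r"D:\BOOM.exe"},
    {"EventID": 3, "Computer": "WS01", "Image": r"D:\BOOM.exe",
     "DestinationHostname": "content.dropboxapi.com", "DestinationPort": 443},
    {"EventID": 11, "Computer": "WS01", "Image": r"D:\BOOM.exe",
     "TargetFilename": APPDATA + r"\Microsoft\NativeCache\NativeCacheSvc.dll"},
    {"EventID": 11, "Computer": "WS01", "Image": r"D:\BOOM.exe",
     "TargetFilename": APPDATA + r"\SystemCertificates\CertPKIProvider.dll"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\rundll32.exe",
     # Export name is a placeholder; the real one is not given in the description.
     "CommandLine": 'rundll32.exe "' + APPDATA + r'\Microsoft\NativeCache\NativeCacheSvc.dll",ExportName'},
    # Benign noise on WS02: ordinary rundll32 use, an unrelated DLL, the real client.
    {"EventID": 1, "Computer": "WS02", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"EventID": 11, "Computer": "WS02", "Image": r"C:\Program Files\Foo\foo.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Roaming\Foo\cache.dll"},
    {"EventID": 3, "Computer": "WS02", "Image": r"C:\Program Files\Dropbox\Dropbox.exe",
     "DestinationHostname": "content.dropboxapi.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    found = detect_boombox_indicators(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host}: {f.rule}: {f.detail}")
    print("full chain on:", hosts_with_full_chain(found))
```

Matching on path suffixes rather than full paths keeps the rules independent of the user profile directory, and requiring all three chain stages on one host before escalating keeps a lone Dropbox connection or a single odd rundll32 command line from paging anyone on its own.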