Dboxshell

Malware updated 5 months ago (2024-05-05T05:18:14.104Z)

Download STIX

Preview STIX

DboxShell is a type of malware that uses cloud storage services as a command and control (C&C) mechanism. It is also known as PowerMagic by Kaspersky. This malicious software infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can disrupt operations, steal personal information, or even hold data for ransom. The malware was deployed in multiple operations, with variants used in OP#1 and OP#4. Upon execution of DBoxShell or its variant GraphShell, which was utilized in OP#5, the reconnaissance phase begins. This stage serves as an entry point for the attackers, allowing them to evaluate the potential interest of their targets. They use different tools during this phase to assess the value of the compromised system. In one instance, the attack involved a phishing email with a malicious attachment that downloaded a variant of DBoxShell malware onto the victim’s device. In a specific scenario, a .vbs file was found to be responsible for XORing and executing a .dat file, which contained a small loader and a variant of DBoxShell. After applying a conversion to the file, it was identified as DBoxShell. The cybersecurity firm Malwarebytes has studied this malware extensively, noting its unique utilization of cloud storage services for its C&C mechanism.

Description last updated: 2024-05-05T04:52:06.011Z

What's your take? (Question 1 of 3)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Powermagic is a possible alias for Dboxshell. PowerMagic is a sophisticated malware, also known as DBoxShell, that has been linked to a series of advanced persistent threat (APT) activities. This malicious software was identified by Kaspersky researchers who traced its connections to previous APT activities such as Operation Groundbait, the Pri	2
Graphshell is a possible alias for Dboxshell. GraphShell is a malicious software (malware) that has been used in cyber-attacks to exploit and damage computer systems. It was first reported in March 2023 by the cybersecurity firm Bad Magic, which documented its use in attacks targeting Russian-occupied territories of Ukraine. The malware, also k	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Malwarebytes

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Source Document References

Information about the Dboxshell Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Malwarebytes	a year ago	Uncovering RedStinger - Undetected APT cyber operations in Eastern Europe since 2020
CERT-EU	a year ago	Mysterious Red Stinger APT spying on pro-Ukraine and pro-Russia targets in Ukraine
BankInfoSecurity	a year ago	Enigmatic Hacking Group Operating in Ukraine
CERT-EU	a year ago	Enigmatic Hacking Group Operating in Ukraine \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker – National Cyber Security Consulting
CERT-EU	a year ago	A Decade of ‘Bad Magic’ In Cyber Espionage
CERT-EU	a year ago	Bad Magic's Extended Reign in Cyber Espionage Goes Back Over a Decade
CERT-EU	a year ago	New APT Group Red Stinger Targets Military and Critical Infrastructure in Eastern Europe
CERT-EU	a year ago	Newly identified APT group's motives in Ukraine baffle researchers