xCaon

Malware updated 4 months ago (2024-05-04T21:18:52.244Z)
xCaon is a malware family that has been used in cyber-espionage operations for several years, notably by the Chinese-speaking APT actor IndigoZebra. The earliest identified samples date back to 2014. The actor has targeted governmental agencies in Central Asia and former Soviet republics with several tools, including Meterpreter, Poison Ivy, xDown, and the previously unknown family xCaon. Check Point has identified about 30 xCaon samples, all of which rely on the HTTP protocol for command-and-control (C&C) communication.

The family includes an updated variant, BoxCaon, which shares code and functionality with its predecessor. Whereas other xCaon versions communicate with their C&C servers over HTTP using Base64+XOR encryption, BoxCaon sends and receives commands in clear text through the Dropbox API, using the legitimate cloud-storage service as its C&C server. Because that traffic goes to a widely used legitimate service, detection and mitigation are harder for defenders.

Despite its long use, no technical analysis of the xCaon family was publicly available until recently. In-depth analysis has since revealed several xCaon variants, including packed ones, as well as the PoisonIvy malware already reported as part of the actor's arsenal, and the BoxCaon backdoor with its updated, Dropbox-based C&C communication. This illustrates the continued evolution of the xCaon family and underscores the need for continuous vigilance and adaptive security measures.
Description last updated: 2024-05-04T21:08:06.296Z
Aliases: none currently tracked
Source Document References
Information about the xCaon malware was read from the documents below (display limited to 20 results).

Source | Created | Title
- MITRE, 2 years ago: APT Trends report Q2 2017
- MITRE, 2 years ago: IndigoZebra APT continues to attack Central Asia with evolving tools - Check Point Research
- MITRE, 2 years ago: IndigoZebra APT Hacking Campaign Targets the Afghan Government