BoxOfFriends
BoxOfFriends is a Go-based backdoor associated with the China-aligned threat group GopherWhisper. It was documented by ESET during investigations into intrusions affecting a Mongolian governmental institution, with telemetry indicating about 12 impacted systems at that entity and evidence suggesting additional victims.

For command and control, BoxOfFriends uses a Microsoft 365 Outlook mailbox through the Microsoft Graph API: commands and results are exchanged by creating and modifying draft email messages, so no mail is ever sent and the traffic blends in with legitimate Graph API use. Reporting also states it creates a new Outlook draft to notify operators that it is ready. The malware supports arbitrary shell command execution, file upload and download, directory changes, sleep and interval control, port forwarding, and self-deletion.

It is delivered by the FriendDelivery loader/injector. FriendDelivery decrypts BoxOfFriends from the overlay of a file named wer.dll (the name of a legitimate Windows Error Reporting library) using a null-preserving XOR operation with key 0x56, then injects it into help.exe. FriendDelivery also installs persistence as the bdreinitsvc Windows service under %APPDATA%\BitDifender, a folder name that mimics the BitDefender antivirus brand with one letter changed.

ESET extracted 43 draft messages, one deleted message, and five inbox messages from the Outlook account used by BoxOfFriends. That account, barrantaya.1010@outlook[.]com, was created on 2024-07-11. One listed sample is detected as WinGo/Agent.AJI with SHA-1 926974FACFD0383C65458D6EF1F31FBB7C769E18.
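The overlay decryption that FriendDelivery performs can be reproduced offline. The Go program below is an added example written for this page, not code from ESET or from the malware: it locates the overlay of a PE file (everything after the last raw section), applies the null-preserving XOR with key 0x56, and checks whether the result starts like a PE image. The page only names the scheme, so the exact variant (bytes equal to 0x00 and bytes equal to the key are passed through unchanged, which is what keeps the transform its own inverse) is an assumption, and the 68-byte header built by MinimalPEHeader is constructed test input, not real sample data.

```go
package main

import (
	"bytes"
	"debug/pe"
	"encoding/binary"
	"fmt"
	"os"
)

// XorNullPreserving applies single-byte XOR but leaves 0x00 bytes untouched.
// Bytes already equal to the key are also passed through: without that rule a
// plaintext byte equal to the key would encrypt to 0x00 and then be skipped on
// the way back, so the transform would not round-trip. The page only says
// "null-preserving XOR with key 0x56"; skipping the key byte is this example's
// assumption about the variant.
func XorNullPreserving(data []byte, key byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		if b == 0x00 || b == key {
			out[i] = b
		} else {
			out[i] = b ^ key
		}
	}
	return out
}

// OverlayOffset returns the file offset where the overlay begins: the end of the
// last raw section. The loader never maps data past this point, which is why it
// is a convenient place to park an encrypted payload.
func OverlayOffset(f *pe.File) int64 {
	var end int64
	for _, s := range f.Sections {
		if e := int64(s.Offset) + int64(s.Size); e > end {
			end = e
		}
	}
	return end
}

// LooksLikePE is the sanity check after decryption: an "MZ" stub whose
// e_lfanew field points at a "PE\0\0" signature inside the buffer.
func LooksLikePE(b []byte) bool {
	if len(b) < 0x40 || b[0] != 'M' || b[1] != 'Z' {
		return false
	}
	lfanew := binary.LittleEndian.Uint32(b[0x3C:0x40])
	if uint64(lfanew)+4 > uint64(len(b)) {
		return false
	}
	return string(b[lfanew:lfanew+4]) == "PE\x00\x00"
}

// MinimalPEHeader builds a constructed 68-byte buffer that satisfies
// LooksLikePE, used as stand-in plaintext so the example runs without a sample.
func MinimalPEHeader() []byte {
	b := make([]byte, 0x44)
	b[0], b[1] = 'M', 'Z'
	binary.LittleEndian.PutUint32(b[0x3C:], 0x40)
	copy(b[0x40:], "PE\x00\x00")
	return b
}

func main() {
	const key = 0x56
	if len(os.Args) < 2 {
		// No file given: demonstrate the transform on the constructed header.
		enc := XorNullPreserving(MinimalPEHeader(), key)
		fmt.Printf("encrypted header starts % x, looks like PE: %v\n", enc[:4], LooksLikePE(enc))
		dec := XorNullPreserving(enc, key)
		fmt.Printf("decrypted header starts % x, looks like PE: %v\n", dec[:4], LooksLikePE(dec))
		return
	}
	raw, err := os.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	f, err := pe.NewFile(bytes.NewReader(raw))
	if err != nil {
		fmt.Fprintln(os.Stderr, "not a PE file:", err)
		os.Exit(1)
	}
	off := OverlayOffset(f)
	if off <= 0 || off >= int64(len(raw)) {
		fmt.Fprintln(os.Stderr, "no overlay present")
		os.Exit(1)
	}
	payload := XorNullPreserving(raw[off:], key)
	fmt.Printf("overlay at 0x%x, %d bytes, decrypts to a PE: %v\n", off, len(payload), LooksLikePE(payload))
	if err := os.WriteFile(os.Args[1]+".overlay.bin", payload, 0o600); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Run it with the path to a suspect DLL to write the decrypted overlay next to it, or with no arguments to watch the transform on the constructed header. If a real overlay does not decode to something starting with MZ, the first thing to revisit is the assumed handling of bytes equal to the key; a variant that skips only 0x00 would differ exactly on those bytes.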
Groups observed using it
1 distinct threat actor attributed by public researchers.
We named the newly discovered backdoor BoxOfFriends, from the name of the Go package in the backdoor that contains all the malicious code. Unlike the previously discovered backdoors, this new one makes use of the Microsoft 365 Outlook mail REST API from Microsoft Graph to create and modify draft email messages for its C&C communications.
Techniques & procedures
20 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
2 techniques
GopherWhisper uses Slack, Discord, and Microsoft Graph services for its C&C infrastructure.
RatGopher and early versions of its source code were identified from chat log analysis. BoxOfFriends is a custom backdoor.
Privilege Escalation
2 techniques
JabGopher: an injector that executes the LaxGopher backdoor disguised as whisper.dll. It creates a new instance of svchost.exe and injects LaxGopher into the svchost.exe process memory.
Defense Evasion
3 techniques
JabGopher: an injector that executes the LaxGopher backdoor disguised as whisper.dll. It creates a new instance of svchost.exe and injects LaxGopher into the svchost.exe process memory.
BoxOfFriends is a Go binary that is injected into the legitimate Windows executable help.exe.
CompactGopher runs its own cleanup process by deleting both the cleartext and encrypted archives. BoxOfFriends implements a selfdelete command; when it runs, the file used in the injection process is deleted.
Discovery
1 technique
LaxGopher, RatGopher, and SSLORDoor can collect the hostname, OS version, and OS architecture of a compromised host.
Lateral Movement
1 technique
portforward: creates, deletes, or lists forwarding ports to expose an application or service to the network.
Collection
3 techniques
LaxGopher, RatGopher, SSLORDoor, and CompactGopher can collect local data from a compromised machine.
Placing Jared962@outlook[.]com in a draft's address field instructed the backdoor to break large files into manageable chunks for exfiltration.
Another backdoor, this one dubbed BoxOfFriends despite it also being written in Go, created a new draft email in Microsoft Outlook as a way of notifying operators that it was ready. Different emails in the address field signified different commands.
Command and Control
8 techniques
Attackers continue to lean on everyday collaboration platforms to hide command and control traffic inside normal enterprise noise... running its operations through Slack workspaces, Discord servers, Outlook drafts, and the file.io sharing service.
LaxGopher, RatGopher, and BoxOfFriends use HTTPS for C&C communication.
GopherWhisper leverages Discord, Slack, Microsoft 365 Outlook, and file.io for C&C communications and exfiltration.
LaxGopher, RatGopher, and BoxOfFriends use Slack, Discord, and Microsoft Graph, respectively, for C&C infrastructure.
JabGopher and FriendDelivery load the backdoors into memory... The FriendDelivery DLL that loads BoxOfFriends was compiled on July 22, 2024, 11 days after the C2 Outlook account was created.
LaxGopher and RatGopher use base64 to encode messages sent to their C&Cs.
SSLORDoor leverages custom data encoding to communicate with the C&C. BoxOfFriends uses base58 and base64 encoding.
LaxGopher and RatGopher use AES algorithms for encryption. BoxOfFriends uses XOR encryption.
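The behavioural tell of the draft-based channel described above is a mailbox whose drafts are created and rewritten over and over but never sent. The Go code below is an added example for this page, not an ESET or Mallory detection, that applies that heuristic to Graph API activity records: it classifies each call by the Outlook REST endpoints involved (POST .../messages and PATCH .../messages/{id} write drafts; POST .../sendMail and .../messages/{id}/send actually deliver mail) and flags any user/application pair with several draft writes and zero sends. The GraphEvent struct only loosely mirrors the columns of Entra ID's Graph activity logs, and every event, user, application ID and message ID in SampleEvents is constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// GraphEvent is one Microsoft Graph request as an API activity log might
// record it. The struct and the sample events below are constructed for this
// example and only loosely follow Entra's Graph activity log columns.
type GraphEvent struct {
	User   string // principal whose mailbox was touched
	AppID  string // OAuth application that made the call
	Method string // HTTP method
	URI    string // request URI, e.g. https://graph.microsoft.com/v1.0/me/messages
}

// DraftStats is the per-(user, app) tally the heuristic works from.
type DraftStats struct {
	DraftWrites int // calls that create or modify a message without sending it
	Sends       int // calls that actually deliver mail
}

// Classify maps one Graph call onto the verbs that matter for a draft-based
// C2 channel: "draft-write", "send", or "other". Only the path is inspected;
// host and query string are ignored.
func Classify(ev GraphEvent) string {
	path := strings.ToLower(ev.URI)
	if i := strings.Index(path, "://"); i >= 0 {
		path = path[i+3:]
		if j := strings.Index(path, "/"); j >= 0 {
			path = path[j:]
		}
	}
	if i := strings.Index(path, "?"); i >= 0 {
		path = path[:i]
	}
	path = strings.TrimRight(path, "/")
	method := strings.ToUpper(ev.Method)

	switch {
	// POST .../sendMail and POST .../messages/{id}/send are the calls that
	// actually deliver a message through the Outlook REST API.
	case method == "POST" && (strings.HasSuffix(path, "/sendmail") || strings.HasSuffix(path, "/send")):
		return "send"
	// POST .../messages (or .../mailFolders/drafts/messages) creates a draft;
	// PATCH .../messages/{id} rewrites one in place. Neither touches Sent Items.
	case method == "POST" && strings.HasSuffix(path, "/messages"):
		return "draft-write"
	case method == "PATCH" && strings.Contains(path, "/messages/"):
		return "draft-write"
	}
	return "other"
}

// Tally aggregates events per "user|app" key.
func Tally(events []GraphEvent) map[string]*DraftStats {
	out := map[string]*DraftStats{}
	for _, ev := range events {
		key := ev.User + "|" + ev.AppID
		st, ok := out[key]
		if !ok {
			st = &DraftStats{}
			out[key] = st
		}
		switch Classify(ev) {
		case "draft-write":
			st.DraftWrites++
		case "send":
			st.Sends++
		}
	}
	return out
}

// SuspectDraftC2 returns the user|app pairs that wrote at least minWrites
// drafts without ever sending anything. Legitimate mail clients eventually
// send most of what they draft; a C2 channel built on drafts never does.
func SuspectDraftC2(events []GraphEvent, minWrites int) []string {
	var hits []string
	for key, st := range Tally(events) {
		if st.DraftWrites >= minWrites && st.Sends == 0 {
			hits = append(hits, key)
		}
	}
	sort.Strings(hits)
	return hits
}

// SampleEvents is a constructed log excerpt: one mailbox driven by an unknown
// app that only ever writes and polls drafts, and one normal user who drafts
// and then sends. App IDs and message IDs are placeholders, not real values.
func SampleEvents() []GraphEvent {
	const implantApp = "11111111-aaaa-bbbb-cccc-000000000001"
	const outlookApp = "22222222-dddd-eeee-ffff-000000000002"
	base := "https://graph.microsoft.com/v1.0"
	return []GraphEvent{
		{"victim@example.org", implantApp, "POST", base + "/me/messages"},
		{"victim@example.org", implantApp, "GET", base + "/me/mailFolders/drafts/messages?$top=10"},
		{"victim@example.org", implantApp, "PATCH", base + "/me/messages/AAMkAGI2"},
		{"victim@example.org", implantApp, "PATCH", base + "/me/messages/AAMkAGI2"},
		{"victim@example.org", implantApp, "POST", base + "/me/messages"},
		{"alice@example.org", outlookApp, "POST", base + "/me/messages"},
		{"alice@example.org", outlookApp, "PATCH", base + "/me/messages/AAMkAGI3"},
		{"alice@example.org", outlookApp, "POST", base + "/me/messages/AAMkAGI3/send"},
		{"alice@example.org", outlookApp, "POST", base + "/me/sendMail"},
	}
}

func main() {
	for _, hit := range SuspectDraftC2(SampleEvents(), 3) {
		fmt.Println("possible draft-based C2:", hit)
	}
}
```

In practice the threshold and the window over which writes are counted need tuning per tenant, and the application ID behind the hits deserves a look: a mailbox being driven through drafts by an app that is neither Outlook nor a known integration is the point at which to pull the full message list for that account.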
Exfiltration
2 techniques
LaxGopher, RatGopher, SSLORDoor, and BoxOfFriends exfiltrate data to their C&Cs.
LaxGopher leverages Slack to exfiltrate data. RatGopher leverages Discord and file.io to exfiltrate data. CompactGopher uses the file.io web service to exfiltrate data.
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
13 sources tracked across advisories, community write-ups, and news.
A backdoor that uses Microsoft 365 Outlook APIs and draft emails via Microsoft Graph API for covert command-and-control communication.
A backdoor that manages communications via email drafts in Microsoft Outlook.
A Go-based backdoor that uses Microsoft Graph API and Outlook draft emails for command-and-control with hard-coded credentials.
A Go-based backdoor that used Microsoft Outlook draft emails for command and control/notification. Different email addresses in the draft address field represented different operator commands, including heartbeat timing and chunked file exfiltration.