{"id":6374,"date":"2021-06-02T16:04:45","date_gmt":"2021-06-02T23:04:45","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=6374"},"modified":"2024-04-26T13:20:39","modified_gmt":"2024-04-26T20:20:39","slug":"nobelium-campaigns-and-malware","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/nobelium-campaigns-and-malware\/","title":{"rendered":"Cyber Threat Advisory: NOBELIUM Campaigns and Malware"},"content":{"rendered":"

Author: James Barnett<\/h3>\n

TLP: WHITE<\/h3>\n

 <\/p>\n

1. Executive Summary<\/h1>\n

Between 27 and 28 May, Microsoft published two reports on NOBELIUM, the threat actor behind the December 2020 supply chain attacks1<\/sup> on SolarWinds\u2019 Orion platform. The first report detailed an ongoing spearphishing campaign that leveraged a variety of techniques to distribute a Cobalt Strike Beacon payload that allows NOBELIUM to remotely control the targeted system through an encrypted network tunnel.2<\/sup> The second report detailed four tools that were part of NOBELIUM\u2019s unique infection chain in that campaign: EnvyScout, BoomBox, NativeZone, and VaporRage.3<\/sup><\/p>\n

2. Analysis<\/h1>\n

2.1. Spearphishing Campaigns<\/h3>\n

Microsoft reports that NOBELIUM has been conducting a new malicious email campaign since February 2021. It differs significantly from their previous operations that ran from September 2019 to January 2021 and that led to the breach of the SolarWinds Orion platform. In this new campaign, NOBELIUM distributed multiple waves of spearphishing emails, each revealing an evolution of their malware delivery techniques.<\/p>\n

The first wave of the campaign, discovered in February, leveraged the legitimate Google Firebase platform to stage an ISO file containing a malicious payload, as well as to record attributes of visitors who accessed the URLs included in the phishing emails. This wave included a brief reconnaissance period starting on 28 January, during which NOBELIUM sent the Firebase tracking URL to targets and recorded when they clicked on the URL. They did not deliver the malicious ISO payload at this stage.<\/p>\n

The next waves of the campaign began in March and used a malicious HTML file attached to a spearphishing email in an attempt to compromise targeted users. This HTML file used JavaScript to write an ISO file containing a malicious payload directly to the target\u2019s disk, including a message that encouraged the target to open the ISO. If the target did so, the ISO file would then be mounted in the same manner as an external drive. This allowed a shortcut file (LNK) within the ISO to execute an included dynamic-link library (DLL) that ultimately resulted in the delivery and execution of a Cobalt Strike Beacon payload. During these waves, NOBELIUM began to experiment with a distribution method that involved embedding the ISO file within the HTML attachment rather than the previous method of hosting the ISO on Firebase.<\/p>\n

The next waves of the campaign began in April and involved NOBELIUM completely abandoning Firebase for both its ISO distribution and victim tracking. They shifted to distributing the ISOs using the aforementioned HTML embedding method and began to use a new method of victim tracking. The campaign evolved again in May when NOBELIUM added a custom .NET module to perform reconnaissance and download additional payloads that they had stored on Dropbox.<\/p>\n

On 25 May, NOBELIUM\u2019s campaign began using the legitimate mass-mailing service Constant Contact to target roughly 3,000 unique accounts across more than 150 organizations. This new wave of spearphishing emails used several different types of lures, one of which imitated a special alert from the United States Agency for International Development (USAID), stating that Donald Trump had published new documents regarding election fraud, and included a link where these documents would purportedly be found. In reality, this link used Constant Contact\u2019s legitimate redirector service to send victims to a different URL that would deliver NOBELIUM\u2019s malicious ISO file.<\/p>\n

On 1 June, the U.S. Department of Justice announced that they had seized two of the domains involved in NOBELIUM’s spearphishing campaign (theyardservice[.]com and worldhomeoutlet[.]com) pursuant to a court order on 28 May.8<\/sup><\/p>\n

2.2. EnvyScout<\/h3>\n

EnvyScout is a malicious HTML file that deobfuscates and writes a malicious ISO file to disk. In this campaign, the threat actors delivered the file NV.html<\/em> as an attachment to the campaign\u2019s spearphishing emails. The body of this HTML file included tracking and credential harvesting URLs, an encoded ISO payload, an embedded JavaScript to decode the payload, and another embedded JavaScript to allow the HTML file to write the decoded ISO file to disk.<\/p>\n

2.3. BoomBox<\/h3>\n

BoomBox is a malicious downloader distributed as an executable named BOOM.exe<\/em> contained within the ISO dropped by EnvyScout. When executed, it checks to ensure that a directory named NV<\/em> is present in its working directory and terminates if it does not find this directory. BoomBox also performs another check to ensure that the system does not contain a file named %AppData%\\Microsoft\\NativeCache\\NativeCacheSvc.dll<\/em> and will terminate if it finds the file.<\/p>\n

After performing these checks, BoomBox proceeds to gather information about the infected system, including its hostname, domain name, IP address, and the victim\u2019s username. It encrypts this information using the Advanced Encryption Standard (AES) with a hardcoded encryption key 123do3y4r378o5t34onf7t3o573tfo73<\/em> and initialization vector (IV) value 1233t04p7jn3n4rg<\/em>. After encryption, BoomBox adds PDF file signatures to the beginning and end of the data so that the encrypted data appears to be a valid PDF file, and then uploads the file to Dropbox.<\/p>\n

Once BoomBox has uploaded information about the victim\u2019s system, it proceeds to download the NativeZone and VaporRage payloads from Dropbox. It then decrypts and executes these payloads to start the next stage of the attack chain.<\/p>\n

2.4. NativeZone<\/h3>\n

NativeZone is Microsoft\u2019s name for NOBELIUM\u2019s wide variety of custom Cobalt Strike Beacon loaders. These loaders were previously tracked under unique names including TEARDROP4<\/sup> and Raindrop, but Microsoft is now tracking them under the single name NativeZone due to their disposable nature and similar purpose within NOBELIUM\u2019s attack chain. All variants of NativeZone are malicious DLLs that decrypt and load a malicious payload from an embedded code buffer or from another accompanying file.<\/p>\n

2.5. VaporRage<\/h3>\n

VaporRage is a malicious DLL file that acts as a shellcode downloader. It contains functions that are called by NativeZone in order to download, decode, and execute arbitrary shellcode from the attacker\u2019s command and control (C&C) servers. The most common shellcode payload that VaporRage currently delivers is Cobalt Strike Beacon, as observed in NOBELIUM\u2019s previous campaigns.<\/p>\n

2.6. Cobalt Strike<\/h3>\n

Cobalt Strike is a legitimate penetration testing tool that has become increasingly popular amongst threat actors due to its many powerful features. Its capabilities include keylogging, taking screenshots, deploying additional payloads, exploiting system vulnerabilities to facilitate additional attacks, evading detection with various countermeasures, rapidly exfiltrating data through encrypted tunnels, and more.5<\/sup><\/p>\n

3. Prevention and Mitigation<\/h1>\n

The Cybersecurity and Infrastructure Security Agency (CISA) provides the following list of best practices to strengthen the security of an organization.6<\/sup> In addition, CISA references the publication from the National Institute of Standards and Technology (NIST), \u201cGuide to Malware Incident Prevention & Handling for Desktops and Laptops\u201d for more information on malware incident prevention and handling.7<\/sup><\/p>\n