This report covers a new malware campaign by a foreign adversarial nation-state threat actor now referred to as NOBELIUM. The threat actor gained prominence for its involvement in the SolarWinds supply chain attack. This new campaign focuses on phishing using a sophisticated toolset.
NOBELIUM seems to use very specific methods of avoiding detection, such as abusing Dropbox to download malicious payloads onto systems. Heavy use of the Dropbox API over HTTPS can be tricky for network defenders to pinpoint as malicious behavior. The bad actor also uses tooling specifically designed to perform enumeration via network discovery and has the ability to stop execution on undesirable targets. The tooling itself is engineered to reduce the possibility of successful detection by running the third-stage payload, VaporRage, fully in memory. VaporRage is a shellcode loader designed to run malicious packages entirely in memory.
Now that some of the unique features of this campaign have been established, we can dive a little deeper into the noteworthy tools. EnvyScout is a malicious dropper toolset used to obfuscate and deliver a malicious ISO file to the affected device. All the different variants of the EnvyScout tool start with an HTML (HyperText Markup Language) file called NV.html. One of the variants of the EnvyScout toolset is used to collect credentials via NTLMv2 (NT LAN Manager Version 2) over port 445. This variant performs the collection by using a file:// protocol handler in its code to trick the operating system. The threat actor likely has a credential-capturing service running on the destination server. The HTML file’s primary goal is to use the legitimate tool FileSaver, with some malicious modifications, to generate an obfuscated ISO file.
The generated ISO file, called NV.img, acts as a lure that, when clicked on by a user, mounts like a normal drive. The drive displays a shortcut named NV that, when clicked, starts the next-stage payload. If you modify the Windows Explorer settings to view hidden files, you will find a hidden folder and the next-stage executable, called BOOM.exe. Clicking on the next-stage executable will also trigger the infection chain.
BOOM.exe functions as a malicious downloader built to pull down the next payload from Dropbox. The downloader collects information about the affected system, such as the hostname, IP address, domain name, and the currently logged-in username. Any data transfers are encrypted with AES and are sent to Dropbox via API arguments. The next-stage payload is downloaded onto the host once the collected enumeration results have been compiled and sent to Dropbox. The next-stage payload is written to %AppData%\Microsoft\NativeCache\NativeCacheSvc.dll, then persistence is set up via the creation of a new registry key. NativeCacheSvc.dll, referred to by the security community as NativeZone, is a malicious loader that interacts with rundll32 to load the malicious downloader known as VaporRage.
It is highly encouraged that you implement preemptive blocks using the IOC list linked below. Consider blocking internal hosts from reaching out to external systems over port 445. You may want to block the use of Dropbox via EDR tools and implement blocks on the external-facing firewall. Implement a user training program through your security partner to teach users how to successfully spot a phishing attempt.
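The behaviors described above (the NativeCacheSvc.dll drop path, rundll32 loading that DLL, and outbound connections on port 445) can also be hunted for in endpoint telemetry. The following detection sketch is an added example, not part of the original report: the event schema, host names, the export name and the sample events are constructed, and the internal address ranges are an assumption to adjust.

```python
import ipaddress
import re

# Drop path named in the report; %AppData% expands to ...\AppData\Roaming.
NATIVEZONE = re.compile(
    r"(?:%AppData%|\\AppData\\Roaming)\\Microsoft\\NativeCache\\NativeCacheSvc\.dll",
    re.IGNORECASE)
# Assumption: these IPv4 ranges count as "internal"; adjust to your address plan.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_external(ip):
    """True when the destination is outside every INTERNAL range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def classify(event):
    """Return finding labels for one normalized event (hypothetical schema)."""
    kind, findings = event.get("type"), []
    if kind == "file_create" and NATIVEZONE.search(event.get("path", "")):
        findings.append("nativezone_dll_written")
    if kind == "process_create":
        image = event.get("image", "").lower()
        if image.endswith("\\rundll32.exe") and NATIVEZONE.search(event.get("cmdline", "")):
            findings.append("rundll32_loads_nativezone")
    if kind == "net_connect" and event.get("dport") == 445 and is_external(event["dst"]):
        findings.append("outbound_smb_to_internet")
    return findings

def scan(events):
    """Return (host, finding) pairs in event order."""
    return [(e["host"], f) for e in events for f in classify(e)]

# Constructed sample events; "ExampleExport" is a placeholder, not a real export name.
DLL = r"C:\Users\jdoe\AppData\Roaming\Microsoft\NativeCache\NativeCacheSvc.dll"
RUNDLL = r"C:\Windows\System32\rundll32.exe"
EVENTS = [
    {"host": "ws-014", "type": "file_create", "path": DLL},
    {"host": "ws-014", "type": "process_create", "image": RUNDLL,
     "cmdline": 'rundll32.exe "' + DLL + '",ExampleExport'},
    {"host": "ws-022", "type": "net_connect", "dst": "203.0.113.10", "dport": 445},
    {"host": "ws-030", "type": "net_connect", "dst": "10.1.2.3", "dport": 445},  # internal SMB
    {"host": "ws-031", "type": "process_create", "image": RUNDLL,
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},  # benign rundll32 use
]

if __name__ == "__main__":
    for host, finding in scan(EVENTS):
        print(host, finding)
```
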
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.