EnvyScout (derived from the filename NV.html, aka Envy Scout, NV.html, NV, EnvyScout) is a dropper-style malware that writes a malicious ISO to disk. The malware is known to be used by the adversary known as Dark Halo (aka Nobellium, UNC2452) and came to attention during a major phishing campaign carried out in early 2021.
The dropper is delivered as a malicious attachment in a phishing email.
The EnvyScout dropper is a self-contained HTML file.
All observed versions of EnvyScout contain a modified version of the open source FileSaver javascript tool. This tool allows the JavaScript to write files directly to disk, allowing the adversary to conduct HTML smuggling.
Further, all versions of EnvyScout contain an encoded blob that contains the payload. The payload is Base64, and is XOR'd with a single byte key. The payload is written to disk using the modified FileSaver code.
Finally, all versions of EnvyScout contain a small piece of code used to decode the ISO in the XOR'd blob containing the Base64 code. This will write a file NV.img to disk, which the user much then execute.
When a user executes the file, Windows 10 will mount the file as with any disk image. The interior contents of the image include a visible shortcut file bearing the name "NV.lnk." There are also two hidden files, including a folder also named "NV" and an executable called "BOOM.exe." "NV.lnk" links to "BOOM.exe."
Some variants of EnvyScout contained execution guardrails that checked the window.location.pathname to verify that the first two entries in the array were "C" and ":" to ensure the file was running on disk. If any other values were found, the ISO is not written to disk.
Other variants also conducted additional reconnaissance by inspecting the user agent string to determine if the user was executing the file in a Windows environment. If the user was determined to be in an iOS environment they were redirected to external infrastructure.
EnvyScout does not exhibit any persistence mechanisms. Instead, persistence is achieved with the dropped payload.
In some versions of EnvyScout, the file contains two URLs.
When the HTML file is opened, an attempt is made to establish a connection to the malicious command and control (C2) server by using the first URL prefixed with the "file://" protocol on port 445. This is an attempt by the actor to gather sensitive NTLMv2 data which can then be leveraged for brute forcing.
The second URL fetches an image, which acts similarly to a tracking pixel.
Get the Free Hunt Packages!
Check Out Other Emerging Threats >
Threat actors are increasingly using methods to circumvent multifactor authentication, which poses a risk of account takeover. Here’s a briefing on some types of attacks and defenses to put in place.
mommy Access Broker is enabling access-as-a-service operations through detailed intrusion guides and compromised credentials, and Intel 471 has released reporting and Hunt Packages to support threat hunting and detection.
NATO's annual summit comes as member countries face a rapidly changing global security dynamic, with cyber playing a significant role.
Stay informed with our weekly executive update, sending you the latest news and timely data on the threats, risks, and regulations affecting your organization.