
mommy Access Broker
mommy Access Broker is enabling access-as-a-service operations through detailed intrusion guides and compromised credentials, and Intel 471 has released reporting and Hunt Packages to support threat hunting and detection.
In May 2021, Microsoft and Volexity reported sophisticated phishing campaigns affecting government organizations. Microsoft attributed the attack to Nobelium (UNC2452). Nobelium used several new malware families and tools to carry out the attack. In the first stages of establishing a foothold on a target system, Nobelium used EnvyScout and BoomBox. EnvyScout is a malicious dropper capable of de-obfuscating a malicious ISO file and writing it to disk. The ISO file is intended to coax the target user into mounting it and clicking on the contained LNK file. BoomBox is a downloader that collects system information, sends it to a Dropbox account for parsing and ingestion by Nobelium, and downloads additional tools, such as NativeZone.
This technique was observed being used by Nobelium in May 2021. The observed attack chain began with a lure to get a user to open an IMG or ISO file containing an LNK file. The LNK was disguised as a folder and executed a hidden binary (BoomBox) within the IMG file. From this point rundll32.exe was used several times to execute various DLL files and to execute specific code blocks within one or more additionally downloaded DLL files. The targeted technique was used to upload system information to Dropbox for the adversary's analysis and parsing, as well as to download a loader called NativeZone, which is typically a Cobalt Strike BEACON and loader. Analysts can review activity preceding the trigger of this rule, looking for several rundll32.exe commands and for IMG or ISO files being loaded, saved or opened by explorer.exe. Aside from the reported Nobelium activity, analysts can look for general rundll32.exe proxy execution. LNK files are commonly used in phishing and can often produce activity similar to that targeted by this package. However, instead of looking for a mounted ISO file, analysts can look for additional rundll32.exe executions and LNK files opened from Outlook's temporary directories.
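As an added example (not part of the Intel 471 Hunt Package and not its actual detection logic), the following Python applies the pivot described above to constructed process-creation telemetry: it takes processes launched by a user-facing parent (explorer.exe or outlook.exe) that show lure evidence (an ISO/IMG/LNK reference, an Outlook temporary path, or an image on a non-C: drive, as a mounted ISO would be), then counts rundll32.exe descendants in a short window. The event fields (ts, pid, ppid, image, cmdline), the 10-minute window, the threshold of two rundll32.exe executions and the drive-letter heuristic are all assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Lure evidence from the hunt text: ISO/IMG/LNK files, or Outlook's temp directory.
LURE_RE = re.compile(r"\.(iso|img|lnk)\b|\\Content\.Outlook\\", re.IGNORECASE)
LAUNCHERS = {"explorer.exe", "outlook.exe"}   # user-facing parents to pivot from
WINDOW = timedelta(minutes=10)                 # assumption: the chain completes quickly
MIN_RUNDLL32 = 2                              # assumption: "several" rundll32.exe runs

def _name(path):
    return path.rsplit("\\", 1)[-1].lower()

def find_chains(events):
    """Roots: a LAUNCHERS child with lure evidence or an image off the C: drive (a likely
    mounted ISO). Report roots with >= MIN_RUNDLL32 rundll32.exe descendants in WINDOW."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    findings = []
    for root in events:
        parent = by_pid.get(root["ppid"])
        if parent is None or _name(parent["image"]) not in LAUNCHERS:
            continue
        if not (LURE_RE.search(root["cmdline"]) or not root["image"].upper().startswith("C:\\")):
            continue
        deadline = datetime.fromisoformat(root["ts"]) + WINDOW
        stack, hits = list(children[root["pid"]]), []
        while stack:  # walk the ppid tree so rundll32 -> rundll32 hops are counted
            e = stack.pop()
            if datetime.fromisoformat(e["ts"]) <= deadline:
                if _name(e["image"]) == "rundll32.exe":
                    hits.append(e["cmdline"])
                stack.extend(children[e["pid"]])
        if len(hits) >= MIN_RUNDLL32:
            findings.append({"root_pid": root["pid"], "root": root["cmdline"], "rundll32": hits})
    return findings

# Constructed sample telemetry (not real indicators); E: is the mounted lure image.
SAMPLE = [
    {"ts": "2021-05-25T10:00:00", "pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"ts": "2021-05-25T10:01:00", "pid": 520, "ppid": 400, "image": r"E:\hidden.exe", "cmdline": r'"E:\hidden.exe"'},
    {"ts": "2021-05-25T10:01:10", "pid": 530, "ppid": 520, "image": r"C:\Windows\System32\rundll32.exe", "cmdline": r"rundll32.exe E:\stage.dll,Run"},
    {"ts": "2021-05-25T10:01:30", "pid": 540, "ppid": 530, "image": r"C:\Windows\System32\rundll32.exe", "cmdline": r"rundll32.exe C:\Users\u\AppData\Local\Temp\nz.dll,Start"},
    {"ts": "2021-05-25T10:05:00", "pid": 600, "ppid": 400, "image": r"C:\Program Files\App\app.exe", "cmdline": "app.exe"},
    {"ts": "2021-05-25T10:05:05", "pid": 610, "ppid": 600, "image": r"C:\Windows\System32\rundll32.exe", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]
```

Running `find_chains(SAMPLE)` reports only the E:-rooted chain with its two rundll32.exe executions; the single benign rundll32.exe under app.exe stays below the threshold and has no lure evidence.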