Suspicious rundll32 Execution | Intel 471

Suspicious rundll32 Execution

May 31, 2021

THREAT DESCRIPTION

In May 2021, Microsoft and Volexity reported sophisticated phishing campaigns affecting government organizations. Microsoft attributed the attack to Nobelium (UNC2452). Nobelium used several new malware families and tools to carry out the attack. In the first stages of establishing a foothold on a target system, Nobelium used EnvyScout and BoomBox. EnvyScout is a malicious dropper capable of de-obfuscating and writing a malicious ISO file to disk. The ISO file is intended to coax the target user into mounting it and clicking the LNK file it contains. BoomBox is a downloader that collects system information, sends it to a Dropbox account for parsing and ingestion by Nobelium, and downloads additional tools such as NativeZone.

ANALYST NOTES

This technique was observed being used by Nobelium in May 2021. The observed attack chain was a lure to get a user to open an IMG or ISO file containing an LNK file. The LNK was disguised as a folder and would execute a hidden binary (BoomBox) within the IMG file. From this point rundll32.exe was used several times to execute various DLL files, and to execute specific code blocks within one or more additionally downloaded DLL files. The targeted technique was used to upload system information to Dropbox for the adversary's analysis and parsing, and to download a loader called NativeZone, which is typically a Cobalt Strike BEACON and loader. Analysts can review activity preceding the trigger of this rule, looking for several rundll32.exe commands and for an IMG or ISO file being loaded, saved or opened by explorer.exe. Aside from the reported Nobelium activity, analysts can look for general rundll32.exe proxy execution. LNK files are commonly used in phishing and can often produce activity similar to what this package targets; however, instead of looking for a mounted ISO file, analysts can look for additional rundll32.exe executions and LNK files opened from Outlook's temporary directories.
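As an added example (not part of the Intel 471 package), the contextual hunt described above run over constructed process-creation events: flag rundll32.exe loading a DLL from outside the Windows system directories, then pull in the same host's precursor activity (explorer.exe handling an ISO/IMG file, or an LNK opened from Outlook's Content.Outlook directory) inside a lookback window. Host names, DLL names and paths are placeholders, not indicators.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (Sysmon Event ID 1 style); all names are placeholders.
EVENTS = [
    {"ts": "2021-05-25T09:00:01", "host": "WS01", "image": "explorer.exe", "parent": "explorer.exe",
     "cmdline": r'explorer.exe "C:\Users\alice\Downloads\EXAMPLE_LURE.iso"'},
    {"ts": "2021-05-25T09:00:20", "host": "WS01", "image": "rundll32.exe", "parent": "explorer.exe",
     "cmdline": r"rundll32.exe D:\EXAMPLE_STAGE1.dll,Start"},
    {"ts": "2021-05-25T09:01:10", "host": "WS01", "image": "rundll32.exe", "parent": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Roaming\EXAMPLE_STAGE2.dll,Run"},
    {"ts": "2021-05-25T11:30:00", "host": "WS02", "image": "rundll32.exe", "parent": "svchost.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL desk.cpl"},
]

SYSTEM_DLL = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)
DLL_ARG = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.I)
IMAGE_FILE = re.compile(r"\.(iso|img)\b", re.I)
OUTLOOK_LNK = re.compile(r"content\.outlook\\.*\.lnk", re.I)


def is_rundll32_proxy(ev):
    """rundll32.exe loading a DLL that does not live in a Windows system directory."""
    if ev["image"].lower() != "rundll32.exe":
        return False
    m = DLL_ARG.search(ev["cmdline"])
    return bool(m) and not SYSTEM_DLL.match(m.group(1).strip())


def is_precursor(ev):
    """Lure-stage activity: explorer.exe handling an ISO/IMG, or an LNK from Outlook's temp directory."""
    c = ev["cmdline"]
    explorer_image = ev["image"].lower() == "explorer.exe" and bool(IMAGE_FILE.search(c))
    return explorer_image or bool(OUTLOOK_LNK.search(c))


def hunt(events, window=timedelta(minutes=10)):
    """One finding per host: count of non-system rundll32 runs plus precursors in the lookback window."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    findings = []
    for host, evs in by_host.items():
        hits = [e for e in evs if is_rundll32_proxy(e)]
        if not hits:
            continue
        start = datetime.fromisoformat(hits[0]["ts"]) - window
        end = datetime.fromisoformat(hits[-1]["ts"])
        ctx = [e["cmdline"] for e in evs
               if is_precursor(e) and start <= datetime.fromisoformat(e["ts"]) <= end]
        findings.append({"host": host, "rundll32_count": len(hits), "precursors": ctx})
    return findings
```

The System32 exclusion only suppresses the control-panel style rundll32 use on WS02; a DLL copied into a system directory would still need a separate check.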