Mandiant researchers have identified two distinct clusters of activity, tracked as UNC3004 and UNC2652, that are linked to the Russia-linked Nobelium APT group (aka UNC2452).
Nobelium (aka APT29, Cozy Bear, and The Dukes) is the threat actor behind the SolarWinds supply chain attack, in which multiple malware families were deployed, including the SUNBURST backdoor, TEARDROP, GOLDMAX, SIBOT, and GOLDFINDER.
Nobelium targets government organizations, NGOs, think tanks, the military, IT service providers, health technology and research organizations, and telecommunications providers.
The Nobelium cyberspies are now using a new custom downloader, tracked by Mandiant as CEELOADER.
Mandiant researchers observed multiple supply chain attacks carried out by the APT group. The threat actors compromised service providers, then used the privileged access and credentials belonging to those providers to target the providers' customers.
“Mandiant has identified multiple instances where the threat actor compromised service providers and used the privileged access and credentials belonging to these providers to compromise downstream customers,” reads the report published by Mandiant. “In at least one instance, the threat actor identified and compromised a local VPN account and made use of this VPN account to perform reconnaissance and gain further access to internal resources within the victim CSP's environment, which ultimately led to the compromise of internal domain accounts.”
Researchers also cited another breach in which the threat actors gained access to the target organization's Microsoft 365 environment using a stolen session token. The state-sponsored hackers used the CRYPTBOT password stealer to obtain the session token that was then used to authenticate to the Microsoft 365 environment.
The Nobelium cyberspies leveraged the compromised privileged accounts and used SMB, remote WMI, remote scheduled task registration, and PowerShell to execute commands within the targeted environments. The experts said the attackers used these protocols to perform reconnaissance, distribute Cobalt Strike Beacon across the compromised network, and run native Windows commands to steal credentials.
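The lateral-movement techniques listed above leave a recognisable trail in standard Windows Security log events, and the following is an added detection example (it is not code from the Mandiant report or from the article) that runs three simple rules over such records: a scheduled task registered (event 4698) by an account that reached the host through a network logon (4624, logon type 3), a process created (4688) with WmiPrvSE.exe as its parent (remote WMI execution), and PowerShell launched non-interactively with encoded or hidden switches. The event dicts, host names, users, IPs and task names are constructed for the example; the event IDs and field names are the real Windows ones.

```python
"""Added example, not from the Mandiant report or the article: flag the
lateral-movement patterns described above (remote scheduled task registration,
remote WMI execution, non-interactive encoded PowerShell) in Windows Security
log records.  Event IDs and field names follow the Windows Security log
(4624 logon, 4698 scheduled task created, 4688 process created); the sample
events are constructed."""
from collections import defaultdict

# Constructed sample telemetry, one dict per event.  In production these would
# come from a SIEM query; the hosts, users, IPs and task names are invented.
SAMPLE_EVENTS = [
    # Network (type 3) logon over SMB from a peer host with a privileged account
    {"EventID": 4624, "Computer": "FS01", "LogonType": 3, "TargetUserName": "svc_backup",
     "IpAddress": "10.20.0.55", "AuthenticationPackageName": "NTLM"},
    # Scheduled task registered on FS01 by the account that just logged on remotely
    {"EventID": 4698, "Computer": "FS01", "SubjectUserName": "svc_backup",
     "TaskName": "\\Microsoft\\Windows\\UpdateOrchestrator\\Reboot_Recovery",
     "TaskContent": "<Exec><Command>rundll32.exe</Command>"
                    "<Arguments>C:\\Windows\\Temp\\u.dll,Start</Arguments></Exec>"},
    # Process spawned by the WMI provider host: classic remote WMI execution
    {"EventID": 4688, "Computer": "FS01", "SubjectUserName": "svc_backup",
     "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    # Benign: interactive logon and a normal process tree on a workstation
    {"EventID": 4624, "Computer": "WS07", "LogonType": 2, "TargetUserName": "jdoe",
     "IpAddress": "-", "AuthenticationPackageName": "Kerberos"},
    {"EventID": 4688, "Computer": "WS07", "SubjectUserName": "jdoe",
     "ParentProcessName": "C:\\Windows\\explorer.exe",
     "NewProcessName": "C:\\Program Files\\Notepad++\\notepad++.exe",
     "CommandLine": "notepad++.exe notes.txt"},
]

# Command-line switches typical of hands-on-keyboard or Beacon PowerShell use.
SUSPICIOUS_CMD_TOKENS = ("-enc", "-encodedcommand", "-nop", "-w hidden")


def detect_lateral_movement(events):
    """Return a list of (computer, user, reason) alerts.

    Rule 1: 4698 task registration by an account that previously reached the
            same host with a network (type 3) logon.
    Rule 2: 4688 whose parent is WmiPrvSE.exe (command run via remote WMI).
    Rule 3: 4688 launching PowerShell with encoded/hidden switches from a
            parent that is not the interactive shell (explorer.exe).
    """
    alerts = []
    # First pass: which (host, user) pairs were reached over the network.
    network_logons = defaultdict(set)
    for ev in events:
        if ev["EventID"] == 4624 and ev["LogonType"] == 3 and ev["IpAddress"] != "-":
            network_logons[ev["Computer"]].add(ev["TargetUserName"].lower())

    # Second pass: evaluate the execution events against those logons.
    for ev in events:
        host, eid = ev["Computer"], ev["EventID"]
        if eid == 4698:
            user = ev["SubjectUserName"].lower()
            if user in network_logons[host]:
                alerts.append((host, user,
                               f"remote scheduled task registration: {ev['TaskName']}"))
        elif eid == 4688:
            user = ev["SubjectUserName"].lower()
            parent = ev["ParentProcessName"].lower()
            cmd = ev["CommandLine"].lower()
            if parent.endswith("\\wmiprvse.exe"):
                alerts.append((host, user,
                               f"process spawned by WMI provider host: {ev['NewProcessName']}"))
            if ("powershell" in ev["NewProcessName"].lower()
                    and any(tok in cmd for tok in SUSPICIOUS_CMD_TOKENS)
                    and not parent.endswith("\\explorer.exe")):
                alerts.append((host, user, "encoded/hidden PowerShell launched non-interactively"))
    return alerts


if __name__ == "__main__":
    for alert in detect_lateral_movement(SAMPLE_EVENTS):
        print(*alert, sep=" | ")
```

On the constructed input the function returns three alerts, all for FS01 and the svc_backup account, and nothing for the benign workstation activity. The first rule deliberately correlates across two event types rather than alerting on every 4698, because locally created tasks are routine; tuning on the real SMB-connection source (the 4624 IpAddress) and on whether the account is expected to administer that host is where most of the false-positive reduction comes from.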
CEELOADER is a custom downloader written in C that supports the execution of shellcode payloads in memory.
“An obfuscation tool has been used to hide the code in CEELOADER in between large blocks of junk code with meaningless calls to the Windows API. The meaningful calls to the Windows API are hidden within obfuscated wrapper functions that decrypt the name of the API and dynamically resolve it before calling,” continues the report.
CEELOADER communicates over HTTP, and the C2 response is decrypted using AES-256 in CBC mode. The researchers noted that the loader does not implement a persistence mechanism.
In some of the campaigns analyzed by Mandiant, the threat actor used residential IP addresses to authenticate to the targeted environments. These residential and mobile IP addresses were obtained through proxy providers.
In other campaigns, the attackers provisioned a system within Microsoft Azure that was geographically close to a legitimate Azure-hosted system belonging to the CSP they had compromised. This technique allowed the actor to mask the source of the attack by blending in with the victim's traffic, establishing geographic proximity and originating from valid Azure IP ranges.
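Both of the source-address tricks above are aimed at the same control: sign-in analytics that key on geography, such as impossible-travel logic, see an address in the expected region and stay quiet. The following is an added example (not from the Mandiant report or the article) of a check that asks a different question of each sign-in: is the source one of the tenant's own known egress addresses, a public Azure range the tenant does not own, or an ASN the organisation has tagged as a residential/mobile proxy reseller? The Azure range data is shaped like Microsoft's published Service Tags JSON so the loader would work on the real file, but the prefixes, ASNs, tenant egress and sign-in records below are all constructed for the example.

```python
"""Added example, not from the report or the article: classify sign-in
sources against the tenant's own egress, public Azure ranges and
residential-proxy ASNs, since geographic proximity (attacker-provisioned
Azure hosts near the victim, residential proxy exits) defeats location-based
rules.  The service-tag JSON mirrors the layout of Microsoft's published file
but every prefix, ASN and record here is constructed."""
import ipaddress
import json

# Constructed stand-in for the Azure service-tag file (format only; prefixes invented).
AZURE_SERVICE_TAGS = json.loads("""
{"values": [
  {"name": "AzureCloud.westeurope", "properties": {"region": "westeurope",
     "addressPrefixes": ["203.0.113.0/25", "2001:db8:100::/48"]}},
  {"name": "AzureCloud.eastus", "properties": {"region": "eastus",
     "addressPrefixes": ["198.51.100.0/24"]}}
]}
""")

# Constructed: the tenant's own Azure NAT gateway / VPN egress that legitimately
# appears in sign-ins.  Anything else inside an Azure range is someone else's VM.
TENANT_EGRESS = [ipaddress.ip_network("203.0.113.8/30")]

# Constructed: ASNs (private range) the org has tagged as residential/mobile proxy resellers.
PROXY_ASNS = {64500, 64501}


def load_azure_ranges(tags):
    """Flatten the service-tag structure into (network, region) tuples."""
    ranges = []
    for tag in tags["values"]:
        region = tag["properties"]["region"]
        for prefix in tag["properties"]["addressPrefixes"]:
            ranges.append((ipaddress.ip_network(prefix), region))
    return ranges


AZURE_RANGES = load_azure_ranges(AZURE_SERVICE_TAGS)


def classify_signin(ip_str, asn):
    """Return None when the source looks like normal tenant egress, else a reason string.

    Order matters: the tenant's own Azure egress must be allow-listed before the
    generic Azure-range check, otherwise every legitimate cloud sign-in fires.
    """
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in TENANT_EGRESS):
        return None
    for net, region in AZURE_RANGES:
        if ip in net:
            return f"Azure public range ({region}) outside tenant egress"
    if asn in PROXY_ASNS:
        return f"residential/mobile proxy ASN {asn}"
    return None


# Constructed sign-in records: (user, source IP, source ASN as resolved by the IdP).
SAMPLE_SIGNINS = [
    ("admin@corp.example", "203.0.113.9", 64510),   # tenant's own egress: no finding
    ("admin@corp.example", "203.0.113.77", 64510),  # same region, attacker-provisioned Azure host
    ("cfo@corp.example", "192.0.2.41", 64500),      # residential address sold by a proxy provider
    ("cfo@corp.example", "192.0.2.200", 64496),     # ordinary home ISP address: no finding
]


def review_signins(records):
    """Return (user, ip, reason) for every record that produced a finding."""
    findings = []
    for user, ip, asn in records:
        reason = classify_signin(ip, asn)
        if reason is not None:
            findings.append((user, ip, reason))
    return findings


if __name__ == "__main__":
    for finding in review_signins(SAMPLE_SIGNINS):
        print(*finding, sep=" | ")
```

On the constructed records the second and third sign-ins are flagged and the other two pass, which is the point: the attacker's Azure VM sits in the same region as the tenant's own egress and the proxy exit is a genuine residential address, so neither would trip a geography-only rule. The ASN list is the weak half of this check in practice; a source IP that a proxy provider can rotate at will is only worth correlating with the rest of the session (new device, fresh token, unusual client) rather than blocking on its own.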
“In this case, abuse of a third party, a CSP, could facilitate access to a wide scope of potential victims through a single compromise. Though Mandiant cannot currently attribute this activity with high confidence, the operational security associated with this intrusion and exploitation of a third party is consistent with the tactics employed by the actors behind the SolarWinds compromise and highlights the effectiveness of leveraging third parties and trusted vendor relationships,” concludes the report.