A new wave of NOBELIUM attacks has been reported by Microsoft. NOBELIUM is the same threat actor Microsoft attributed the SolarWinds attack to, a Russia-based group attacking mostly US-based government and corporate networks. According to the report, the latest attacks came in the form of phishing emails disguised as official mail from the USAID government agency.
The hack begins when a user clicks on an LNK file attached to the phishing email. Upon execution it spawns a process, using either the default Windows binary rundll32.exe or cmd.exe, to load the actual malware into memory. After this chain of events, the malware drops and executes a malicious loader, dubbed NativeZone by Microsoft, that is responsible for executing shellcode it receives either from an embedded buffer or from a remote server via HTTP. The content of the shellcode is reported to be a Cobalt Strike beacon.
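The chain described above (a user-launched LNK whose target is rundll32.exe or cmd.exe) leaves a recognisable trace in process-creation telemetry: explorer.exe as the parent, one of those two living-off-the-land binaries as the child, and a command line that points into a user-writable location. The following is an added example, not code from Minerva Labs or from Microsoft's report; it runs a heuristic of that shape over a handful of constructed Sysmon-style events. The paths, DLL names and the `USER_WRITABLE` pattern are assumptions for illustration, not indicators from the campaign.

```python
import re
from dataclasses import dataclass

# Binaries the reported chain abuses as the LNK target.
LOLBINS = {"rundll32.exe", "cmd.exe"}

# Locations a phishing attachment typically lands in or stages from
# (assumed list; extend to match your environment).
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads|desktop)\\|\\programdata\\|\\windows\\temp\\",
    re.IGNORECASE,
)


@dataclass
class ProcessEvent:
    """Minimal subset of a Sysmon Event ID 1 record."""
    image: str
    parent_image: str
    command_line: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious_lnk_chain(ev: ProcessEvent) -> bool:
    """True when a user click (explorer.exe) spawns rundll32/cmd that references
    a user-writable path, which is how an LNK dropper typically surfaces."""
    child = basename(ev.image)
    if child not in LOLBINS:
        return False
    if basename(ev.parent_image) != "explorer.exe":
        return False
    return bool(USER_WRITABLE.search(ev.command_line))


def triage(events: list[ProcessEvent]) -> list[int]:
    """Return the indices of events that match the heuristic."""
    return [i for i, ev in enumerate(events) if is_suspicious_lnk_chain(ev)]


# Constructed sample telemetry; none of these values are from the real campaign.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\explorer.exe",
                 r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\Documents.dll",Open'),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
                 r'cmd.exe /c start "" "C:\Users\alice\Downloads\report.exe"'),
    # Benign: Control Panel applet launched from a shortcut.
    ProcessEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\explorer.exe",
                 r"rundll32.exe shell32.dll,Control_RunDLL"),
    # Different parent: not the user-click pattern this rule targets.
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\services.exe",
                 r"cmd.exe /c C:\ProgramData\maint\cleanup.bat"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe",
                 r"notepad.exe C:\Users\alice\Desktop\notes.txt"),
]

if __name__ == "__main__":
    for i in triage(SAMPLE_EVENTS):
        print(f"[ALERT] event {i}: {SAMPLE_EVENTS[i].command_line}")
```

The rule is deliberately narrow (parent must be explorer.exe) so that scheduled tasks and service-spawned cmd.exe do not flood it; a second rule keyed on the loader's later behaviour (for example outbound HTTP from a process that was never installed) would cover the stage the first one misses.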
Before executing the shellcode, this pernicious backdoor queries for the existence of various VBox and VMware artifacts on the machine. This is a common method used by malware to thwart analysis attempts. It is not the first time NOBELIUM has used this type of evasion technique: the SolarWinds backdoor reportedly queried periodically for analysis tools by process name and would not connect back to its C&C server upon finding such a process. The artifacts queried by NativeZone are shown in Figure 1, taken from Microsoft’s blog.
Stopping malware based on evasive behavior is exactly what Minerva does. By simulating a hostile environment we use the malware code against itself, causing it to self-destruct. That is exactly what happened to the NativeZone backdoor when executed against our product:
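The two paragraphs above describe one mechanism from both sides: the sample checks for VM artifacts and aborts if it finds any, and the defence is to make a real workstation answer those checks as if it were an analysis VM. The following is an added example, not Minerva's product code; it models the host's file, registry and process inventory as an object the probe queries, then wraps it in a decoy layer that claims the artifacts exist. The artifact names are well-known VirtualBox and VMware guest-tools names chosen here as assumptions; they are not the list from Figure 1.

```python
from dataclasses import dataclass, field

# Artifact classes a VM-aware sample commonly probes (assumed examples).
VM_ARTIFACTS = {
    "files": [r"C:\Windows\System32\drivers\VBoxMouse.sys",
              r"C:\Windows\System32\drivers\vmhgfs.sys"],
    "registry": [r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions",
                 r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"],
    "processes": ["VBoxService.exe", "vmtoolsd.exe"],
}


@dataclass
class HostEnvironment:
    """What a process can observe about the machine (constructed inventory)."""
    files: set = field(default_factory=set)
    registry: set = field(default_factory=set)
    processes: set = field(default_factory=set)

    def file_exists(self, path: str) -> bool:
        return path.lower() in {f.lower() for f in self.files}

    def registry_key_exists(self, key: str) -> bool:
        return key.lower() in {k.lower() for k in self.registry}

    def process_running(self, name: str) -> bool:
        return name.lower() in {p.lower() for p in self.processes}


class DecoyEnvironment(HostEnvironment):
    """Hostile-environment simulation: answers every query the real host would,
    and additionally reports the configured decoy artifacts as present."""

    def __init__(self, real: HostEnvironment, decoys: dict):
        super().__init__(
            files=real.files | set(decoys.get("files", [])),
            registry=real.registry | set(decoys.get("registry", [])),
            processes=real.processes | set(decoys.get("processes", [])),
        )


def analysis_environment_detected(env: HostEnvironment, artifacts=VM_ARTIFACTS) -> bool:
    """The shape of the check the report attributes to NativeZone: any hit is enough."""
    return (any(env.file_exists(f) for f in artifacts["files"])
            or any(env.registry_key_exists(k) for k in artifacts["registry"])
            or any(env.process_running(p) for p in artifacts["processes"]))


def simulate_sample(env: HostEnvironment) -> str:
    """Stand-in for the loader's decision: abort on detection, otherwise proceed."""
    return "aborted" if analysis_environment_detected(env) else "executed"


def missing_decoys(env: HostEnvironment, artifacts=VM_ARTIFACTS) -> dict:
    """Coverage audit: which probed artifacts does this host NOT present?
    A decoy set must cover every class the sample checks, not just one."""
    return {
        "files": [f for f in artifacts["files"] if not env.file_exists(f)],
        "registry": [k for k in artifacts["registry"] if not env.registry_key_exists(k)],
        "processes": [p for p in artifacts["processes"] if not env.process_running(p)],
    }


# Constructed inventory of an ordinary user workstation (no VM tooling).
BARE_METAL = HostEnvironment(
    files={r"C:\Windows\System32\drivers\ndis.sys"},
    registry={r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"},
    processes={"explorer.exe", "svchost.exe"},
)

# Same machine presented through a decoy layer covering all three classes.
DECOYED = DecoyEnvironment(BARE_METAL, VM_ARTIFACTS)

if __name__ == "__main__":
    print("bare metal :", simulate_sample(BARE_METAL))
    print("with decoys:", simulate_sample(DECOYED))
    print("uncovered  :", missing_decoys(DECOYED))
```

The audit function is the part worth keeping: an evasive sample needs only one true answer to bail out, so the decoy layer needs to present every artifact class the sample checks, and a host whose decoys cover files and registry but not process names is not hostile to a sample that enumerates processes.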
For a full demo of Minerva Labs’ anti-ransomware platform, contact us using the form below.