article featured image


Nobelium is a Russian-backed advanced persistent threat (APT) organization that achieved attention towards the end of 2020 after breaching SolarWinds’ software development supply chain to obtain access to espionage targets, and it continues to deploy creative approaches in its search for new victims.

What Happened?

The Nobelium hacking group continues to breach government and enterprise networks worldwide by targeting their cloud and managed service providers and using a new custom “Ceeloader” malware.

Researchers from Mandiant managed to uncover tactics, techniques, and procedures (TTP) used by the hacking group, as well as a new custom downloader called “Ceeloader.”

In at least one instance, the threat actor identified and compromised a local VPN account and made use of this VPN account to perform reconnaissance and gain further access to internal resources within the victim CSP’s environment, which ultimately led to the compromise of internal domain accounts.

The threat actors leveraged compromised privileged accounts and used SMB, remote WMI, remote scheduled tasks registration, and PowerShell to execute commands within victim environments.

The threat actor used the protocols mainly to perform reconnaissance, distribute beacons (Cobalt Strike) around the network, as well as run native Windows commands for credential harvesting.


The New “Ceeloader”

CeeLoader, which is written in C and enables shellcode payloads that are performed in memory, was detected being deployed as a Scheduled Task by the Cobalt Strike Beacon malware, which once downloaded operated as SYSTEM on victims’ individual PCs. The loader, which was discovered in the third quarter of 2021, is a version of the VaporRage malware family, which Microsoft is tracking.

While the two have certain functional similarities, such as the ability to extract second-stage encrypted payloads, CeeLoader incorporates a number of modifications that make analysis more difficult, according to Jenkins. The code of the loader is obscured by enormous amounts of trash code and pointless calls to the Windows API.

CeeLoader encrypts payloads with AES-256, whereas VaporRage utilizes a simple XOR technique, as both payloads run shellcode that is loaded directly into memory, and the malware has been known to load Beacon in both situations. Both examples appear to be launched by rundll32, a Windows program used to load DLLs from disk. Furthermore, in both examples, a particular export is normally called to run the sample; this is usually a tactic used by the threat actor to avoid detection by automated sandboxes.

The tactics used to get initial access differed amongst attackers. The threat actor hacked a local VPN account in one assault to perform reconnaissance and acquire access to the cloud service provider’s (CSP) environment. In another effort, threat actors used a stolen session token to obtain access to the companies’ Microsoft 365 account.

Mandiant analyzed the workstations belonging to the end user and discovered that some systems had been infected with Cryptbot, an info-stealer malware, shortly before the stolen session token was generated,” said researchers. “Mandiant observed that in some cases the user downloaded the malware after browsing to low reputation websites offering free, or cracked, software.


It’s worth noting that Nobelium leverages residential IP addresses (proxies), TOR, VPS (Virtual Private Services), and VPN (Virtual Private Networks) to access the victims’ environment in order to prevent tries to trace the assaults.

The attackers used genuine Microsoft Azure-hosted servers with IP addresses close to the victims’ network.

This method blends external and internal traffic, making detection of fraudulent activity improbable and analysis more difficult.

How Can Heimdal™ Help You?

Heimdal™ is always updated and keeps pace with the latest cybersecurity trends, a quality that perfectly illustrates its products too. Our awarded Threat Prevention Endpoint solution uses Machine Learning, cybercrime intelligence, and artificial intelligence capabilities to help you prevent future threats with 96 % accuracy on your endpoints, a very efficient threat hunting solution that makes malicious URLs, processes, and attacker’s origins no longer anonymous.

Did you enjoy this article? Follow us on LinkedInTwitterFacebookYoutube, or Instagram to keep up to date with everything we post!

Author Profile

Dora Tudor

Cyber Security Enthusiast

linkedin icon

Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.

Leave a Reply

Your email address will not be published. Required fields are marked *