Heimdal

The Microsoft Threat Intelligence Center (MSTIC) disclosed that the hacking group APT29, also known as Nobelium, compromised the Contact account for USAID, using four new malware families.

By using a legitimate marketing account, the threat actors impersonated USAID in phishing emails sent to more than 3,000 email accounts at more than 150 organizations, including government agencies and organizations devoted to international development, humanitarian, and human rights work.

Microsoft has published details on the four new malware families Nobelium used in these attacks: an HTML attachment named ‘EnvyScout’, a downloader known as ‘BoomBox’, a loader known as ‘NativeZone’, and a shellcode downloader and launcher named ‘VaporRage’.

EnvyScout

EnvyScout is a malicious HTML/JS file attachment used in spear-phishing emails; it attempts to steal the NTLM credentials of Windows accounts and drops a malicious ISO on the victim’s device.

EnvyScout is distributed as a file named NV.html; when opened, it attempts to load an image from a file:// URL.

In response, Windows may send the logged-in user’s NTLM credentials to the remote site, allowing the attackers to capture the credential hash and brute-force it to recover the plaintext password.

According to Microsoft, the attachment can also be used to convert an embedded text blob into a malicious ISO saved as NV.img to the local file system.

When the ISO image is opened, Windows shows the user a shortcut named NV that executes the hidden BOOM.exe.

BoomBox

The BOOM.exe file in the ISO image, detected as ‘BoomBox,’ is used to download two encrypted malware files to the infected device from Dropbox.

BoomBox decrypts the files and saves them as

%AppData%\Microsoft\NativeCache\NativeCacheSvc.dll

and

%AppData%\SystemCertificates\CertPKIProvider.dll

and then executes them via rundll32.exe. NativeCacheSvc.dll is configured to launch automatically when a user logs into Windows and is used to launch CertPKIProvider.dll.

BoomBox malware will finally gather information about the Windows domain, encrypt the collected data, and send it to a remote server under the attacker’s control.

NativeZone

The NativeCacheSvc.dll file was detected as a new malware loader called ‘NativeZone’; it is dropped and configured by BoomBox to start automatically when a user logs into Windows.

When started via rundll32.exe, it will launch the CertPKIProvider.dll malware that Microsoft detects as ‘VaporRage.’
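Detection logic for the BoomBox/NativeZone persistence chain described above, as an added example that is not from the article or from Microsoft's report: it parses constructed Sysmon-style process-creation events and flags rundll32.exe loading a DLL from the user-writable %AppData% tree, with a high-severity hit for the two drop paths the article names. It assumes %AppData% resolves to the Roaming folder (the Windows default) and that events arrive as key=value lines; the sample events are made up.

```python
import re

# Drop locations quoted in the article above, relative to %AppData% (Roaming).
DROPPED_DLLS = {
    r"microsoft\nativecache\nativecachesvc.dll": "NativeZone loader (NativeCacheSvc.dll)",
    r"systemcertificates\certpkiprovider.dll": "VaporRage downloader (CertPKIProvider.dll)",
}
APPDATA_RE = re.compile(r"\\appdata\\roaming\\(.+)$", re.IGNORECASE)
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# First argument handed to rundll32: the DLL path, up to a comma (export name) or quote.
RUNDLL_RE = re.compile(r'\s*"?(?:[^\s"]*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+)', re.IGNORECASE)

# Constructed Sysmon-style process-creation events for this example; not real telemetry.
SAMPLE_EVENTS = [
    r'Image=C:\Windows\System32\rundll32.exe CommandLine="rundll32.exe C:\Users\alice\AppData\Roaming\Microsoft\NativeCache\NativeCacheSvc.dll" ParentImage=C:\Windows\explorer.exe',
    r'Image=C:\Windows\System32\rundll32.exe CommandLine="rundll32.exe C:\Users\alice\AppData\Roaming\SystemCertificates\CertPKIProvider.dll" ParentImage=C:\Windows\System32\rundll32.exe',
    r'Image=C:\Windows\System32\rundll32.exe CommandLine="rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL" ParentImage=C:\Windows\explorer.exe',
    r'Image=C:\Windows\System32\rundll32.exe CommandLine="rundll32.exe C:\Users\bob\AppData\Roaming\Vendor\plugin.dll,Init" ParentImage=C:\Windows\explorer.exe',
    r'Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe notes.txt" ParentImage=C:\Windows\explorer.exe',
]

def parse_event(line):
    """Parse a key=value event line; quoted values may contain spaces."""
    return {k: (inner if raw.startswith('"') else raw) for k, raw, inner in KV_RE.findall(line)}

def assess(event):
    """Return (severity, message) if rundll32 loads a DLL from the user-writable AppData tree."""
    m = RUNDLL_RE.match(event.get("CommandLine", ""))
    if not m:
        return None
    dll = m.group(1).strip()
    loc = APPDATA_RE.search(dll)
    if not loc:
        return None  # DLLs under system directories are ordinary rundll32 usage
    family = DROPPED_DLLS.get(loc.group(1).lower())
    if family:
        return ("high", f"rundll32 loading {family} from {dll}")
    return ("medium", f"rundll32 loading a DLL from user-writable AppData: {dll}")

def hunt(lines):
    """Run assess() over raw event lines and return the findings in order."""
    return [hit for hit in (assess(parse_event(line)) for line in lines) if hit]

if __name__ == "__main__":
    for severity, message in hunt(SAMPLE_EVENTS):
        print(severity.upper(), message)
```

The medium-severity rule is deliberately broader than the two named files, so a renamed drop still surfaces for triage.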

VaporRage

‘VaporRage’ is the CertPKIProvider.dll file described in the NativeZone section above. This malware connects back to a remote command and control server, registers itself with the attackers, and then retrieves shellcode from the remote site.

As its last action, the malware executes the downloaded shellcode to carry out malicious activity, such as deploying Cobalt Strike beacons.

Author Profile

Dora Tudor

Cyber Security Enthusiast


Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.
