Nobelium Activity Targets Government and Business Entities
Researchers at Mandiant are tracking a suspected Russian campaign targeting government and business entities around the globe. Mandiant reports that the activity is plausibly linked to Nobelium (APT29/Cozy Bear), the group behind the SolarWinds supply chain attack.
The alleged Nobelium campaign is a sophisticated infection chain that utilizes info-stealer malware, a novel downloader, and the abuse of Multi-Factor push notifications. As with past Nobelium campaigns, data theft appears to be the threat actors’ primary goal, specifically “data relevant to Russian interests.”
Mandiant reports that initial access for this campaign predominantly came from targeting service providers in a malspam campaign deliver Cryptbot. An info-stealer seen bundled with free “cracked” software, Cryptbot, harvests credentials and bundles them into a zip-file destined for a C2 server. Armed with credentials, threat actors have abused MFA by sending repeated requests to an authorized device until a user accepted the request.
Once the threat actor has access to the system, Cobalt Strike Beacon is used to deploy a novel malware loader called CeeLoader a scheduled task.
CeeLoader is heavily obfuscated, hiding in large blocks of junk code to evade detection. The downloader supports executing shellcode in memory and uses AES-256 to encrypt payloads, which complicates analysis.
We recommend reviewing Madiant’s whitepaper for hardening Microsoft 365 to defend from UNC2452 (Nobelium). Consider blocking C2 IP & URL addresses to prevent communication with C2 servers.
The Security Operation Center is retroactively searching client environments for IoCs and will communicate any findings. The Security On-Demand Threat Recon Unit will continue to monitor these events and will provide any critical updates as more information is provided. Please contact us if you have any questions.
Indicators of Compromise
Hashes for known malicious files