{"id":18355,"date":"2022-02-24T13:40:04","date_gmt":"2022-02-24T21:40:04","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/02\/24\/news-12088\/"},"modified":"2022-02-24T13:40:04","modified_gmt":"2022-02-24T21:40:04","slug":"news-12088","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/02\/24\/news-12088\/","title":{"rendered":"Nobelium Returns to the Political World Stage"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\"><\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2><a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs.html?utm_source=blog&amp;utm_medium=campaign&amp;utm_campaign=FortiGuardLabs\">FortiGuard Labs<\/a>\u00a0Research<\/h2>\n<p><b>Affected Platforms: <\/b>Windows<br \/> <b>Impacted Users: <\/b>Windows users associated with the targeted embassies<br \/> <b>Impact: <\/b>Compromised machines are under the control of the threat actor<br \/> <b>Severity Level: <\/b>Medium <\/p>\n<p>Nobelium, also known as APT29 and Cozy Bear, is a highly sophisticated group of Russian-sponsored cybercriminals. Approximately two years ago, countless system administrators and IT teams were forced to work around the clock to address Nobelium\u2019s attack on SolarWinds. And last year, they similarly targeted numerous IT supply chains in the hopes of being able to embed themselves once again deep inside IT networks. But fast forward to today, and the Nobelium group seems to have shifted their focus. This time, rather than targeting software solutions, they have begun targeting embassies. 
While these attacks may not impact the average Windows computer user, they do have potentially larger political ramifications.<\/p>\n<p>FortiGuard Labs has uncovered evidence that the Nobelium group is impersonating someone associated with the Turkish embassy in targeted email-based attacks. We will be analyzing one such attack that uses Omicron\/Covid-19 as a lure. Those working in or around embassies are urged to be extra diligent when opening emails.<\/p>\n<p> In this blog, we will highlight techniques and code reuse by Nobelium. We will also highlight the usage of JARM, which is a widely used technology created by Salesforce to fingerprint and track malicious servers.\u00a0\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/nobelium-returns-to-the-political-world-stage\/_jcr_content\/root\/responsivegrid\/image.img.png\/1645729548791\/img1.png\" alt=\"Example of Embassy email lure\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1: Embassy email<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The source email address seems to be a legitimate, albeit compromised email account of a government department focused on social affairs. In tracing this, however, this email comes from a French-speaking country in Africa. It is disguised as coming from a Turkish embassy and sent to a Portuguese-speaking nation, although it is written in English.<\/p>\n<p>The email itself comes with a .HTML file attachment. This file contains malicious JavaScript designed to create an .ISO file on the user\u2019s computer. 
Figure 2 shows some similarities between a previous Nobelium attack and this current version.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/nobelium-returns-to-the-political-world-stage\/_jcr_content\/root\/responsivegrid\/image_2072000706.img.png\/1645729624126\/fig2.png\" alt=\"Example of malicious JavaScript used in the .HTML file attachment in embassy email lures\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2: Malicious JavaScript<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The original <a href=\"https:\/\/attack.mitre.org\/techniques\/T1027\/006\/\" target=\"_blank\">HTML Smuggling<\/a> attack conducted by Nobelium used EnvyScout to convert a text blob into an .ISO file. EnvyScout is one of the toolsets used as a dropper in spearphishing attacks by this APT group. As seen in Figure 2, both samples used an application type of \u201cx-cd-image.\u201d This part of the attack has changed very little. 
However, Figure 3 below shows the function used to create the .ISO file has been streamlined from previous iterations.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/nobelium-returns-to-the-political-world-stage\/_jcr_content\/root\/responsivegrid\/image_856546370.img.png\/1645729690886\/img3.png\" alt=\"Example ISO created by HTML smuggling attack conducted by Nobelium\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3: ISO creation<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Once the .ISO file has been created on the user\u2019s machine, the attack requires a user to open the file. By default, opening an .ISO file on modern versions of Windows causes it to mount the file on the next available drive letter. Once mounted, the files can be seen. 
Figure 4 below shows this part of the attack chain.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/nobelium-returns-to-the-political-world-stage\/_jcr_content\/root\/responsivegrid\/image_1598980523.img.png\/1645729737593\/img4.png\" alt=\"Screenshot of mounted ISO files\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4: Mounted ISO files<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>One of the previous variants of the Nobelium attack was dated almost exactly one year prior to the current attack. Both versions contain malicious shortcuts that point to a DLL file. In the current version, the DLL file inside the bin folder is named \u201cDeleteDateConnectionPosition.dll.\u201d<\/p>\n<p>In the past, one of the payloads used was a Cobalt Strike beacon, and this is the case in this current version. Given the current political situation, it is clearly in Russia\u2019s best interest to know what other governments are thinking, planning, and doing, and successful installation of a Cobalt Strike beacon provides a foothold into the embassies they are interested in monitoring. 
To achieve this objective, the shortcut launches the DLL using an export named \u201cDeleteDateConnectionPosition.\u201d<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--6 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/nobelium-returns-to-the-political-world-stage\/_jcr_content\/root\/responsivegrid\/image_2023479340.img.png\/1645729778783\/img5.png\" alt=\"Screenshot of list of DLL Exports\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5: DLL Exports<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Many of the exports inside the DLL contain junk code. As such, debugging the malware is faster than statically analyzing it. Once completed we discovered a C2 server, as shown below.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/nobelium-returns-to-the-political-world-stage\/_jcr_content\/root\/responsivegrid\/image_2108396007.img.png\/1645729830746\/img6.png\" alt=\"Example of how to debug the malicious DLL\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 6: Debugging the malicious DLL<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>According to our sources, this server is not a shared server and the IP address only contains the sinitude[.]com domain.<\/p>\n<h2>JARM Fingerprinting<\/h2>\n<p>For those unfamiliar with <a 
href=\"https:\/\/engineering.salesforce.com\/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a\" target=\"_blank\">JARM<\/a>, it is a technology developed by Salesforce to fingerprint servers for the purposes of clustering. Specifically, JARM revolves around a server\u2019s TLS implementation. As further explained by Salesforce, it is not a secure crypto function, and as a result, it may produce false positives. Cybercriminals are able to misuse JARM to group malicious servers into relevant clusters.<\/p>\n<p>The JARM signature for sinitude[.]com has been found on numerous servers. Many of these servers have also acted as Cobalt Strike beacon <a href=\"https:\/\/github.com\/carbonblack\/active_c2_ioc_public\/blob\/main\/cobaltstrike\/JARM\/jarm_cs_202107_uniq_sorted.txt\" target=\"_blank\">C2 servers<\/a>. During the course of our investigation, we also observed this JARM signature on <a href=\"https:\/\/80vul.medium.com\/one-zoomeye-query-cleans-bazarloader-c2s-4b49a71ec10d\" target=\"_blank\">C2 servers<\/a> associated with the malware family BazarLoader. BazarLoader, among other things, contains code and application guardrails that make sure it is not running on a Russian computer.<\/p>\n<p>By looking at network traffic since the beginning of this year, we found that several IP addresses are connected to sinitude[.]com. However, our data indicates that only one IP address (back in January) actually created a full connection to communicate with the C2. This IP address is located in Kharkiv, the second largest city in Ukraine. This Kharkiv IP address itself has communicated with unique malware families and is part of the TOR network.<\/p>\n<h2>Conclusion<\/h2>\n<p>In this latest attack, Nobelium has used techniques similar to those they have used in the past. Malicious emails remain the predominant way to infiltrate organizations, and Nobelium takes advantage of that attack vector. 
The biggest difference now is the political landscape. While previous attacks carried out by Nobelium may have been more technical in nature, this latest round has far more consequences on the political world stage. \u00a0<\/p>\n<h2>Fortinet Protections<\/h2>\n<p>The FortiGuard Antivirus Service detects and blocks both the .ISO and DLL files as W64\/CobaltStrike_Beacon.A!tr.<\/p>\n<p>The FortiGuard Antivirus Service detects and blocks the malicious html email attachment as JS\/Agent.ONO!tr.<\/p>\n<p>All relevant network IOCs are blocked by the WebFiltering client.<\/p>\n<h2>MITRE TTPs<\/h2>\n<p>\u00a0<\/p>\n<h2>IOCs<b><br \/> <\/b><\/h2>\n<p><b>File IOCs<\/b><\/p>\n<p>Covid.html (SHA2: A896C2D16CADCDEDD10390C3AF3399361914DB57BDE1673E46180244E806A1D0)<\/p>\n<p>Covid.iso (SHA2: 3CB0D2CFF9DB85C8E816515DDC380EA73850846317B0BB73EA6145C026276948)<\/p>\n<p>DeleteDateConnectionPosition.dll (SHA2: 6EE1E629494D7B5138386D98BD718B010EE774FE4A4C9D0E069525408BB7B1F7)<\/p>\n<p> <b>Network IOCs<\/b><\/p>\n<p>Sinitude[.]com<\/p>\n<p>JARM Signature:\u00a0 2ad2ad0002ad2ad0002ad2ad2ad2ade1a3c0d7ca6ad8388057924be83dfc6a<\/p>\n<p><i>Learn more about <a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?utm_source=blog&amp;utm_campaign=FortiGuardLabs\">FortiGuard Labs<\/a> global threat intelligence and research and the <a href=\"https:\/\/www.fortinet.com\/support\/support-services\/fortiguard-security-subscriptions\/fortiguard-services-bundles.html?utm_source=blog&amp;utm_campaign=fortiguard-service-bundles\">FortiGuard Security Subscriptions and Services<\/a> portfolio.<\/i><\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<div id=\"om-qbkzwxxbiv83f0ol5a2d-holder\"><\/div>\n<\/div><\/div>\n<\/p><\/div>\n<p><a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/nobelium-returns-to-the-political-world-stage\" target=\"bwo\" 
>http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/blog\/threat-research\/nobelium-returns-to-the-political-world-stage\/_jcr_content\/root\/responsivegrid\/image.img.png\/1645729548791\/img1.png\"\/><br \/>FortiGuard Labs has discovered evidence that the Nobelium Group is impersonating someone associated with the Turkish embassy as a lure to introduce a Cobalt Strike beacon payload and gain access. Read our blog to learn more.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-18355","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18355","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18355"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18355\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18355"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18355"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18355"}],"curies":[{"name":"wp","href":
"https:\/\/api.w.org\/{rel}","templated":true}]}}