NOBELIUM’s EnvyScout infection chain goes in the registry, targeting embassies
Common Information
Type | Value |
---|---|
UUID | e5d3b414-a233-41cb-bfd6-141234e6af6e |
Fingerprint | a6325a7f01cfa43b |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Jan. 6, 2022, 1:30 p.m. |
Added to db | Sept. 11, 2022, 12:36 p.m. |
Last updated | Nov. 17, 2024, 6:56 p.m. |
Headline | NOBELIUM’s EnvyScout infection chain goes in the registry, targeting embassies |
Title | NOBELIUM’s EnvyScout infection chain goes in the registry, targeting embassies |
Detected Hints/Tags/Attributes | 114/4/76 |
Attributes
Type | #Events | Value |
---|---|---|
File | 1 | windows.msg |
File | 12 | pe.dll |
File | 17 | 1768.py |
File | 9 | %windir%\syswow64\dllhost.exe |
File | 9 | %windir%\sysnative\dllhost.exe |
File | 2 | rkernel32.dll |
Github username | 8 | sekoia-io |
MITRE ATT&CK Techniques | 82 | T1583.001 |
MITRE ATT&CK Techniques | 62 | T1583.003 |
MITRE ATT&CK Techniques | 310 | T1566.001 |
MITRE ATT&CK Techniques | 22 | T1566.003 |
MITRE ATT&CK Techniques | 460 | T1059.001 |
MITRE ATT&CK Techniques | 365 | T1204.002 |
MITRE ATT&CK Techniques | 23 | T1027.006 |
MITRE ATT&CK Techniques | 442 | T1071.001 |
Threat Actor Identifier - APT | 665 | APT29 |
Url | 1 | https://www.github.com/sekoia-io/community/tree/main/iocs |
Windows Registry Key | 1 | HKCU\SOFTWARE\MSOffice\Version |
Windows Registry Key | 1 | HKCU\SOFTWARE\MSOffice\path |
Windows Registry Key | 1 | HKCU\SOFTWARE\JavaSoft\Ver |
Windows Registry Key | 1 | HKCU\SOFTWARE\JavaSoft\Ver2 |

Yara rules

```yara
rule apt_nobelium_hta_reg_dropper {
    meta:
        id = "9f6a2154-c33a-4c38-9667-7479bf49c310"
        description = "Matches HTA dropper file used by NOBELIUM and ISO files containing it"
        hash = "054940ba8908b9e11f57ee081d1140cb"
        hash = "b7ca8c46dc1bfc1d9cb9ce04a4928153"
        version = "1.0"
        creation_date = "2021-12-07"
        modification_date = "2021-12-07"
        classification = "TLP:WHITE"
        source = "SEKOIA"
    strings:
        $w = "RegWrite(" nocase
        // '+= document.getElementById("<0-4 bytes>").innerHTML'
        $x = { 2B 3D 20 64 6F 63 75 6D 65 6E 74 2E 67 65 74 45 6C 65 6D 65 6E 74 42 79 49 64 28 22 [0-4] 22 29 2E 69 6E 6E 65 72 48 54 4D 4C }
        $y = "<body onload=" nocase
        $z = "hidden" nocase
    condition:
        $y and (3 < #z) and (3 < #x) and (1 < #w)
}
```

```yara
rule apt_nobelium_hta_in_iso {
    meta:
        id = "874ab41b-5c60-4303-8776-e1c10313a401"
        description = "Matches ISO file embedding HTA"
        hash = "d4fdf63d88da2d59569bb621b18bf5e4"
        hash = "cc08a6df151b8879a4969b2e99086b48"
        version = "1.0"
        creation_date = "2021-12-02"
        modification_date = "2021-12-02"
        classification = "TLP:WHITE"
        source = "SEKOIA"
    strings:
        $ = "ImgBurn v2"
        $ = "<hta:application"
    condition:
        all of them and filesize > 1MB and filesize < 3MB
}
```

```yara
rule apt_nobelium_html_smuggling_iso {
    meta:
        id = "9bd5b626-8ea3-4607-a858-58deff18396c"
        version = "1.0"
        description = "Detect HTML smuggling with ISO"
        hash = "b87073c34a910f20a83c04c8efbd4f43"
        hash = "3d18bc4bfe1ec7b6b73a3fb39d490b64"
        source = "SEKOIA"
        creation_date = "2022-01-02"
        modification_date = "2022-01-02"
        classification = "TLP:WHITE"
    strings:
        $ = "new Blob"
        $ = ".click();"
        // '(<1-20 bytes>,"<1-20 bytes>.iso","application/x-cd-image")'
        $ = { 28 [1-20] 2C 22 [1-20] 2E 69 73 6F 22 2C 22 61 70 70 6C 69 63 61 74 69 6F 6E 2F 78 2D 63 64 2D 69 6D 61 67 65 22 29 }
    condition:
        filesize > 1MB and filesize < 2MB and all of them
}
```

```yara
rule apt_nobelium_b64_to_Uint8Array {
    meta:
        id = "66c9b00b-f021-4115-b9ec-d1e1f491ce72"
        description = "Detect Base64 decode to Uint8Array used in NOBELIUM HTML files"
        hash = "3d18bc4bfe1ec7b6b73a3fb39d490b64"
        version = "1.0"
        creation_date = "2021-12-02"
        modification_date = "2021-12-02"
        classification = "TLP:WHITE"
        source = "SEKOIA"
    strings:
        $a1 = "atob("
        // ' < <2-10 bytes>.length; i++){'
        $l0 = { 20 3C 20 [2-10] 2E 6C 65 6E 67 74 68 3B 20 69 2B 2B 29 7B }
        // '[i] = <2-10 bytes>.charCodeAt(i);'
        $l1 = { 5B 69 5D 20 3D 20 [2-10] 2E 63 68 61 72 43 6F 64 65 41 74 28 69 29 3B }
        $a2 = "new Uint8Array"
    condition:
        $l0 in (@a1 .. @a2) and $l1 in (@a1 .. @a2) and filesize > 1MB and filesize < 3MB
}
```

```yara
import "pe"

rule apt_nobelium_cs_loader_obfuscation {
    meta:
        id = "5f21b031-3dc1-4dad-b775-6099bfcb0472"
        version = "1.0"
        description = "Detect obfuscated CobaltStrike loaders used by NOBELIUM"
        hash = "41dd8cee47c036e7e9e92c395c5d1feb"
        hash = "4365057ef0c5a9518d95d53eab5995a8"
        source = "SEKOIA"
        creation_date = "2022-01-04"
        modification_date = "2022-01-04"
        classification = "TLP:WHITE"
    strings:
        // x86: fld qword ptr [disp32] ; fstp qword ptr [ebp+disp32]
        $j1 = { DD 05 ?? ?? ?? ?? DD 9D }
        // x86: two consecutive mov dword ptr [ebp+disp32], imm32
        $j2 = { C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 }
        // x86: cmp dword ptr [ebp+disp8], 0xFF ; jle <backward rel32>
        $c1 = { 81 7D ?? FF 00 00 00 0F 8E ?? ?? FF FF }
    condition:
        pe.characteristics & pe.DLL and pe.number_of_exports > 20 and filesize > 300KB and filesize < 400KB and #j1 > 50 and #j2 > 50 and #c1 == 2
}
```