NOBELIUM APT29 – EnvyScout

Summary of Analysis

The NOBELIUM group is also known as APT29. NOBELIUM has generally targeted government institutions, non-governmental organizations, think tanks, the military, IT service providers, R&D companies working in the healthcare field, and telecommunication providers in its attacks so far.

It has been observed that the NOBELIUM group has been using Spear Phishing techniques intensively since the SolarWinds attack. One of these techniques is HTML Smuggling. Using this technique, attackers bypass the target organization’s (if any) email-based antivirus software. It transmits an unsuspecting simple HTML file as an attached file to target users, allowing the Malware to spread. The name given by Microsoft to this attack technique performed by NOBELIUM is EnvyScout.

Example HTML Smuggling Attack
Example HTML Smuggling Attack

As a result of our analysis, it has been observed that an attack was carried out on the Turkish and Iranian Embassies and defense industry organizations using this attack technique. There is ISO data in an encoded form in the HTML file included in the attached file. After double-clicking on the HTML, this data is decoded and downloaded to the target system. If the target user opens the ISO file containing Malware and clicks on the Covid.HTA file in it, Cobalt Strike Malware will run as a file on the system with the help of Powershell. Thus, attackers gain remote control over target systems.

Technical Analysis

Cobalt Strike Beacon Shellcode Loader

 

EnvyScout HTML Smuggling

Below you can see the content of the e-mail sent to the Embassies by the NOBEULIM group. This HTML file is a phishing script containing the EnvyScout Malware. Attackers frequently use processes such as COVID-19 in Phsihing attacks.

HTML file sent to Iranian Embassy
HTML file sent to Iranian Embassy
HTML file sent to the Turkish Embassy
HTML file sent to the Turkish Embassy

A malware named Covid.iso, which is stored in the HTML file encoded with Base64, has been detected. As soon as the target user clicks on the HTML file, EnvyScout downloads the Covid.iso file (without internet connection) to the target system with the HTML Smuggling technique.

Covid.iso
Covid.iso

Instead of sending the malicious Covid.iso directly as an attached file, attackers hide it in HTML format with the help of JavaScript to bypass security systems and not attract attention. This attack technique has started to be used very frequently today.

base64_encrypt
base64_encrypt

The text data shown in green in the picture above includes the Covid.iso file encoded with Base64. The Download function decodes this data using JavaScript and downloads it to the target system with the ISO format and filename shown in red at the bottom.

Malicious in ISO Format

The biggest reason for keeping ISO file in malware with HTML Smuggling is to bypass EDR / Antivirus solutions and to trick the unconscious user and run the malware in the system without attracting attention.

covid.hta
covid.hta
Covid iso properties
Covid iso properties

Covid.HTA – Mshta LOLBIN Analysis

The use of HTA, classified as Living Off the Land Binaries (LOLBIN), is a rapidly growing technique today to run malware on target systems without being caught. In order to bypass EDR solutions in particular, Shellcode execution is done by executing Powershell commands via mshta.exe without writing data to the disk.

Covid.hta codes
Covid.hta codes

Attackers write Shellcode data encoded with Base64 on the Registry with the help of JavaScript code. This data is used by Powershell to run Cobalt Strike Malware inside the system. After the Malware (Shellcode) runs with Powershell, it automatically self-destructs from within the system to complicate the analysis.

Covid script
Covid script

As a result of our analysis, the Powershell code that was encoded with Base64 in the P1 and P2 div tags was decoded. When the opened data was analyzed, it was seen that 2 new values were written on the Registry named “HKCU\SOFTWARE\JavaSoft\Ver2” and “HKCU\SOFTWARE\JavaSoft\Ver”. It has been determined that the written values are the Shellcode in the P2 div tag.

Base64 Encoded P2 value
Base64 Encoded P2 value

Examining the decoded P2 String data, it is determined that it contains PE executables such as .text, .rdata, .data. Thus, the malware that the NOBEULIUM group wanted to run on the system as the final stage was revealed.

Encode Data
Encode Data

NativeZone – Powershell Shellcode Execution Analysis

Attackers heavily use Powershell for many operations such as opening obfuscated data, writing values on Registry and running Shellcode. Thus, Malware can be run without writing data to the disk.

The Shellcode value written on the Registry with the help of Covid.HTA was executed with Powershell as seen in the picture. The attackers got Inital Access on the target system via Cobalt Strike.

After the Shellcode data written on the Registry is read with Powershell and executed with the Windows API VirtualAlloc, it is automatically deleted. Shellcode Loader was detected when the P1 div tag in the Covid.HTA file was decoded.

Remove-ItemProperty HKCU:\\SOFTWARE\\JavaSoft
Remove-ItemProperty HKCU:\\SOFTWARE\\JavaSoft

As seen on the Process Tree, the infection chain first started with mshta.exe:

Process
Process

The attacker’s communication with C2 is made via HTTPS on port 443:

Powershell.exe

When we continue the analysis over Memory, Command and Control and Beacon.dll used by the attacker appear in string format.

Output of Beacon.dll data in string format on Memory indicates that the analyzed malware is Cobalt Strike variant.

In order to retrieve the Shellcode data from the Registry before it is deleted, the Remove-ItemProperty in the Covid.HTA code was deleted and the Malware was run again. Thus, the Shellcode data is received in Base64 format from the Registry.

 

NativeZone – Shellcode Analysis and Cobalt Strike Config Data

The Shellcode, which was extracted from the Registry and decoded for detailed analysis, was converted in DLL format and by applying Reverse Engineering techniques, it was confirmed that the pest uses Cobalt Strike.

By disassembly on IDA, it has been determined that the APIs used by the DLL file are used to communicate with the Cobalt Strike Server and to run the Shellcode data stored as encrypted on the Memory.

Entry Point Data Used by the Malware:

The purpose of ReflectiveLoader(x) is to run Malware from within Memory

DLLEntryPoint() is where the Cobalt Strike Malware starts working.

Cobalt Strike Config data Encrypted with XOR has been decoded. The config data gives us the details of the connection established with the attacker’s C2 server. It has been determined that the Shellcode Loader technique is NativeZone belonging to the APT29 group.

When the connection with the attacker’s Cobalt Strike Server was examined, it was determined that Nginx Malleable C2 was used. Malleable is one of the most important features of the C2 Cobalt Strike Pest. With this method, attackers can bypass IPS and IDS systems in internal networks. It can receive Reverse Shell over port 443.

cs2nginx -> https://github.com/threatexpress/cs2modrewrite/blob/master/cs2nginx.py

 

IOC Data

Domains:

midcitylanews[.]com
crochetnews[.]com
dom-news[.]com
readnewshot[.]com
pharaosjournal[.]com
bfilmnews[.]com
theanalyticsnews[.]com
galatinonews[.]com
muslimnewsdaily[.]com

MD5 Hash Data:

e999467bfc36d775dcad4207f56993f1
054940ba8908b9e11f57ee081d1140cb
b84c00ae9e7f9684b36d75a1a09f8210
3d18bc4bfe1ec7b6b73a3fb39d490b64
b87073c34a910f20a83c04c8efbd4f43
d4fdf63d88da2d59569bb621b18bf5e4
41dd8cee47c036e7e9e92c395c5d1feb
b7ca8c46dc1bfc1d9cb9ce04a4928153
cc08a6df151b8879a4969b2e99086b48
4365057ef0c5a9518d95d53eab5995a8

Tactics, Techniques and Procedures (TTPs)

T1566.001 – Phishing: Spearphishing Attachment
T1566.003 – Phishing: Spearphishing via Service
T1059.001 – Command and Scripting Interpreter: PowerShell
T1204.002 – User Execution: Malicious File
T1027.006 – Obfuscated Files or Information: HTML Smuggling
T1071.001 – Application Layer Protocol: Web Protocols
T1218.005 – Signed Binary Proxy Execution: Mshta

EnvyScout – https://attack.mitre.org/software/S0634/

NativeZone – https://attack.mitre.org/software/S0637/

 

Short Term Action Plan to Be Taken

  • If there is no SIEM, the controls of the relevant IOC, C2 addresses must be carried out on the systems that control the traffic at the Firewall and network perimeter layer. In addition, if traffic has occurred, performing malware analysis on the affected end-user computers and restricting access to the relevant addresses,
  • Powershell script on server systems, module logging opening, write correlation rules for APT groups’ behavior methods,
  • Performing updates on AD/EDR systems.
  • In places where there is no EDR structure, Sysmon infrastructure can be created as a temporary solution and it is recommended to create correlation rules for attack vectors in the SIEM system.
  • If there is a user with local admin rights (Administrator, or with a different name) on the end-user computers, it is recommended that the local admin user passwords on each user’s computer be managed differently, by connecting to the Microsoft LAPS service, as this user password is in the AD environment. Thanks to this method, if a pest infects the system, the horizontal progression process can be prevented.

YARA – Sigma Rules

Yara

rule apt_nobelium_powsershell_reg_loader_decoded {

  meta:
      id = “c8ee9c40-fa28-4b9a-98e8-88ccc4a16091“
      description = “Matches the decoded version of the Powershell loader stored in the registry“
      version = “1.0“
      creation_date = “2021-12-07“
      modification_date = “2021-12-07“
      classification = “TLP:WHITE“
      source=“SEKOIA“

  strings:
      $x = “FromBase64String((gp HKCU:\\\\SOFTWARE\\\\“
      $y = “Remove-ItemProperty HKCU:\\\\SOFTWARE\\\\“
       $z = “Invoke([IntPtr]::Zero)“

  condition:
      filesize < 3KB and
      $x and #y == 2 and
       $z at (filesize-22)

}
}

rule apt_nobelium_hta_reg_dropper {

   meta:
       id = “9f6a2154-c33a-4c38-9667-7479bf49c310“
       description = “Matches HTA dropper file used by NOBELIUM and ISO files containing it“
       hash = “054940ba8908b9e11f57ee081d1140cb“
       hash = “b7ca8c46dc1bfc1d9cb9ce04a4928153“
       version = “1.0“
       creation_date = “2021-12-07”
       modification_date = “2021-12-07“
       classification = “TLP:WHITE“
       source=“SEKOIA“

   strings:
       $w = “RegWrite(“ nocase
       $x = { 2b 3d 20 64 6f 63 75 6d
               65 6e 74 2e 67 65 74 45
               6c 65 6d 65 6e 74 42 79
               49 64 28 22 [0-4] 22 29
               2e 69 6e 6e 65 72 48 54
               4d 4c }

       $y = “<body onload=“ nocase
       $z = “hidden“ nocase

condition:
       $y and
       (3 < #z) and
       (3 < #x) and
       (1 < #w)
}

rule apt_nobelium_hta_in_iso {
   meta:
       id = “874ab41b-5c60-4303-8776-e1c10313a401“
       description = “Matches ISO file embedding HTA“
       hash = “d4fdf63d88da2d59569bb621b18bf5e4“
       hash = “cc08a6df151b8879a4969b2e99086b48“
       version = “1.0“
       creation_date = “2021-12-02”
       modification_date = “2021-12-02“
       classification = “TLP:WHITE“
       source=“SEKOIA“

   strings:
       $ = “ImgBurn v2“
       $ = “<hta:application“

   condition:
       all of them and

filesize > 1MB and
       filesize < 3MB

}

rule apt_nobelium_html_smuggling_iso {
   meta:
       id = “9bd5b626-8ea3-4607-a858-58deff18396c“
       version = “1.0“
       description = “Detect HTML smuggling with ISO“
       hash = “b87073c34a910f20a83c04c8efbd4f43”
       hash = “3d18bc4bfe1ec7b6b73a3fb39d490b64“
       source = “SEKOIA“
       creation_date = “2022-01-02”
       modification_date = “2022-01-02“
       classification = “TLP:WHITE“

   strings:
       $ = “new Blob“
       $ = “.click();“
       $ = { 28 [1-20] 2c 22 [1-20]
               2e 69 73 6f 22 2c 22 61
               70 70 6c 69 63 61 74 69
               6f 6e 2f 78 2d 63 64 2d
               69 6d 61 67 65 22 29 }

condition:
       filesize > 1MB and filesize < 2MB and all of them
}

rule apt_nobelium_b64_to_Uint8Array {
   meta:
       id = “66c9b00b-f021-4115-b9ec-d1e1f491ce72“
       description = “Detect Base64 decode to Uint8Array used in NOBELIUM HTML files“
       hash = “3d18bc4bfe1ec7b6b73a3fb39d490b64“
       version = “1.0“
       creation_date = “2021-12-02”
       modification_date = “2021-12-02“
       classification = “TLP:WHITE“
       source=“SEKOIA“

   strings:
       $a1 = “atob(“
       $l0 = { 20 3c 20 [2-10] 2e 6c 65 6e 67 74 68 3b 20 69 2b 2b 29 7b }
       $l1 = { 5b 69 5d 20 3d 20 [2-10] 2e 63 68 61 72 43 6f 64 65 41 74 28 69 29 3b }
       $a2 = “new Uint8Array“
   condition:
       $l0 in (@[email protected]) and
$l1 in (@[email protected]) and
       filesize > 1MB and filesize < 3MB
}

import “pe“

rule apt_nobelium_cs_loader_obfuscation {
   meta:
       id = “5f21b031-3dc1-4dad-b775-6099bfcb0472“
       version = “1.0“
       description = “Detect obfuscated CobaltStrike loaders used by NOBELIUM”  
       hash = “41dd8cee47c036e7e9e92c395c5d1feb“
       hash = “4365057ef0c5a9518d95d53eab5995a8“
       source = “SEKOIA“
       creation_date = “2022-01-04“
       modification_date = “2022-01-04“
       classification = “TLP:WHITE“
   strings:
       $j1 = { DD 05 ?? ?? ?? ?? DD 9D }
       $j2 = { C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 }
       $c1 = { 81 7D ?? FF 00 00 00 0F 8E ?? ?? FF FF }
   condition:

pe.characteristics & pe.DLL and
       pe.number_of_exports > 20 and
       filesize > 300KB and filesize < 400KB and
       #j1 > 50 and #j2 > 50 and #c1 == 2
}

Sigma

id: d9114938-6877-48d8-a785-bc07cb7220ff
title: PowerShell invoking in the command line a registry value to execute.
description: Detects a d9114938 execution which grabs a value in the windows registry to execute it.
references:
-  b84c00ae9e7f9684b36d75a1a09f8210
-  054940ba8908b9e11f57ee081d1140cb
status: experimental
author: 'SEKOIA.IO'
date: 2022/01/03
tags:
   - attack.T1059.001
logsource:
   category: process_creation
   product: windows
detection:

selection:
       Image|contains: 'powershell'
       CommandLine|contains: 'HKCU'
   selection2:
       CommandLine|contains:
           - 'invoke-expression'
           - 'iex'

       CommandLine|contains2:
           - 'gp'
           - 'Get-ItemProperty'
   condition: selection and selection2

level: medium

Sigma 2

title: MSHTA Spawning Windows Shell
id: 03cc0c25-389f-4bf8-b48d-11878079f1ca
status: test
description: Detects a Windows command line executable started from MSHTA
author: Michael Haag
references:
 - https://www.trustedsec.com/july-2015/malicious-htas/
date: 2019/01/16
modified: 2021/11/27

logsource:
 category: process_creation
 product: windows

detection:
 selection:
   ParentImage|endswith: '\mshta.exe'
 selection2:
   - Image|endswith:
     - '\cmd.exe'
     - '\powershell.exe'
     - '\wscript.exe'
     - '\cscript.exe'
     - '\sh.exe'
     - '\bash.exe'
     - '\reg.exe'
     - '\regsvr32.exe'
   - Image|contains:
     - '\BITSADMIN'

 condition: selection and selection2

fields:
 - CommandLine
 - ParentCommandLine

falsepositives:
 - Printer software / driver installations
 - HP software

level: high
tags:
 - attack.defense_evasion
 - attack.t1170            # an old one
 - attack.t1218.005
 - car.2013-02-003
 - car.2013-03-001
 - car.2014-04-003