The NOBELIUM group is also known as APT29. NOBELIUM has generally targeted government institutions, non-governmental organizations, think tanks, the military, IT service providers, R&D companies working in the healthcare field, and telecommunication providers in its attacks so far.
It has been observed that the NOBELIUM group has been using Spear Phishing techniques intensively since the SolarWinds attack. One of these techniques is HTML Smuggling. Using this technique, attackers bypass the target organization’s (if any) email-based antivirus software. It transmits an unsuspecting simple HTML file as an attached file to target users, allowing the Malware to spread. The name given by Microsoft to this attack technique performed by NOBELIUM is EnvyScout.
Example HTML Smuggling Attack
As a result of our analysis, it has been observed that an attack was carried out on the Turkish and Iranian Embassies and defense industry organizations using this attack technique. There is ISO data in an encoded form in the HTML file included in the attached file. After double-clicking on the HTML, this data is decoded and downloaded to the target system. If the target user opens the ISO file containing Malware and clicks on the Covid.HTA file in it, Cobalt Strike Malware will run as a file on the system with the help of Powershell. Thus, attackers gain remote control over target systems.
EnvyScout HTML Smuggling
Below you can see the content of the e-mail sent to the Embassies by the NOBEULIM group. This HTML file is a phishing script containing the EnvyScout Malware. Attackers frequently use processes such as COVID-19 in Phsihing attacks.
HTML file sent to Iranian Embassy HTML file sent to the Turkish Embassy
A malware named Covid.iso, which is stored in the HTML file encoded with Base64, has been detected. As soon as the target user clicks on the HTML file, EnvyScout downloads the Covid.iso file (without internet connection) to the target system with the HTML Smuggling technique.
Covid.iso
Instead of sending the malicious Covid.iso directly as an attached file, attackers hide it in HTML format with the help of JavaScript to bypass security systems and not attract attention. This attack technique has started to be used very frequently today.
base64_encrypt
The text data shown in green in the picture above includes the Covid.iso file encoded with Base64. The Download function decodes this data using JavaScript and downloads it to the target system with the ISO format and filename shown in red at the bottom.
Malicious in ISO Format
The biggest reason for keeping ISO file in malware with HTML Smuggling is to bypass EDR / Antivirus solutions and to trick the unconscious user and run the malware in the system without attracting attention.
covid.hta Covid iso properties
The use of HTA, classified as Living Off the Land Binaries (LOLBIN), is a rapidly growing technique today to run malware on target systems without being caught. In order to bypass EDR solutions in particular, Shellcode execution is done by executing Powershell commands via mshta.exe without writing data to the disk.
Covid.hta codes
Attackers write Shellcode data encoded with Base64 on the Registry with the help of JavaScript code. This data is used by Powershell to run Cobalt Strike Malware inside the system. After the Malware (Shellcode) runs with Powershell, it automatically self-destructs from within the system to complicate the analysis.
Covid script
As a result of our analysis, the Powershell code that was encoded with Base64 in the P1 and P2 div tags was decoded. When the opened data was analyzed, it was seen that 2 new values were written on the Registry named “HKCU\SOFTWARE\JavaSoft\Ver2” and “HKCU\SOFTWARE\JavaSoft\Ver”. It has been determined that the written values are the Shellcode in the P2 div tag.
Base64 Encoded P2 value
Examining the decoded P2 String data, it is determined that it contains PE executables such as .text, .rdata, .data. Thus, the malware that the NOBEULIUM group wanted to run on the system as the final stage was revealed.
Encode Data
Attackers heavily use Powershell for many operations such as opening obfuscated data, writing values on Registry and running Shellcode. Thus, Malware can be run without writing data to the disk.
The Shellcode value written on the Registry with the help of Covid.HTA was executed with Powershell as seen in the picture. The attackers got Inital Access on the target system via Cobalt Strike.
After the Shellcode data written on the Registry is read with Powershell and executed with the Windows API VirtualAlloc, it is automatically deleted. Shellcode Loader was detected when the P1 div tag in the Covid.HTA file was decoded.
Remove-ItemProperty HKCU:\\SOFTWARE\\JavaSoft
As seen on the Process Tree, the infection chain first started with mshta.exe:
Process
The attacker’s communication with C2 is made via HTTPS on port 443:
When we continue the analysis over Memory, Command and Control and Beacon.dll used by the attacker appear in string format.
Output of Beacon.dll data in string format on Memory indicates that the analyzed malware is Cobalt Strike variant.
In order to retrieve the Shellcode data from the Registry before it is deleted, the Remove-ItemProperty in the Covid.HTA code was deleted and the Malware was run again. Thus, the Shellcode data is received in Base64 format from the Registry.
The Shellcode, which was extracted from the Registry and decoded for detailed analysis, was converted in DLL format and by applying Reverse Engineering techniques, it was confirmed that the pest uses Cobalt Strike.
By disassembly on IDA, it has been determined that the APIs used by the DLL file are used to communicate with the Cobalt Strike Server and to run the Shellcode data stored as encrypted on the Memory.
Entry Point Data Used by the Malware:
The purpose of ReflectiveLoader(x) is to run Malware from within Memory
DLLEntryPoint() is where the Cobalt Strike Malware starts working.
Cobalt Strike Config data Encrypted with XOR has been decoded. The config data gives us the details of the connection established with the attacker’s C2 server. It has been determined that the Shellcode Loader technique is NativeZone belonging to the APT29 group.
When the connection with the attacker’s Cobalt Strike Server was examined, it was determined that Nginx Malleable C2 was used. Malleable is one of the most important features of the C2 Cobalt Strike Pest. With this method, attackers can bypass IPS and IDS systems in internal networks. It can receive Reverse Shell over port 443.
cs2nginx -> https://github.com/threatexpress/cs2modrewrite/blob/master/cs2nginx.py
Domains:
midcitylanews[.]com
crochetnews[.]com
dom-news[.]com
readnewshot[.]com
pharaosjournal[.]com
bfilmnews[.]com
theanalyticsnews[.]com
galatinonews[.]com
muslimnewsdaily[.]com
e999467bfc36d775dcad4207f56993f1
054940ba8908b9e11f57ee081d1140cb
b84c00ae9e7f9684b36d75a1a09f8210
3d18bc4bfe1ec7b6b73a3fb39d490b64
b87073c34a910f20a83c04c8efbd4f43
d4fdf63d88da2d59569bb621b18bf5e4
41dd8cee47c036e7e9e92c395c5d1feb
b7ca8c46dc1bfc1d9cb9ce04a4928153
cc08a6df151b8879a4969b2e99086b48
4365057ef0c5a9518d95d53eab5995a8
Tactics, Techniques and Procedures (TTPs)
T1566.001 – Phishing: Spearphishing Attachment
T1566.003 – Phishing: Spearphishing via Service
T1059.001 – Command and Scripting Interpreter: PowerShell
T1204.002 – User Execution: Malicious File
T1027.006 – Obfuscated Files or Information: HTML Smuggling
T1071.001 – Application Layer Protocol: Web Protocols
T1218.005 – Signed Binary Proxy Execution: Mshta
EnvyScout – https://attack.mitre.org/software/S0634/
NativeZone – https://attack.mitre.org/software/S0637/
rule apt_nobelium_powsershell_reg_loader_decoded {
meta:
id = “c8ee9c40-fa28-4b9a-98e8-88ccc4a16091“
description = “Matches the decoded version of the Powershell loader stored in the registry“
version = “1.0“
creation_date = “2021-12-07“
modification_date = “2021-12-07“
classification = “TLP:WHITE“
source=“SEKOIA“
strings:
$x = “FromBase64String((gp HKCU:\\\\SOFTWARE\\\\“
$y = “Remove-ItemProperty HKCU:\\\\SOFTWARE\\\\“
$z = “Invoke([IntPtr]::Zero)“
condition:
filesize < 3KB and
$x and #y == 2 and
$z at (filesize-22)
}
}
rule apt_nobelium_hta_reg_dropper {
meta:
id = “9f6a2154-c33a-4c38-9667-7479bf49c310“
description = “Matches HTA dropper file used by NOBELIUM and ISO files containing it“
hash = “054940ba8908b9e11f57ee081d1140cb“
hash = “b7ca8c46dc1bfc1d9cb9ce04a4928153“
version = “1.0“
creation_date = “2021-12-07”
modification_date = “2021-12-07“
classification = “TLP:WHITE“
source=“SEKOIA“
strings:
$w = “RegWrite(“ nocase
$x = { 2b 3d 20 64 6f 63 75 6d
65 6e 74 2e 67 65 74 45
6c 65 6d 65 6e 74 42 79
49 64 28 22 [0-4] 22 29
2e 69 6e 6e 65 72 48 54
4d 4c }
$y = “<body onload=“ nocase
$z = “hidden“ nocase
condition:
$y and
(3 < #z) and
(3 < #x) and
(1 < #w)
}
rule apt_nobelium_hta_in_iso {
meta:
id = “874ab41b-5c60-4303-8776-e1c10313a401“
description = “Matches ISO file embedding HTA“
hash = “d4fdf63d88da2d59569bb621b18bf5e4“
hash = “cc08a6df151b8879a4969b2e99086b48“
version = “1.0“
creation_date = “2021-12-02”
modification_date = “2021-12-02“
classification = “TLP:WHITE“
source=“SEKOIA“
strings:
$ = “ImgBurn v2“
$ = “<hta:application“
condition:
all of them and
filesize > 1MB and
filesize < 3MB
}
rule apt_nobelium_html_smuggling_iso {
meta:
id = “9bd5b626-8ea3-4607-a858-58deff18396c“
version = “1.0“
description = “Detect HTML smuggling with ISO“
hash = “b87073c34a910f20a83c04c8efbd4f43”
hash = “3d18bc4bfe1ec7b6b73a3fb39d490b64“
source = “SEKOIA“
creation_date = “2022-01-02”
modification_date = “2022-01-02“
classification = “TLP:WHITE“
strings:
$ = “new Blob“
$ = “.click();“
$ = { 28 [1-20] 2c 22 [1-20]
2e 69 73 6f 22 2c 22 61
70 70 6c 69 63 61 74 69
6f 6e 2f 78 2d 63 64 2d
69 6d 61 67 65 22 29 }
condition:
filesize > 1MB and filesize < 2MB and all of them
}
rule apt_nobelium_b64_to_Uint8Array {
meta:
id = “66c9b00b-f021-4115-b9ec-d1e1f491ce72“
description = “Detect Base64 decode to Uint8Array used in NOBELIUM HTML files“
hash = “3d18bc4bfe1ec7b6b73a3fb39d490b64“
version = “1.0“
creation_date = “2021-12-02”
modification_date = “2021-12-02“
classification = “TLP:WHITE“
source=“SEKOIA“
strings:
$a1 = “atob(“
$l0 = { 20 3c 20 [2-10] 2e 6c 65 6e 67 74 68 3b 20 69 2b 2b 29 7b }
$l1 = { 5b 69 5d 20 3d 20 [2-10] 2e 63 68 61 72 43 6f 64 65 41 74 28 69 29 3b }
$a2 = “new Uint8Array“
condition:
$l0 in (@a1..@a2) and
$l1 in (@a1..@a2) and
filesize > 1MB and filesize < 3MB
}
import “pe“
rule apt_nobelium_cs_loader_obfuscation {
meta:
id = “5f21b031-3dc1-4dad-b775-6099bfcb0472“
version = “1.0“
description = “Detect obfuscated CobaltStrike loaders used by NOBELIUM”
hash = “41dd8cee47c036e7e9e92c395c5d1feb“
hash = “4365057ef0c5a9518d95d53eab5995a8“
source = “SEKOIA“
creation_date = “2022-01-04“
modification_date = “2022-01-04“
classification = “TLP:WHITE“
strings:
$j1 = { DD 05 ?? ?? ?? ?? DD 9D }
$j2 = { C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 }
$c1 = { 81 7D ?? FF 00 00 00 0F 8E ?? ?? FF FF }
condition:
pe.characteristics & pe.DLL and
pe.number_of_exports > 20 and
filesize > 300KB and filesize < 400KB and
#j1 > 50 and #j2 > 50 and #c1 == 2
}
id: d9114938-6877-48d8-a785-bc07cb7220ff
title: PowerShell invoking in the command line a registry value to execute.
description: Detects a d9114938 execution which grabs a value in the windows registry to execute it.
references:
– b84c00ae9e7f9684b36d75a1a09f8210
– 054940ba8908b9e11f57ee081d1140cb
status: experimental
author: ‘SEKOIA.IO’
date: 2022/01/03
tags:
– attack.T1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains: ‘powershell’
CommandLine|contains: ‘HKCU’
selection2:
CommandLine|contains:
– ‘invoke-expression’
– ‘iex’
CommandLine|contains2:
– ‘gp’
– ‘Get-ItemProperty’
condition: selection and selection2
level: medium
title: MSHTA Spawning Windows Shell
id: 03cc0c25-389f-4bf8-b48d-11878079f1ca
status: test
description: Detects a Windows command line executable started from MSHTA
author: Michael Haag
references:
– https://www.trustedsec.com/july-2015/malicious-htas/
date: 2019/01/16
modified: 2021/11/27
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: ‘\mshta.exe’
selection2:
– Image|endswith:
– ‘\cmd.exe’
– ‘\powershell.exe’
– ‘\wscript.exe’
– ‘\cscript.exe’
– ‘\sh.exe’
– ‘\bash.exe’
– ‘\reg.exe’
– ‘\regsvr32.exe’
– Image|contains:
– ‘\BITSADMIN’
condition: selection and selection2
fields:
– CommandLine
– ParentCommandLine
falsepositives:
– Printer software / driver installations
– HP software
level: high
tags:
– attack.defense_evasion
– attack.t1170 # an old one
– attack.t1218.005
– car.2013-02-003
– car.2013-03-001
– car.2014-04-003
