The Advanced Persistent Threat (APT) actor believed to be responsible for the SolarWinds supply chain attack is continuing to conduct attacks on U.S. companies to steal data of interest to the Russian government. Researchers at Mandiant have identified a new malware downloader being used by the APT actor known as Nobelium, Cozy Bear, APT29, and UNC2452.
According to Mandiant, the new downloader, dubbed CEELOADER, is delivered using Cobalt Strike Beacon; CEELOADER then downloads and decrypts a shellcode payload, which is executed in memory. The malware is known to have been used by the group since at least the third quarter of this year.
CEELOADER appears to be a variant of the VaporRage downloader. Both share similarities, although CEELOADER uses AES-256 to encrypt payloads rather than the XOR algorithm used by VaporRage. Further, CEELOADER has been adapted to make analysis more difficult, including the incorporation of junk code; however, both malware variants serve the same purpose and act as downloaders for second-stage encrypted payloads.
Mandiant says it has identified clusters of malicious activity, tracked as the groups UNC3004 and UNC2652, both of which are associated with Nobelium. The threat actor is known to have compromised technology solutions, services, and reseller companies since 2020 and has targeted multiple government and business entities globally, with the attacks believed to have been conducted on behalf of the Russian government.
The group has used compromised credentials in its attacks, most likely purchased from an initial access broker that runs info-stealing malware campaigns, and has compromised cloud service providers to attack their downstream customers. Nobelium has also abused MFA by leveraging push notifications on smartphones. Valid username and password combinations have been obtained, but on their own they cannot be used to access accounts with MFA enabled. Nobelium has therefore sent several authentication requests to users’ smartphones in quick succession to wear the user down into accepting one, which gives the hackers access to the account.
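Detection logic for the push-fatigue pattern described above, as an added example that is not from the article or Mandiant's report: it flags any user who receives a burst of MFA pushes within a short window and records whether a push was approved during or right after the burst. The log format, user names and timestamps are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (assumed format: timestamp,user,event).
SAMPLE_LOG = """\
2021-11-01T08:00:01Z,alice,push_sent
2021-11-01T08:00:09Z,alice,push_denied
2021-11-01T08:00:15Z,alice,push_sent
2021-11-01T08:00:31Z,alice,push_sent
2021-11-01T08:00:40Z,alice,push_sent
2021-11-01T08:00:55Z,alice,push_approved
2021-11-01T09:12:00Z,bob,push_sent
2021-11-01T09:12:20Z,bob,push_approved
2021-11-01T13:00:00Z,alice,push_sent
2021-11-01T13:00:10Z,alice,push_approved
"""


def parse_log(text):
    """Parse 'timestamp,user,event' lines into (datetime, user, event) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event = line.strip().split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events


def detect_push_fatigue(events, window_seconds=120, threshold=3):
    """Flag users who received >= threshold pushes inside window_seconds.
    Each finding also records whether a push was approved during the burst
    or within one more window after it, which is the outcome the attacker wants."""
    window = timedelta(seconds=window_seconds)
    by_user = defaultdict(list)
    for ts, user, event in sorted(events):
        by_user[user].append((ts, event))
    findings = []
    for user, evs in by_user.items():
        sends = [ts for ts, ev in evs if ev == "push_sent"]
        i = 0
        while i < len(sends):
            burst = [t for t in sends[i:] if t - sends[i] <= window]
            if len(burst) >= threshold:
                start, end = burst[0], burst[-1]
                approved = any(ev == "push_approved" and start <= t <= end + window
                               for t, ev in evs)
                findings.append({"user": user, "start": start,
                                 "pushes": len(burst), "approved": approved})
                i += len(burst)  # skip past this burst, then keep scanning
            else:
                i += 1
    return findings
```

A real deployment would read the identity provider's sign-in or MFA audit log instead of the inline sample; the window and threshold are tuning knobs, not fixed values.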
Since Q1 2021, Nobelium has used accounts with Application Impersonation privileges to harvest sensitive email data, has used residential IP proxy services and newly provisioned geo-located infrastructure to communicate with victims’ systems, and has developed a range of techniques to bypass security controls on victims’ systems.
Nobelium steals data of interest to the Russian government and uses its access to enable further compromises of victims’ environments. The group is skilled and well resourced, and a major threat to governments and organizations worldwide.
“These suspected Russian actors practice top-notch operational security and advanced tradecraft. However, they are fallible, and we continue to uncover their activity and learn from their mistakes. Ultimately, they remain an adaptable and evolving threat that must be closely studied by defenders seeking to stay one step ahead,” said Mandiant.