www.fortinet.com
Open in
urlscan Pro
3.91.211.14
Public Scan
Submitted URL: https://apps.global.fortinet.com/e/bfs?s=3049749&lguid=fce48e02a40b4260a79e3a1a33f5efc2&elqTrackId=e7aa0c29b1b9459baa5ec4408e412e...
Effective URL: https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage
Submission: On February 25 via api from CA — Scanned from CA
Effective URL: https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage
Submission: On February 25 via api from CA — Scanned from CA
Form analysis
1 forms found in the DOMGET /blog/search
<form class="b3-searchbox__form" action="/blog/search" method="get">
<input class="b3-searchbox__input" type="text" name="q" placeholder="Search Blogs">
<button class="b3-searchbox__icon" aria-label="Search" type="submit">
<svg viewBox="0 0 16 16" xmlns="http://www.w3.org/2000/svg">
<path
d="M15.688 14.18l-4.075-4.075C12.36 9.06 12.8 7.78 12.8 6.4 12.8 2.87 9.93 0 6.4 0 2.87 0 0 2.87 0 6.4c0 3.53 2.87 6.4 6.4 6.4 1.38 0 2.66-.44 3.705-1.187l4.075 4.075c.207.208.48.312.753.312.274 0 .547-.104.755-.312.416-.417.416-1.093 0-1.51zM2.133 6.4c0-2.357 1.91-4.267 4.267-4.267s4.267 1.91 4.267 4.267-1.91 4.267-4.267 4.267S2.133 8.757 2.133 6.4z"
fill="#fff">
</path>
</svg>
</button>
</form>
Text Content
Blog * Categories * Business & Technology * Threat Research * Industry Trends * Partners * Customer Stories * PSIRT Blogs * Business & Technology * Threat Research * Industry Trends * Partners * Customer Stories * PSIRT Blogs * CISO Collective * Subscribe Threat Research NOBELIUM RETURNS TO THE POLITICAL WORLD STAGE By Fred Gutierrez | February 24, 2022 FORTIGUARD LABS RESEARCH Affected Platforms: Windows Impacted Users: Windows users associated with the targeted embassies Impact: Compromised machines are under the control of the threat actor Severity Level: Medium Nobelium, also known as APT29 and Cozy Bear, is a highly sophisticated group of Russian-sponsored cybercriminals. Approximately two years ago, countless system administrators and IT teams were forced to work around the clock to address Nobelium’s attack on SolarWinds. And last year, they similarly targeted numerous IT supply chains in the hopes of being able to embed themselves once again deep inside IT networks. But fast forward to today, and the Nobelium group seems to have shifted their focus. This time, rather than targeting software solutions, they have begun targeting embassies. While these attacks may not impact the average Windows computer user, they do have potentially larger political ramifications. FortiGuard Labs has uncovered evidence that the Nobelium group is impersonating someone associated with the Turkish embassy in targeted email-based attacks. We will be analyzing one such attack that uses Omicron/Covid-19 as a lure. Those working in or around embassies are urged to be extra diligent when opening emails. In this blog, we will highlight techniques and code reuse by Nobelium. We will also highlight the usage of JARM, which is a widely used technology created by Salesforce to fingerprint and track malicious servers. Figure 1: Embassy email The source email address seems to be a legitimate, albeit compromised email account of a government department focused on social affairs. In tracing this, however, this email comes from a French-speaking country in Africa. It is disguised as coming from a Turkish embassy and sent to a Portuguese-speaking nation, although it is written in English. The email itself comes with a .HTML file attachment. This file contains malicious JavaScript designed to create an .ISO file on the user’s computer. Figure 2 shows some similarities between a previous Nobelium attack and this current version. Figure 2: Malicious Javascript The original HTML Smuggling attack conducted by Nobelium used EnvyScout to convert a text blob into an .ISO file. EnvyScout is one of the toolsets used as a dropper in spearphishing attacks by this APT group. As seen in Figure 2, both samples used an application type of “x-cd-image.” This part of the attack has changed very little. However, Figure 3 below shows the function used to create the .ISO file has been streamlined from previous iterations. Figure 3: ISO creation Once the .ISO file has been created on the user’s machine, the attack requires a user to open the file. By default, opening an .ISO file on modern versions of Windows causes it to mount the file on the next available drive letter. Once mounted, the files can be seen. Figure 4 below shows this part of the attack chain. Figure 4: Mounted ISO files One of the previous variants of the Nobelium attack was dated almost exactly one year prior to the current attack. Both versions contain malicious shortcuts that point to a DLL file. In the current version, the DLL file inside the bin folder is named “DeleteDateConnectionPosition.dll.” In the past, one of the payloads used was a Cobalt Strike beacon, and this is the case in this current version. Given the current political situation, it is clearly in Russia’s best interest to know what other governments are thinking, planning, and doing, and successful installation of a Cobalt Strike beacon provides a foothold into the embassies they are interested in monitoring. To achieve this objective, the shortcut launches the DLL using an export named “DeleteDateConnectionPosition.” Figure 5: DLL Exports Many of the exports inside the DLL contain junk code. As such, debugging the malware is faster than statically analyzing it. Once completed we discovered a C2 server, as shown below. Figure 6: Debugging the malicious DLL According to our sources, this server is not a shared server and the IP address only contains the sinitude[.]com domain. JARM FINGERPRINTING For those unfamiliar with JARM, it is a technology developed by Salesforce to fingerprint servers for the purposes of clustering. Specifically, JARM revolves around a server’s TLS implementation. As further explained by Salesforce, it is not a secure crypto function, and as a result, it may produce false positives. Nevertheless, it has been a fairly accurate way to group malicious servers into relevant clusters. The JARM signature for sinitude[.]com has been found on numerous servers. Many of these servers have also acted as Cobalt Strike beacon C2 servers. During the course of our investigation, we found that this JARM signature was also found on C2 servers associated with the malware family BazarLoader. BazarLoader, among other things, contains code and application guardrails that makes sure it is not running on a Russian computer. By looking at network traffic since the beginning of this year, we found that several IP addresses are connected to sinitude[.]com. However, our data indicates that only one IP address (back in January) actually created a full connection to communicate with the C2. This IP address is located in Kharkiv, the second largest city in Ukraine. This Kharkiv IP address itself has communicated with unique malware families and is part of the TOR network. CONCLUSION In this latest attack, Nobelium has used techniques similar to those they have used in the past. Malicious emails remain the predominant way to infiltrate organizations, and Nobelium takes advantage of that attack vector. The biggest difference now is the political landscape. While previous attacks carried out by Nobelium may have been more technical in nature, this latest round has far more consequences on the political world stage. FORTINET PROTECTIONS The FortiGuard Antivirus Service detects and blocks both the .ISO and DLL files as W64/CobaltStrike_Beacon.A!tr. The FortiGuard Antivirus Service detects and blocks the malicious html email attachment as JS/Agent.ONO!tr. All relevant network IOCs are blocked by the WebFiltering client. MITRE TTPS Initial Access Phishing: Spearphishing Attachment T1566.001 Execution Command and Scripting Interpreter: JavaScript T1059.007 User Execution: Malicious File T1204.002 Defense Evasion Build Image on Host T1612 Deobfuscate/Decode Files or Information T1140 Obfuscated Files or Information: HTML Smuggling T1027.006 Command and Control Application Layer Protocol: Web Protocols T1071.001 Impact Resource Hijacking T1496 IOCS File IOCs Covid.html (SHA2: A896C2D16CADCDEDD10390C3AF3399361914DB57BDE1673E46180244E806A1D0) Covid.iso (SHA2: 3CB0D2CFF9DB85C8E816515DDC380EA73850846317B0BB73EA6145C026276948) DeleteDateConnectionPosition.dll (SHA2: 6EE1E629494D7B5138386D98BD718B010EE774FE4A4C9D0E069525408BB7B1F7) Network IOCs Sinitude[.]com JARM Signature: 2ad2ad0002ad2ad0002ad2ad2ad2ade1a3c0d7ca6ad8388057924be83dfc6a Learn more about FortiGuard Labs global threat intelligence and research and the FortiGuard Security Subscriptions and Services portfolio. Tags: cybercrime, Cybersecurity Architect RELATED POSTS Industry Trends FORTIGUARD LABS REPORTS RANSOMWARE RELENTLESS AND MORE DESTRUCTIVE Threat Research GUARD YOUR DRIVE FROM DRIVEGUARD: MOSES STAFF CAMPAIGNS AGAINST ISRAELI ORGANIZATIONS SPAN SEVERAL MONTHS Threat Research NFT LURE USED TO DISTRIBUTE BITRAT * * * * * * NEWS & ARTICLES * News Releases * News Articles * Trademarks SECURITY RESEARCH * Threat Research * FortiGuard Labs * Threat Map * Threat Briefs * Ransomware CONNECT WITH US * Blog * Fuse Community COMPANY * About Us * Why Fortinet * Security Fabric * Exec Mgmt * Careers * Certifications * Events * Industry Awards CONTACT US * (866) 868-3678 Copyright © 2022 Fortinet, Inc. All Rights Reserved Terms of Services Privacy Policy | Cookie Settings PRIVACY PREFERENCE CENTER * YOUR PRIVACY * STRICTLY NECESSARY COOKIES * PERFORMANCE COOKIES * FUNCTIONAL COOKIES * TARGETING COOKIES YOUR PRIVACY When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer. privacy policy STRICTLY NECESSARY COOKIES Always Active These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. Cookies Details PERFORMANCE COOKIES Performance Cookies These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. Cookies Details FUNCTIONAL COOKIES Functional Cookies These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly. Cookies Details TARGETING COOKIES Targeting Cookies These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising. Cookies Details BACK BUTTON BACK Vendor Search Filter Button Consent Leg.Interest checkbox label label checkbox label label checkbox label label * 33ACROSS 33ACROSS View Third Party Cookies * Name cookie name Clear checkbox label label Apply Cancel Confirm My Choices Allow All By clicking “Accept All”, you agree to use of cookies on your device to enhance site functionality, analyze site usage, and assist in our marketing efforts. The Cookies Settings link has cookie-specific detail and preference options. privacy policy Cookies Settings Accept All "