Source: https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage
Threat Research


NOBELIUM RETURNS TO THE POLITICAL WORLD STAGE

By Fred Gutierrez | February 24, 2022


FORTIGUARD LABS RESEARCH

Affected Platforms: Windows
Impacted Users: Windows users associated with the targeted embassies
Impact: Compromised machines are under the control of the threat actor
Severity Level: Medium


Nobelium, also tracked as APT29 and Cozy Bear, is a highly sophisticated
Russian state-sponsored threat group. Approximately two years ago, countless
system administrators and IT teams were forced to work around the clock to
address Nobelium's compromise of SolarWinds. And last year, the group similarly
targeted numerous IT service providers and their supply chains, hoping to embed
itself once again deep inside customer networks. Fast forward to today, and
Nobelium appears to have shifted focus. This time, rather than targeting
software vendors, it has begun targeting embassies. While these attacks may not
affect the average Windows user, they do have potentially larger political
ramifications.

FortiGuard Labs has uncovered evidence that Nobelium is impersonating someone
associated with the Turkish embassy in targeted email-based attacks. We analyze
one such attack, which uses Omicron/COVID-19 as a lure. Those working in or
around embassies are urged to be especially careful when opening email
attachments.

In this blog, we highlight techniques and code reuse by Nobelium. We also show
how JARM, an open-source TLS server fingerprinting tool released by Salesforce,
is used to fingerprint and track malicious servers.

Figure 1: Embassy email

The sender address appears to be a legitimate, albeit compromised, email
account belonging to a government department focused on social affairs. Tracing
it, however, shows that it belongs to a French-speaking country in Africa. The
message is disguised as coming from a Turkish embassy and is addressed to a
Portuguese-speaking nation, although it is written in English.

The email carries an .HTML attachment. This file contains malicious JavaScript
that assembles an .ISO file inside the browser and writes it to the user's
computer, a technique known as HTML smuggling. Figure 2 shows some similarities
between a previous Nobelium attack and this current version.

Figure 2: Malicious Javascript

The original HTML smuggling attack conducted by Nobelium used EnvyScout to
convert a text blob into an .ISO file. EnvyScout is one of the droppers this APT
group has used in spearphishing attacks. As seen in Figure 2, both samples hand
the blob to the browser with the MIME type application/x-cd-image. This part of
the attack has changed very little. However, Figure 3 below shows that the
function used to create the .ISO file has been streamlined compared with
previous iterations.

Figure 3: ISO creation
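
As an added example (this is not code from the post or from the sample it describes), the following Python script does statically what the victim's browser would do dynamically: it looks for the smuggling constructs named above (a Blob built from page text, the application/x-cd-image type, a forced download), pulls every long base64 string out of the HTML, decodes it without executing any JavaScript, and checks for the ISO 9660 signature "CD001" at offset 0x8001. Single-byte XOR of the blob, which has been reported for EnvyScout, is handled as an assumption about the encoding rather than a claim about this sample. The HTML page and the payload bytes are constructed stand-ins, and the 1024-character threshold for a base64 run is a tuning choice.

```python
import base64
import hashlib
import re

# ISO 9660 primary volume descriptor sits in sector 16 (offset 0x8000);
# byte 0 is the descriptor type (1) and bytes 1..5 are the identifier "CD001".
ISO_MAGIC_OFFSET = 0x8001
ISO_MAGIC = b"CD001"

# Tell-tale constructs of an HTML smuggling page: the payload is embedded as
# text, turned into a Blob (here with the x-cd-image type the post mentions)
# and pushed to disk with a forced download instead of a server fetch.
INDICATOR_PATTERNS = {
    "blob_constructor": r"new\s+Blob\s*\(",
    "x_cd_image": r"application/x-cd-image",
    "forced_download": r"\.download\s*=|msSaveOrOpenBlob",
    "object_url": r"URL\.createObjectURL",
    "base64_decode": r"\batob\s*\(",
}

# A quoted run of base64 text long enough to be a file body (threshold is a tuning choice).
BASE64_RUN_RE = re.compile(r"[\"']([A-Za-z0-9+/]{1024,}={0,2})[\"']")


def find_indicators(html: str) -> dict:
    """Map each indicator name to whether it occurs in the page."""
    return {name: re.search(pat, html) is not None for name, pat in INDICATOR_PATTERNS.items()}


def looks_like_iso(data: bytes) -> bool:
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC


def recover_single_byte_xor(data: bytes):
    """Return (key, plaintext) if XOR with one byte turns `data` into an ISO, else None.
    Assumption: the blob is obfuscated with a single-byte XOR, as reported for EnvyScout."""
    window = data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)]
    if len(window) < len(ISO_MAGIC):
        return None
    for key in range(1, 256):
        if bytes(b ^ key for b in window) == ISO_MAGIC:
            return key, bytes(b ^ key for b in data)
    return None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def extract_payloads(html: str) -> list:
    """Decode every embedded base64 run and describe what it contains."""
    found = []
    for m in BASE64_RUN_RE.finditer(html):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        record = {"size": len(raw), "xor_key": None, "is_iso": looks_like_iso(raw)}
        data = raw
        if not record["is_iso"]:
            hit = recover_single_byte_xor(raw)
            if hit is not None:
                record["xor_key"], data = hit
                record["is_iso"] = True
        record["sha256"] = sha256_hex(data)  # hash of the file the victim would receive
        found.append(record)
    return found


def analyse(html: str) -> dict:
    return {"indicators": find_indicators(html), "payloads": extract_payloads(html)}


# --- constructed test data (not the real sample) ---------------------------
def _fake_iso() -> bytes:
    # Zeros up to sector 16, then a primary volume descriptor header. Not a usable image.
    return b"\x00" * 0x8000 + b"\x01" + ISO_MAGIC + b"\x01\x00" + b"\x00" * 0x800


def _smuggling_page(blob: bytes, name: str) -> str:
    # Page following the pattern described in the post: decode, wrap in a Blob, force a download.
    b64 = base64.b64encode(blob).decode()
    return (
        '<html><body><script>\n'
        f'var d = "{b64}";\n'
        'var bin = atob(d); var arr = new Uint8Array(bin.length);\n'
        'for (var i = 0; i < bin.length; i++) arr[i] = bin.charCodeAt(i);\n'
        'var blob = new Blob([arr], {type: "application/x-cd-image"});\n'
        'var a = document.createElement("a"); a.href = URL.createObjectURL(blob);\n'
        f'a.download = "{name}"; a.click();\n'
        '</script></body></html>'
    )


SAMPLE_PAYLOAD = _fake_iso()
SAMPLE_HTML = _smuggling_page(SAMPLE_PAYLOAD, "Covid.iso")
SAMPLE_HTML_XOR = _smuggling_page(bytes(b ^ 0x5A for b in SAMPLE_PAYLOAD), "Covid.iso")

if __name__ == "__main__":
    for page in (SAMPLE_HTML, SAMPLE_HTML_XOR):
        print(analyse(page))
```

The SHA-256 it reports is of the decoded (and, where needed, de-XORed) bytes, which is the hash you would compare against the Covid.iso IOC listed at the end of this post; hashing the HTML attachment alone tells you nothing about the dropped image.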

Once the .ISO file has been written to disk, the attack still needs the user to
open it. By default, opening an .ISO file on modern versions of Windows (8 and
later) mounts it on the next available drive letter, and its contents then
appear in Explorer like any other drive. Files inside a mounted image do not
inherit the Mark of the Web that Windows applies to downloaded files, so the
SmartScreen warning a user would normally see for a downloaded executable is
never shown. Figure 4 below shows this stage of the attack chain.

Figure 4: Mounted ISO files

One of the previous Nobelium variants was dated almost exactly one year before
the current attack. Both versions contain malicious shortcuts (.LNK files) that
point to a DLL. In the current version, the DLL inside the bin folder is named
"DeleteDateConnectionPosition.dll."

In the past, one of the payloads was a Cobalt Strike beacon, and that is again
the case in this version. Given the current political situation, it is clearly
in Russia's interest to know what other governments are thinking, planning, and
doing, and a successfully installed Cobalt Strike beacon provides a foothold
inside the embassies it wants to monitor. To that end, the shortcut launches the
DLL through an export named "DeleteDateConnectionPosition."

Figure 5: DLL Exports
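
The mount-then-shortcut stage leaves a usable trace: the DLL is executed from a drive letter that did not exist a moment earlier. As an added example, not from the post, the Python below runs a hunt over constructed process-creation records (Sysmon-style key=value lines, a layout assumed here) and flags rundll32.exe loading a DLL from a non-system drive, a parent of explorer.exe (a user double-clicking a shortcut), and an export whose name equals the DLL's own name, the pattern this campaign shows. That the shortcut invokes the DLL via rundll32.exe with the usual `path,Export` syntax is my assumption; the post only says the shortcut launches the DLL through that export. All log lines are constructed.

```python
import re

SYSTEM_DRIVE = "C"  # assumption: the OS drive; anything else is likely a mounted image or removable media

# key=value pairs, quoted when the value contains spaces (constructed Sysmon-like layout)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# any DLL path with a drive letter inside the command line
DLL_PATH_RE = re.compile(r'(?i)(?P<drive>[a-z]):\\[^\s,"]+\.dll')
# rundll32 "path,Export" form: capture the DLL base name and the export it calls
RUNDLL_RE = re.compile(r'(?i)[a-z]:\\[^\s,"]*?\\(?P<base>[^\\\s,"]+)\.dll\s*,\s*(?P<export>[#\w]+)')


def parse_line(line: str) -> dict:
    """Turn one log line into a dict; the leading timestamp is kept under 'ts'."""
    ts, _, rest = line.partition(" ")
    event = {"ts": ts}
    for key, quoted, bare in KV_RE.findall(rest):
        event[key] = quoted if quoted else bare
    return event


def classify(event: dict) -> list:
    """Return the reasons an event is suspicious (empty list means benign)."""
    reasons = []
    image = event.get("Image", "").lower()
    if not image.endswith("\\rundll32.exe"):
        return reasons
    cmd = event.get("CommandLine", "")
    path = DLL_PATH_RE.search(cmd)
    if path is None:
        return reasons
    drive = path.group("drive").upper()
    if drive != SYSTEM_DRIVE:
        reasons.append(f"DLL loaded from non-system drive {drive}: (mounted ISO or removable media)")
        if event.get("ParentImage", "").lower().endswith("\\explorer.exe"):
            reasons.append("parent is explorer.exe, consistent with a user opening a shortcut")
    call = RUNDLL_RE.search(cmd)
    if call is not None and call.group("base").lower() == call.group("export").lower():
        reasons.append("export name equals DLL name, as in the DeleteDateConnectionPosition sample")
    return reasons


def hunt(lines: list) -> list:
    """Return [(event, reasons)] for every line that trips at least one rule."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        reasons = classify(event)
        if reasons:
            hits.append((event, reasons))
    return hits


# Constructed records: benign rundll32 uses, the campaign pattern, and a removable-drive case.
SAMPLE_LOG = [
    r'2022-02-24T10:01:02Z EventID=1 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe readme.txt"',
    r'2022-02-24T10:02:10Z EventID=1 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\rundll32.exe CommandLine="rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"',
    r'2022-02-24T10:03:45Z EventID=1 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\rundll32.exe CommandLine="rundll32.exe D:\bin\DeleteDateConnectionPosition.dll,DeleteDateConnectionPosition"',
    r'2022-02-24T10:04:00Z EventID=1 ParentImage=C:\Windows\System32\svchost.exe Image=C:\Windows\System32\rundll32.exe CommandLine="rundll32.exe C:\Windows\System32\davclnt.dll,DavSetCookie"',
    r'2022-02-24T10:05:30Z EventID=1 ParentImage=C:\Windows\System32\cmd.exe Image=C:\Windows\System32\rundll32.exe CommandLine="rundll32.exe E:\tools\helper.dll,Run"',
]

if __name__ == "__main__":
    for event, reasons in hunt(SAMPLE_LOG):
        print(event["ts"], event["CommandLine"])
        for r in reasons:
            print("   -", r)
```

The drive-letter rule is the one worth keeping in production: legitimate rundll32 invocations overwhelmingly reference DLLs under the system drive, so a DLL on D: or higher launched from explorer.exe deserves a look on its own, whatever the export is called.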

Many of the exports inside the DLL contain junk code, so debugging the malware
was faster than analyzing it statically. Once past the junk, we recovered a C2
server, as shown below.

Figure 6: Debugging the malicious DLL

According to our sources, this server is not shared hosting: the IP address
serves only the sinitude[.]com domain.


JARM FINGERPRINTING

For those unfamiliar with JARM, it is an open-source tool developed by
Salesforce to fingerprint TLS servers so that they can be clustered. JARM sends
ten specially crafted TLS Client Hellos and hashes how the server answers each
one (chosen cipher, protocol version, and extensions). Because it fingerprints
the TLS stack and its configuration rather than a specific host, and, as
Salesforce notes, is not a secure cryptographic function, any two servers built
on the same software with the same settings produce the same fingerprint, so it
can produce false positives. Nevertheless, it has been a fairly accurate way to
group malicious servers into relevant clusters.

The JARM signature for sinitude[.]com has been found on numerous servers. Many
of these servers have also acted as Cobalt Strike beacon C2 servers. During the
course of our investigation, we found the same JARM signature on C2 servers
associated with the malware family BazarLoader. BazarLoader, among other
things, contains guardrails that make sure it does not run on a Russian
computer.
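
As an added example (not from the post and not Salesforce's own tooling), the Python below takes JARM fingerprints apart and compares them offline, which is what you do once a scanner has produced them. A JARM is 62 hex characters: ten 3-character segments, one per crafted Client Hello in the order the jarm.py reference implementation sends them (two characters for the cipher the server picked, one for the protocol version: a=SSL 3.0, b=TLS 1.0, c=TLS 1.1, d=TLS 1.2, e=TLS 1.3, 0=no answer), followed by 32 characters that are a truncated SHA-256 of the server's extensions. The watchlist holds the sinitude[.]com fingerprint from this post and a value widely published as the default Cobalt Strike team server JARM, which you should re-verify against your own scan before acting on it. The probe names follow the jarm.py source; the function names are my own.

```python
import re

JARM_LEN = 62
NULL_JARM = "0" * JARM_LEN  # produced when the server never completes a TLS handshake

# The ten Client Hellos jarm.py sends, in the order their results appear in the fingerprint.
PROBES = [
    "tls1_2_forward", "tls1_2_reverse", "tls1_2_top_half", "tls1_2_bottom_half",
    "tls1_2_middle_out", "tls1_1_middle_out", "tls1_3_forward", "tls1_3_reverse",
    "tls1_3_invalid", "tls1_3_middle_out",
]

# Third character of each segment encodes the negotiated protocol version.
VERSION_CHAR = {"0": "no response", "a": "SSL 3.0", "b": "TLS 1.0",
                "c": "TLS 1.1", "d": "TLS 1.2", "e": "TLS 1.3"}

SINITUDE_JARM = "2ad2ad0002ad2ad0002ad2ad2ad2ade1a3c0d7ca6ad8388057924be83dfc6a"  # from the post
# Widely published as the default Cobalt Strike (Java) team server fingerprint; re-verify before use.
COBALT_STRIKE_DEFAULT_JARM = "07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1"

WATCHLIST = {
    SINITUDE_JARM: "sinitude[.]com C2 (FortiGuard Labs post)",
    COBALT_STRIKE_DEFAULT_JARM: "Cobalt Strike default team server",
}

JARM_RE = re.compile(r"^[0-9a-f]{62}$")


def is_valid_jarm(fp: str) -> bool:
    return JARM_RE.match(fp) is not None


def is_null_jarm(fp: str) -> bool:
    return fp == NULL_JARM


def parse_jarm(fp: str) -> dict:
    """Split a fingerprint into its ten probe results and the extensions hash."""
    if not is_valid_jarm(fp):
        raise ValueError(f"not a JARM fingerprint: {fp!r}")
    probes = []
    for i, name in enumerate(PROBES):
        seg = fp[3 * i:3 * i + 3]
        probes.append({"probe": name, "cipher": seg[:2], "version": seg[2],
                       "tls": VERSION_CHAR.get(seg[2], "unknown")})
    return {"probes": probes, "extensions_hash": fp[30:]}


def segment_overlap(a: str, b: str) -> int:
    """How many of the ten cipher/version segments two fingerprints share (0..10).
    Useful for near-miss clustering: same stack, different extension set."""
    pa, pb = parse_jarm(a)["probes"], parse_jarm(b)["probes"]
    return sum(1 for x, y in zip(pa, pb) if (x["cipher"], x["version"]) == (y["cipher"], y["version"]))


def match_watchlist(fp: str, watchlist: dict) -> list:
    """Exact matches only; never report the all-zero fingerprint, it just means 'no TLS'."""
    fp = fp.strip().lower()
    if not is_valid_jarm(fp) or is_null_jarm(fp):
        return []
    return [label for known, label in watchlist.items() if known == fp]


def unanswered_probes(fp: str) -> list:
    """Names of the Client Hellos the server rejected (segment '000')."""
    return [p["probe"] for p in parse_jarm(fp)["probes"] if p["cipher"] == "00" and p["version"] == "0"]


if __name__ == "__main__":
    info = parse_jarm(SINITUDE_JARM)
    for p in info["probes"]:
        print(f'{p["probe"]:<20} cipher={p["cipher"]} {p["tls"]}')
    print("extensions hash:", info["extensions_hash"])
    print("rejected probes:", unanswered_probes(SINITUDE_JARM))
    print("watchlist hits :", match_watchlist(SINITUDE_JARM, WATCHLIST))
    print("segments shared with Cobalt Strike default:", segment_overlap(SINITUDE_JARM, COBALT_STRIKE_DEFAULT_JARM))
```

Read the sinitude[.]com value this way and two things stand out: the server rejected the tls1_2_top_half and tls1_1_middle_out probes outright, and answered every other probe, including the TLS 1.3 ones, with the same cipher at TLS 1.2. That profile describes a TLS stack and its configuration, not a host, which is exactly why a JARM hit needs corroboration (hosting data, beacon traffic, certificate details) before it is treated as a C2.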

Looking at network traffic since the beginning of this year, we found several IP
addresses connecting to sinitude[.]com. However, our data indicates that only
one IP address (back in January) completed a full connection and communicated
with the C2. This IP address is located in Kharkiv, the second largest city in
Ukraine. The same Kharkiv address has communicated with other, unrelated malware
families and is part of the Tor network.


CONCLUSION

In this latest attack, Nobelium has used techniques similar to those it has used
in the past. Malicious email remains the predominant way to infiltrate
organizations, and Nobelium continues to take advantage of that vector. The
biggest difference now is the political landscape: while previous Nobelium
attacks may have been more technical in nature, this latest round has far
greater consequences on the political world stage.


FORTINET PROTECTIONS

The FortiGuard Antivirus Service detects and blocks both the .ISO and DLL files
as W64/CobaltStrike_Beacon.A!tr.

The FortiGuard Antivirus Service detects and blocks the malicious html email
attachment as JS/Agent.ONO!tr.

All relevant network IOCs are blocked by the WebFiltering client.


MITRE TTPS

Initial Access
 * Phishing: Spearphishing Attachment (T1566.001)

Execution
 * Command and Scripting Interpreter: JavaScript (T1059.007)
 * User Execution: Malicious File (T1204.002)

Defense Evasion
 * Build Image on Host (T1612)
 * Deobfuscate/Decode Files or Information (T1140)
 * Obfuscated Files or Information: HTML Smuggling (T1027.006)

Command and Control
 * Application Layer Protocol: Web Protocols (T1071.001)

Impact
 * Resource Hijacking (T1496)


IOCS


File IOCs

Covid.html (SHA-256:
A896C2D16CADCDEDD10390C3AF3399361914DB57BDE1673E46180244E806A1D0)

Covid.iso (SHA-256:
3CB0D2CFF9DB85C8E816515DDC380EA73850846317B0BB73EA6145C026276948)

DeleteDateConnectionPosition.dll (SHA-256:
6EE1E629494D7B5138386D98BD718B010EE774FE4A4C9D0E069525408BB7B1F7)


Network IOCs

sinitude[.]com

JARM signature: 2ad2ad0002ad2ad0002ad2ad2ad2ade1a3c0d7ca6ad8388057924be83dfc6a


Tags:

cybercrime, Cybersecurity Architect
