Nobelium Group is Charging Up Again with New Malware

What has happened?

• Based on the activity clusters, researchers have detected two diverse activity clusters, named UNC3004 and UNC2652. Possibly the Nobelium group (aka UNC2452) is cooperating with these two hacking groups.
• The researchers identified attempts to hijack multiple accounts within an environment, with separate functions. This way, the attackers ensured that they do not risk their entire operation in case they are exposed or spotted.

Attack methods

• In one case, the attackers targeted a local VPN account and used that account to carry out reconnaissance and obtained access to internal resources of the victim CSP's environment.
• In another instance, the group had used a password-stealing malware, CRYPTBOT, to steal valid session tokens, which are used to authenticate to the victim's Microsoft 365 environment.

Additional insights 

• Additionally, the group used the protocols mostly to perform reconnaissance, distribute Cobalt Strike beacons, and run native Windows commands for credential harvesting.
• It had used residential IP addresses (proxies), TOR, VPS, and VPN to access the victim's environment. 
• At last, the group had used genuine Azure-hosted systems using IP addresses related to the victim's network to make the detection and analysis of malicious activities harder.

Use of new custom malware 

• The group used Ceeloader malware written in C, which supports the execution of shellcode payloads inside the memory.  
• Additionally, some compromised WordPress sites hosting second-stage payloads were launched into memory by using Ceeloader.

Ending notes