Nobelium, the hacking group known for the SolarWinds supply chain attack, is active again, breaching government and enterprise networks around the world. It is targeting cloud and managed service providers with a new custom malware, Ceeloader.

What has happened?

Mandiant researchers have revealed the Tactics, Techniques, and Procedures (TTPs) used by the Nobelium hacking group, along with this new custom downloader.
  • Researchers have identified two distinct activity clusters, tracked as UNC3004 and UNC2652, and assess that the Nobelium group (aka UNC2452) is likely cooperating with them.
  • The researchers identified attempts to compromise multiple accounts within a single environment, each account reserved for a separate function. This way, the attackers ensured that they would not risk their entire operation if one account was exposed or spotted.

Attack methods

  • In one case, the attackers targeted a local VPN account and used it to carry out reconnaissance and obtain access to internal resources of the victim CSP's environment.
  • In another instance, the group used a password-stealing malware, CRYPTBOT, to steal valid session tokens, which were then used to authenticate to the victim's Microsoft 365 environment.

Additional insights

The group compromised privileged accounts and used scheduled task registration, remote WMI, SMB, and PowerShell to execute commands.
  • The group used these protocols mostly to perform reconnaissance, distribute Cobalt Strike beacons, and run native Windows commands for credential harvesting.
  • It used residential IP addresses (proxies), TOR, VPS, and VPN services to access the victim's environment.
  • Finally, the group used genuine Azure-hosted systems with IP addresses related to the victim's network, making detection and analysis of the malicious activity harder.
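The access and execution patterns described above (several accounts used from one source, remote scheduled task registration, WMI-launched PowerShell) leave traces in the standard Windows Security log. The following is an added example, not code from Mandiant or from the article, that correlates a handful of constructed Security events (IDs 4624 logon, 4688 process creation and 4698 scheduled task created) and flags those three patterns. The event records, hostnames, account names and IP addresses are all made up for the illustration; the field names are simplified and would need mapping to a real log pipeline.

```python
"""Added example (not from the article or the Mandiant report): correlate
constructed Windows Security events to flag the access and execution
patterns attributed to Nobelium. Event IDs follow the standard Security log;
the records themselves are constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # correlation window for logon -> action

# Constructed sample events (not real telemetry). Timestamps are ISO 8601.
EVENTS = [
    {"ts": "2021-12-01T08:00:00", "id": 4624, "host": "FS01", "user": "svc_backup",
     "logon_type": 3, "src_ip": "203.0.113.10"},
    {"ts": "2021-12-01T08:02:00", "id": 4698, "host": "FS01", "user": "svc_backup",
     "task": "\\Microsoft\\Windows\\Update\\Sync"},
    {"ts": "2021-12-01T08:03:00", "id": 4624, "host": "FS01", "user": "j.doe",
     "logon_type": 3, "src_ip": "203.0.113.10"},
    {"ts": "2021-12-01T08:05:00", "id": 4688, "host": "FS01", "user": "j.doe",
     "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    # Benign interactive logon followed by a local task registration: no alert.
    {"ts": "2021-12-01T09:00:00", "id": 4624, "host": "WS07", "user": "a.smith",
     "logon_type": 2, "src_ip": "-"},
    {"ts": "2021-12-01T09:01:00", "id": 4698, "host": "WS07", "user": "a.smith",
     "task": "\\Backup\\Nightly"},
]


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def correlate(events, window=WINDOW):
    """Return a list of (rule_name, detail) findings, in event order."""
    findings = []
    net_logons = defaultdict(list)      # (host, user) -> [logon timestamps]
    accounts_by_src = defaultdict(dict)  # src_ip -> {user: last logon ts}

    for e in sorted(events, key=lambda ev: ev["ts"]):
        t = parse_ts(e["ts"])

        if e["id"] == 4624 and e.get("logon_type") == 3:
            # Network logon: remember it for the task-registration rule.
            net_logons[(e["host"], e["user"])].append(t)
            src = e.get("src_ip")
            if src and src != "-":
                seen = accounts_by_src[src]
                seen[e["user"]] = t
                # Several distinct accounts from one source within the window
                # matches the "multiple accounts, separate functions" pattern.
                others = [u for u, lt in seen.items()
                          if u != e["user"] and t - lt <= window]
                if others:
                    users = sorted(others + [e["user"]])
                    findings.append(("multi_account_source",
                                     f"{src} used by {users}"))

        elif e["id"] == 4698:
            # Task registered shortly after a network logon by the same
            # account on the same host: remote scheduled task registration.
            logons = net_logons.get((e["host"], e["user"]), [])
            if any(timedelta(0) <= t - lt <= window for lt in logons):
                findings.append(("remote_task_registration",
                                 f"{e['user']} on {e['host']}: {e['task']}"))

        elif e["id"] == 4688:
            # WMI provider host spawning a shell is the footprint of
            # remote WMI command execution.
            parent = e.get("parent", "").lower()
            image = e.get("image", "").lower()
            if parent.endswith("wmiprvse.exe") and \
                    image.endswith(("powershell.exe", "cmd.exe")):
                findings.append(("wmi_spawned_shell",
                                 f"{e['user']} on {e['host']}: {image}"))
    return findings


if __name__ == "__main__":
    for rule, detail in correlate(EVENTS):
        print(f"[{rule}] {detail}")
```

The three rules are deliberately simple: each one keys on a relationship between events (logon then task, logon then logon from the same source, parent then child process) rather than on a single indicator, because the report stresses that the group varied its infrastructure (residential proxies, TOR, Azure-hosted systems) precisely to defeat indicator-based blocking. On a real estate the `src_ip` check would be paired with an allowlist of management hosts, and the window tuned to the environment's normal admin cadence.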

Use of new custom malware

  • The group used Ceeloader, a malware written in C that supports the execution of shellcode payloads in memory.
  • Ceeloader retrieved second-stage payloads hosted on compromised WordPress sites and launched them in memory.

Ending notes

Mandiant’s report warns that Nobelium’s recent activity is aimed at collecting intelligence; the group is stealing documents relevant to Russian political interests. Organizations and governments should therefore be wary of the group’s activities and implement effective countermeasures.

Cyware Publisher