Discover and read the best of Twitter Threads about #nobelium
Most recents (4)
#Russia|n hackers behind the massive #SolarWinds hack are at it again - targeting +140 tech service providers since May, per @Microsoft's @TomBurt45
"To date we believe as many as 14 of these resellers & service providers have been compromised"
blogs.microsoft.com/on-the-issues/…
"To date we believe as many as 14 of these resellers & service providers have been compromised"
blogs.microsoft.com/on-the-issues/…
The #Russia|n hackers are "attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain" per @Microsoft's @TomBurt45
The #Russia|n group, aka #Nobelium, "ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems & more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers" per @Microsoft
Today we are releasing a new blog and technical information regarding TTPs & new malware families observed during previously disclosed #NOBELIUM phishing campaigns we have observed/tracked since as early as Jan 2021.
microsoft.com/security/blog/…
Thread on the new families & TTPs ⬇️
microsoft.com/security/blog/…
Thread on the new families & TTPs ⬇️
Notable new malware families:
#EnvyScout: HTML/JS dropper, drops a next-stage ISO file
#BoomBox: Downloader, downloads #VaporRage and #NativeZone from Dropbox
#VaporRage: Shellcode downloader
#NativeZone: Loader observed to load VaprorRage and Cobalt Strike stage shellcode
#EnvyScout: HTML/JS dropper, drops a next-stage ISO file
#BoomBox: Downloader, downloads #VaporRage and #NativeZone from Dropbox
#VaporRage: Shellcode downloader
#NativeZone: Loader observed to load VaprorRage and Cobalt Strike stage shellcode
#EnvyScout de-obfuscates an embedded ISO file & uses code from FileServer JS to save the ISO to disk. It contains potential tracking & credential-harvesting URLs. Some variants of EnvyScout contain execution guardrails that utilize recon data previously collected by Firebase JS. 
🚨BREAKING: hackers linked to #Russian🇷🇺intel have breached @USAID’s @ConstantContact account in an ONGOING ATTACK to send spearphishing emails to >3,000 accounts at >150 organizations—many such groups have been critical of Putin’s human rights violations.
nytimes.com/2021/05/28/us/…
nytimes.com/2021/05/28/us/…
Microsoft says #Nobelium is behind the attack—the same #Russian🇷🇺hackers behind the #SolarWinds hack that was the work of the SVR, a spinoff from the KGB.
The SVR was behind the hack of the @DNC in 2016, and attacks on the Pentagon, the WH email system and the State Department🤬
The SVR was behind the hack of the @DNC in 2016, and attacks on the Pentagon, the WH email system and the State Department🤬
#Russia’s🇷🇺latest cyberattack began after @POTUS imposed new sanctions on #Russian individuals and assets for the #SolarWinds cyberattack—including restrictions on purchasing #Russia’s sovereign debt, making it more difficult for Russia to raise money & support its currency.
#GoldMax (aka #SUNSHUTTLE) is a new and capable backdoor written in Go/Golang. It is typically used as a late-stage (e.g. 3+) backdoor brought into an environment using access enabled via #TEARDROP, #RainDrop and other related malware deployed by #NOBELIUM/UNC2452.
#GoldMax creates & maintains a config file (name unique to each implant). The config file is AES-256 encrypted (unique-to-each-implant key) & then Base64 encoded (custom alphabet, '=' replaced with null). A handy C2 command allows the operators to update certain config fields.
