Discover and read the best of Twitter Threads about #nobelium

Most recents (3)

Today we are releasing a new blog and technical information regarding TTPs & new malware families observed during previously disclosed #NOBELIUM phishing campaigns we have observed/tracked since as early as Jan 2021.

microsoft.com/security/blog/…

Thread on the new families & TTPs ⬇️
Notable new malware families:

#EnvyScout: HTML/JS dropper, drops a next-stage ISO file

#BoomBox: Downloader, downloads #VaporRage and #NativeZone from Dropbox

#VaporRage: Shellcode downloader

#NativeZone: Loader observed to load VaprorRage and Cobalt Strike stage shellcode
#EnvyScout de-obfuscates an embedded ISO file & uses code from FileServer JS to save the ISO to disk. It contains potential tracking & credential-harvesting URLs. Some variants of EnvyScout contain execution guardrails that utilize recon data previously collected by Firebase JS.
Read 15 tweets
🚨BREAKING: hackers linked to #Russian🇷🇺intel have breached @USAID’s @ConstantContact account in an ONGOING ATTACK to send spearphishing emails to >3,000 accounts at >150 organizations—many such groups have been critical of Putin’s human rights violations.
nytimes.com/2021/05/28/us/…
Microsoft says #Nobelium is behind the attack—the same #Russian🇷🇺hackers behind the #SolarWinds hack that was the work of the SVR, a spinoff from the KGB.

The SVR was behind the hack of the @DNC in 2016, and attacks on the Pentagon, the WH email system and the State Department🤬
#Russia’s🇷🇺latest cyberattack began after @POTUS imposed new sanctions on #Russian individuals and assets for the #SolarWinds cyberattack—including restrictions on purchasing #Russia’s sovereign debt, making it more difficult for Russia to raise money & support its currency.
Read 5 tweets
#GoldMax (aka #SUNSHUTTLE) is a new and capable backdoor written in Go/Golang. It is typically used as a late-stage (e.g. 3+) backdoor brought into an environment using access enabled via #TEARDROP, #RainDrop and other related malware deployed by #NOBELIUM/UNC2452.
#GoldMax creates & maintains a config file (name unique to each implant). The config file is AES-256 encrypted (unique-to-each-implant key) & then Base64 encoded (custom alphabet, '=' replaced with null). A handy C2 command allows the operators to update certain config fields.
Read 17 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!