Ramin Nafisi
Malware RE Lead @ Microsoft Threat Intel Center (MSTIC) || Fascinated & humbled by your complex malware, me vs. your code, not me vs. you/yours.
May 28, 2021 15 tweets 8 min read
Today we are releasing a new blog and technical information regarding TTPs & new malware families observed during previously disclosed #NOBELIUM phishing campaigns we have observed/tracked since as early as Jan 2021.

microsoft.com/security/blog/…

Thread on the new families & TTPs ⬇️

Notable new malware families:

#EnvyScout: HTML/JS dropper, drops a next-stage ISO file

#BoomBox: Downloader, downloads #VaporRage and #NativeZone from Dropbox

#VaporRage: Shellcode downloader

#NativeZone: Loader observed to load VaporRage and Cobalt Strike stage shellcode
Mar 4, 2021 17 tweets 10 min read
Thread on #NOBELIUM's new malware families: #GoldMax (aka #SUNSHUTTLE), #GoldFinder, and #Sibot 👇

#GoldMax (aka #SUNSHUTTLE) is a new and capable backdoor written in Go/Golang. It is typically used as a late-stage (e.g. 3+) backdoor brought into an environment using access enabled via #TEARDROP, #RainDrop and other related malware deployed by #NOBELIUM/UNC2452.
Jan 20, 2021 21 tweets 7 min read
As part of our commitment to keeping our customers/community protected & informed, we are releasing a blog that shines light on the transition between Stage 1 and 2 of the #Solorigate/#SUNBURST campaign, custom Cobalt Strike loaders, post-exploitation artifacts, and IOCs: microsoft.com/security/blog/… Here are some highlights:

The missing link between the Solorigate backdoor and the custom #CobaltStrike loaders observed during the #Solorigate campaign is an Image File Execution Options (IFEO) Debugger registry value created for the legitimate process dllhost.exe (ATT&CK ID: T1546.012).