Researchers have identified two distinct clusters of activity, tracked as UNC3004 and UNC2652, that are associated with the Russia-linked Nobelium APT group (aka UNC2452).
NOBELIUM is the threat actor behind the SolarWinds supply chain attack, which involved multiple families of implants, including the SUNBURST backdoor, the TEARDROP, GoldMax and Sibot malware, and the GoldFinder backdoor.

The Nobelium cyberspies are now using a new custom downloader, tracked by the researchers as CEELOADER, which is written in C and supports the execution of shellcode payloads in memory. An obfuscation tool has been used to hide CEELOADER's real code between large blocks of junk code containing meaningless calls to the Windows API. The meaningful Windows API calls are hidden inside obfuscated wrapper functions that decrypt the name of the API and resolve it dynamically before calling it, so the imports never appear in the binary's import table.
CEELOADER communicates with its command and control (C2) server over HTTP, and the C2 response is decrypted using AES-256 in CBC mode. The researchers also noted that the loader does not implement a persistence mechanism of its own.
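As an added example (not code from this page or from the researchers' report), the following Go program emulates the decryption step described above so that an analyst holding a key recovered from a sample can decode a captured C2 response body offline. The body framing (a 16-byte IV followed by the AES-256-CBC ciphertext with PKCS#7 padding), the fixed key and the fake payload are assumptions made for this example; the page does not say how CEELOADER obtains its key or IV, nor how the response is framed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Assumed framing for this example (not taken from the page): the HTTP response
// body is a 16-byte IV followed by the AES-256-CBC ciphertext, PKCS#7 padded.

// pkcs7Pad pads data to a multiple of blockSize (always adds at least one byte).
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad checks the padding and strips it; malformed padding is an error
// rather than silently truncated data.
func pkcs7Unpad(data []byte, blockSize int) ([]byte, error) {
	if len(data) == 0 || len(data)%blockSize != 0 {
		return nil, errors.New("plaintext length is not a multiple of the block size")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > blockSize || n > len(data) {
		return nil, errors.New("invalid padding length")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("invalid padding bytes")
		}
	}
	return data[:len(data)-n], nil
}

// EncryptResponse builds a response body the way a (hypothetical) C2 server
// would: random IV, then CBC ciphertext of the padded payload. It exists only so
// the example can produce its own sample input offline.
func EncryptResponse(key, payload []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(payload, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(iv, ct...), nil
}

// DecryptResponse mirrors the loader's step: split off the IV, CBC-decrypt the
// rest with the AES-256 key, and strip the padding to recover the payload that
// the loader would then execute in memory.
func DecryptResponse(key, body []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	if len(body) < 2*aes.BlockSize || len(body)%aes.BlockSize != 0 {
		return nil, errors.New("body too short or not block aligned")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv, ct := body[:aes.BlockSize], body[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt, aes.BlockSize)
}

func main() {
	// Constructed sample: a fixed key standing in for one recovered from a sample,
	// and a fake "shellcode" payload; none of this is real CEELOADER data.
	key := bytes.Repeat([]byte{0x41}, 32)
	payload := []byte("\x90\x90\xcc constructed fake shellcode")

	body, err := EncryptResponse(key, payload)
	if err != nil {
		panic(err)
	}
	got, err := DecryptResponse(key, body)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered %d payload bytes, match=%v\n", len(got), bytes.Equal(got, payload))
}
```

To use this against real traffic, replace the constructed key with one recovered from the sample and feed the captured HTTP body to DecryptResponse; if the real framing differs (IV transmitted separately, a different padding scheme, or an encrypted key), adjust the split and the unpad step accordingly. Padding is validated rather than trusted so that a wrong key or a tampered body fails loudly instead of yielding a silently truncated blob.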
In some campaigns, the threat actor authenticated to target environments from residential IP address ranges, so that the sign-ins resembled those of ordinary home and mobile users. That access was likely obtained through residential and mobile IP address proxy providers.
The attacker also provisioned a system within Microsoft Azure in close proximity to a legitimate Azure-hosted system belonging to the CSP they had compromised. This geographic proximity to the victim let the actor disguise the source of the attack and make it appear to originate from within legitimate Azure IP ranges.
Although the researchers cannot currently attribute this activity with higher confidence, the operational security of the intrusion and the exploitation of a third party are consistent with the tactics employed by the actors behind the SolarWinds compromise, and highlight the effectiveness of leveraging third parties.
Indicators Of Compromise