NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks

Executive Summary

  • In late May, 2021, Microsoft and Volexity released public reports detailing recent Nobelium activity.
  • Nobelium is suspected to be the new face of APT29 (aka The Dukes). We track this activity under the name ‘NobleBaron’.
  • This campaign employs a convoluted multi-stage infection chain, five to six layers deep.
  • Most custom downloaders leverage Cobalt Strike Beacon in-memory as a mechanism to drop more elusive payloads on select victims.
  • This report focuses on NobleBaron’s ‘DLL_stageless’ downloaders (aka NativeZone)
  • SentinelLabs has discovered the use of one of these DLL_stageless downloaders as part of a poisoned update installer for electronic keys used by the Ukrainian government.
  • At this time, the means of distribution are unknown. It’s possible that these update archives are being used as part of a regionally-specific supply chain attack.
  • We uncovered additional unreported DLL_stageless downloaders.

Overview

After the extensive revelations of Russian state-sponsored cyberespionage activities over the past five years, teams like APT28 (aka FancyBear, STRONTIUM) and APT29 (aka CozyBear, The Dukes) have retooled and reorganized extensively to avoid easy tracking by Western governments and security vendors alike. The operations of ‘APT29’ no longer look anything like they did in the past half decade. At this point our preconceptions about these groups are doing more to cloud our judgment than they elucidate. Perhaps new naming conventions (like ‘NOBELIUM’ or ‘StellarParticle’) will help piece these new clusters of activity apart– all the while upsetting folks who would prefer a simpler threat landscape than the one our reality affords us.

We track this new activity under the name ‘NobleBaron’, building off of the excellent reporting by Microsoft and Volexity. We acknowledge the suspicion that this is a newer iteration of APT29 but share in the general trepidation to equate the two. While the aforementioned companies have done excellent work exposing the inner workings of this activity, we wanted to contribute additional variants we encountered in our follow-on research, including a curious particularly insidious packaging of the ‘NativeZone’ downloader as part of a poisoned installer for a Ukrainian cryptographic smartkey used in government operations.

A Convoluted Infection Chain

As noted by Microsoft, the actor appears to be experimenting with various multi-stage infection chains. Common variations include the method of delivering the ISO containers and a wide variety of custom downloaders enmeshed with Cobalt Strike Beacon. There’s a vague mention of an iOS zero-day being hosted on Nobelium fingerprinting servers but no mention as to whether this entails an iOS payload. That said, we also suspect no company is in a position to monitor iPhone endpoints for these payloads, Apple included.

While the Cobalt Strike Beacon payload is a disappointingly ubiquitous end for such a convoluted infection chain, it’s not in fact the end of that chain. Rather, it serves as an early scout that enables selective distribution of rarer payloads directly into memory where they’re less likely to be detected. A similar technique was employed by HackingTeam’s Remote Control System (RCS) where initial infections used their ‘Scout’ malware for initial recon and could then be selectively upgraded to the full ‘Elite’ payload. After years of burned iterations on custom toolkits, it seems NobleBaron has opted for maximizing return on investment by simply lowering their upfront investment.

Notable TTPs include the following:

  • An increasing depth in multi-layer droppers (a concept briefly described by Steve Miller and worth exploring further) particularly with regard to the inevitable CS Beacon payload.
  • The use of large size files to avoid detection by security solutions with hardcoded size limits for ‘efficiency’.
  • A fishing-with-dynamite approach to collecting initial access to victims with low-cost tooling. The SolarWinds supply chain attack is one such example of starting with a wide victim pool and whittling down to high-value targets.

A Curious Poisoned Installer

SHA256
3b94cc71c325f9068105b9e7d5c9667b1de2bde85b7abc5b29ff649fd54715c4
SHA1
fc781887fd0579044bbf783e6c408eb0eea43485
MD5
66534e53d8751a24a767221fed01268d
Compilation Timestamp
2021-05-18 10:21:20
First Submission
2021-05-18 13:26:14
Size
282KB
Internal Name
KM.FileSystem.dll
File Description
ІІТ Бібліотека роботи з НКІ типу: "файлова система" (Ukrainian)

Most notably, one of these NativeZone downloaders is being used as part of a clever poisoned installer targeting Ukrainian government security applications. A zip file is used to package legitimate components alongside a malicious DLL (KM.Filesystem.dll). The malicious KM.Filesystem.dll was crafted to impersonate a legitimate component of the Ukrainian Institute of Technology’s cryptographic keys of the same name. It even mimics the same two exported functions as the original.

KM.Filesystem.dll exported functions

The package is not an ISO, but it follows a familiar formula. ‘ScanClientUpdate.zip’ relies on a triad of sorts. An LNK is used to kick off the malicious KM.FileSystem.dll component. In turn, KM.FileSystem.dll starts by checking for presence of KM.EkeyAlmaz1C.dll (a benign DLL). This check is presumably meant as an anti-sandbox technique that would keep this downloader from executing unless it’s in the same directory as the other packaged components.

ScanClientUpdate.zip contents

We stop short of referring to this as a supply chain attack since we lack visibility into its means of distribution. The poisoned installer may be delivered directly to relevant victims that rely on this regional solution. Alternatively, the attackers may have found a way of abusing an internal resource to distribute their malicious ‘update’.

LNK starter command to run the malicious DLL

The LNK starter invokes the KMGetInterface export to execute the malware’s functionality. It passes a benign Windows component as an argument (ComputerDefaults.exe). The attackers will use the file’s attributes later on.

Upon execution, the user is presented with a vague ‘Success’ message box.

Note that the heading of the message box is ‘ASKOD’, a reference to the Ukrainian electronic document management system. This initiative is meant to enforce electronic digital signatures through the use of cryptographic keys like the Алмаз-1К (transliterated as ‘Almaz-1K’ or translated to ‘Diamond-1K’) shown below.

Алмаз-1К electronic key description

These particular electronic keys are referenced in Ukrainian government tenders and make for a cunning regional-specific lure to distribute malware.

After displaying the message box, the malicious DLL proceeds to resolve APIs by hash and decrypts its payload directly into memory. You guessed it: Cobalt Strike Beacon v4.

It then decrypts the configuration via single-byte XOR 0x2E and attempts to establish contact with the command-and-control server doggroomingnews[.]com. It checks for ‘/storage/main.woff2’ and if necessary falls back to ‘/storage/page.woff2’. The domain resolves to an IP address in Ukraine (45.135.167.27), which appears to be a compromised domain.

While we have not been able to fetch the response at this time, it’s worth noting that this same IP was also contacted by a Cobalt Strike Beacon sample in late 2020:

5a9c48f49ab8eaf487cf57d45bf755d2e332d60180b80f1f20297b16a61aa984 artifact.exe

These malicious updates are distributed in zip archives. At this time, we’ve discovered two ‘ScanClientUpdate.zip’ samples, both containing the same malicious DLL:

51b47cd3fc139e20c21897a00ac4e3b096380f939633233116514a1f2d9e63d5
ca66b671a75bbee69a4a4d3000b45d5dc7d3891c7ee5891272ccb2c5aed5746c

‘DLL_stageless’ (NativeZone) Variants

NobleBaron developers internally refer to these components under the name ‘DLL_stageless’

DLL_stageless PDB path

The following are variants of DLL_stageless with their respective delivery mechanisms and encrypted command-and-control configuration.

SHA256
2a352380d61e89c89f03f4008044241a38751284995d000c73acf9cad38b989e
SHA1
6114655cf8ddfd115156a1c450ba01e31887fabb
MD5
77605aa6bd6fb890b9b823bd7a3cc78b
Compilation Timestamp
2021-03-15 18:32:47
First Submission
2021-04-01 14:06:27
Size
299.50KB
ITW Name
MsDiskMountService.dll
Malicious Export
DiskDriveIni
C&C
74d6b7b2.app.giftbox4u[.]com
SHA256
776014a63bf3cc7034bd5b6a9c36c75a930b59182fe232535bb7a305e539967b
SHA1
247a32ebee0595605bab77fc6ff619f66740310b
MD5
e55d9f6300fa32458b909fded48ec2c9
Compilation Timestamp
2021-03-22 08:51:41
First Submission
2021-03-22 20:39:52
Size
351.50KB
ITW Name
diassvcs.dll
Malicious Export
InitializeComponent
C&C
content.pcmsar[.]net
SHA256
a4f1f09a2b9bc87de90891da6c0fca28e2f88fd67034648060cef9862af9a3bf
SHA1
19a751ff6c5abd8e209f72add9cd35dd8e3af409
MD5
600aceaddb22b9a1d6ae374ba7fc28c5
Compilation Timestamp
2021-02-17 13:18:24
First Submission
2021-02-25 16:33:09
Size
277KB
ITW Name
GraphicalComponent.dll
Malicious Export
VisualServiceComponent
C&C
139.99.167[.]177

Analyzing GraphicalComponent.dll led to the discovery of another DLL_stageless sample. At this time, we have not discovered the delivery mechanism. The name suggests the possibility of a different poisoned installer, with a focus on the Java SRE runtime.

SHA256
c4ff632696ec6e406388e1d42421b3cd3b5f79dcb2df67e2022d961d5f5a9e78
SHA1
95227f426d8c3f51d4b9a044254e67a75b655d6a
MD5
8ece22e6b6e564e3cbfb190bcbd5d3b9
Compilation Timestamp
2020-10-02 07:51:09
First Submission
2020-12-16 14:48:01
Size
277.50KB
ITW Name
Java_SRE_runtime_update.dll
Malicious Export
CheckUpdteFrameJavaCurrentVersion
C&C
hanproud[.]com

The malicious functionality of this sample is launched via the exported function CheckUpdteFrameJavaCurrentVersion. This particular instance of DLL_stageless doesn’t check for a nearby file or specific directory.

References

https://twitter.com/MalwareRE/status/1398394028127932416
https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/
https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/