NOBELIUM’s EnvyScout infection chain goes in the registry, targeting embassies
Russian cyber-espionage group NOBELIUM has been targeting Iranian embassies since 2021, according to Sekoia.io's analysis of EnvyScout samples from October 2021. In the chain Sekoia describes, a Base64-encoded PowerShell loader is stored in the registry under HKCU:\SOFTWARE, decoded at run time, and the registry properties are removed after use.
REFERENCE:
https://www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/
MALWARE FAMILY:
APT29
ATT&CK IDS:
T1583.001 - Domains, T1583.003 - Virtual Private Server, T1566.001 - Spearphishing Attachment, T1566.003 - Spearphishing via Service, T1059.001 - PowerShell, T1204.002 - Malicious File, T1207 - Rogue Domain Controller, T1071.001 - Web Protocols
YARA rule: apt_nobelium_powsershell_reg_loader_decoded (source: SEKOIA)

    rule apt_nobelium_powsershell_reg_loader_decoded {
        meta:
            id = "c8ee9c40-fa28-4b9a-98e8-88ccc4a16091"
            description = "Matches the decoded version of the Powershell loader stored in the registry"
            version = "1.0"
            creation_date = "2021-12-07"
            modification_date = "2021-12-07"
            classification = "TLP:WHITE"
            source = "SEKOIA"
        strings:
            // YARA text strings escape a literal backslash as "\\", so these
            // match the single-backslash registry paths used by the decoded loader.
            $x = "FromBase64String((gp HKCU:\\SOFTWARE\\"
            $y = "Remove-ItemProperty HKCU:\\SOFTWARE\\"
            $z = "Invoke([IntPtr]::Zero)"
        condition:
            // Decoded loader is small, reads the payload from the registry,
            // deletes exactly two registry properties, and ends with the
            // 22-byte Invoke([IntPtr]::Zero) call (no trailing bytes after it).
            filesize < 3KB and
            $x and #y == 2 and
            $z at (filesize-22)
    }
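To see exactly what the rule requires before deploying it, the following is a pure-Python re-implementation of its condition run over a constructed stand-in for a decoded loader. This is an added example, not SEKOIA's code: only the three literal strings and the size/offset logic come from the rule; the key name "Example", the property names and the surrounding PowerShell are placeholders, and the sample is constructed, not a real capture.

```python
"""Re-implement the SEKOIA YARA condition in Python so each sub-condition
can be inspected on its own (added example, not SEKOIA's code)."""

SIZE_LIMIT = 3 * 1024  # YARA "3KB" is 3072 bytes

# The three literal strings from the rule. A Python "\\" is one backslash,
# matching the single-backslash registry path the decoded loader uses.
X = b"FromBase64String((gp HKCU:\\SOFTWARE\\"
Y = b"Remove-ItemProperty HKCU:\\SOFTWARE\\"
Z = b"Invoke([IntPtr]::Zero)"
assert len(Z) == 22  # the rule hard-codes "$z at (filesize-22)"


def evaluate(data: bytes) -> dict:
    """Return every sub-condition of the rule as a named boolean."""
    z_off = len(data) - len(Z)
    return {
        "filesize_lt_3kb": len(data) < SIZE_LIMIT,
        "x_present": X in data,
        # "#y == 2": exactly two occurrences (the string cannot overlap itself)
        "y_count_is_2": data.count(Y) == 2,
        # "$z at (filesize-22)": Z must start exactly 22 bytes before EOF,
        # i.e. the file must end with it; a trailing newline breaks the match.
        "z_at_eof": z_off >= 0 and data[z_off:] == Z,
    }


def matches(data: bytes) -> bool:
    """True only when all sub-conditions hold, like the YARA 'and' chain."""
    return all(evaluate(data).values())


# Constructed stand-in for a decoded registry-resident loader. The key name
# "Example", the property names and the script body are placeholders; only
# the three strings the rule keys on are faithful to the rule.
SAMPLE_LOADER = (
    "$b=[Convert]::FromBase64String((gp HKCU:\\SOFTWARE\\Example).Stage1);"
    "Remove-ItemProperty HKCU:\\SOFTWARE\\Example -Name Stage1;"
    "Remove-ItemProperty HKCU:\\SOFTWARE\\Example -Name Stage2;"
    "$d=[PlaceholderDelegate]$b;"
    "$d.Invoke([IntPtr]::Zero)"
)
SAMPLE_BYTES = SAMPLE_LOADER.encode()


if __name__ == "__main__":
    for label, blob in [
        ("constructed loader", SAMPLE_BYTES),
        ("same loader + trailing newline", SAMPLE_BYTES + b"\n"),
    ]:
        print(label, matches(blob), evaluate(blob))
```

The point worth checking is the `at` condition: because the rule anchors `$z` to the last 22 bytes, a decoded loader saved with a trailing newline or CRLF (as many editors and carving tools do) will not match, even though the other three strings are present. When hunting over dumped registry values, strip trailing whitespace before scanning, or evaluate the sub-conditions separately as above to see which one failed.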
AlienVault OTX pulse: https://otx.alienvault.com/pulse/61d85b5006fdef2345a10363
*Caution before clicking the link: the pulse lists live indicators; do not open them from an unprotected host.