NOBELIUM’s EnvyScout infection chain goes in the registry, targeting embassies

14-Jan-2022 02:32:25
Russian cyber-espionage group NOBELIUM (tracked as APT29) has been targeting Iranian embassies since 2021, according to SEKOIA's analysis (see the reference below) of EnvyScout malware samples from October 2021. The notable change in this variant of the infection chain is that the PowerShell loader is staged in the Windows registry rather than on disk, which is what the YARA rule below is written to catch.

REFERENCE: https://www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/
TARGETED COUNTRIES:
MALWARE FAMILY: APT29 (the actor name; the malware itself is EnvyScout)
ATT&CK IDS:
  T1583.001 - Domains
  T1583.003 - Virtual Private Server
  T1566.001 - Spearphishing Attachment
  T1566.003 - Spearphishing via Service
  T1059.001 - PowerShell
  T1204.002 - Malicious File
  T1207 - Rogue Domain Controller
  T1071.001 - Web Protocols

YARA rule (source: SEKOIA)

rule apt_nobelium_powsershell_reg_loader_decoded {
    meta:
        id = "c8ee9c40-fa28-4b9a-98e8-88ccc4a16091"
        description = "Matches the decoded version of the Powershell loader stored in the registry"
        version = "1.0"
        creation_date = "2021-12-07"
        modification_date = "2021-12-07"
        classification = "TLP:WHITE"
        source = "SEKOIA"
    strings:
        // In a YARA text string "\\" is a single literal backslash, so these
        // match HKCU:\SOFTWARE\ exactly as it appears in the decoded PowerShell.
        // (The doubled "\\\\" in some copies of this rule would require two
        // backslashes in the script and never match.)
        $x = "FromBase64String((gp HKCU:\\SOFTWARE\\"
        $y = "Remove-ItemProperty HKCU:\\SOFTWARE\\"
        $z = "Invoke([IntPtr]::Zero)"
    condition:
        filesize < 3KB and
        $x and #y == 2 and
        // $z is 22 bytes long, so this requires the script to end exactly with it
        $z at (filesize - 22)
}
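As an added, runnable illustration of what the rule above keys on (this is an editor's example, not code from the page or from SEKOIA), the Python below applies the rule's three conditions to the decoded content of base64-looking REG_SZ values in a .reg export of HKCU\SOFTWARE. Everything it consumes is constructed inline: the export, the hypothetical HKCU\SOFTWARE\Example\Store key with its Loader and Payload values, and a stand-in loader that reproduces only the three markers the rule matches and is not the NOBELIUM script.

```python
"""Triage a .reg export of HKCU\\SOFTWARE for base64 values that decode to a
PowerShell loader satisfying the SEKOIA rule's conditions.

Added example, not from the page or SEKOIA; all input below is constructed."""
import base64
import re

# The rule's strings with YARA escaping collapsed: one "\\" in YARA is one
# literal backslash, which is what PowerShell source contains.
X_MARKER = b"FromBase64String((gp HKCU:\\SOFTWARE\\"
Y_MARKER = b"Remove-ItemProperty HKCU:\\SOFTWARE\\"
Z_MARKER = b"Invoke([IntPtr]::Zero)"
MAX_SIZE = 3 * 1024  # YARA "filesize < 3KB"

# Constructed stand-in for a decoded loader under a hypothetical key. It only
# reproduces the three markers the rule keys on; it is not the real script
# and does not execute anything.
LOADER = (
    "$s = [Convert]::FromBase64String((gp HKCU:\\SOFTWARE\\Example\\Store).Payload)\n"
    "Remove-ItemProperty HKCU:\\SOFTWARE\\Example\\Store -Name Payload\n"
    "Remove-ItemProperty HKCU:\\SOFTWARE\\Example\\Store -Name Loader\n"
    "# (payload handling omitted in this stand-in)\n"
    "$d.Invoke([IntPtr]::Zero)"
)


def build_sample_reg() -> str:
    """Constructed .reg export: a benign value plus the base64-wrapped loader."""
    loader_blob = base64.b64encode(LOADER.encode()).decode()
    nop_blob = base64.b64encode(b"\x90" * 64).decode()  # raw bytes, not a script
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        "[HKEY_CURRENT_USER\\SOFTWARE\\Example]\r\n"
        "\"Version\"=\"1.0\"\r\n\r\n"
        "[HKEY_CURRENT_USER\\SOFTWARE\\Example\\Store]\r\n"
        "\"Loader\"=\"" + loader_blob + "\"\r\n"
        "\"Payload\"=\"" + nop_blob + "\"\r\n"
    )


REG_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
REG_STRING_RE = re.compile(r'^"([^"]+)"="(.*)"\s*$')  # REG_SZ lines only
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def parse_reg_values(text: str):
    """Yield (key, value_name, data) for every REG_SZ value in a .reg export."""
    key = None
    for line in text.splitlines():
        m = REG_KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = REG_STRING_RE.match(line)
        if m and key is not None:
            yield key, m.group(1), m.group(2)


def decode_if_base64(data: str, min_len: int = 64):
    """Return the decoded bytes when data is a plausible base64 blob, else None."""
    if len(data) < min_len or len(data) % 4 or not B64_RE.match(data):
        return None
    try:
        return base64.b64decode(data, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def rule_matches(decoded: bytes) -> bool:
    """The rule's condition block, applied to one decoded value."""
    if len(decoded) >= MAX_SIZE:
        return False
    if X_MARKER not in decoded:
        return False
    if decoded.count(Y_MARKER) != 2:  # "#y == 2"
        return False
    # "$z at (filesize-22)": $z is 22 bytes, so the script must end with it
    # exactly; a trailing newline or CRLF is enough to make the rule miss.
    return decoded.endswith(Z_MARKER)


def hunt(reg_text: str):
    """Return [(key, value_name), ...] for values whose decoded content matches."""
    hits = []
    for key, name, data in parse_reg_values(reg_text):
        decoded = decode_if_base64(data)
        if decoded is not None and rule_matches(decoded):
            hits.append((key, name))
    return hits


if __name__ == "__main__":
    for key, name in hunt(build_sample_reg()):
        print("suspicious loader value:", key, "->", name)
```

On a real host, `reg export HKCU\SOFTWARE hkcu_software.reg` writes the export in UTF-16 LE, so read it with `encoding="utf-16"` before passing it to `hunt()`. The parser only looks at REG_SZ lines (`"Name"="data"`), which is where a base64-wrapped script would sit; `hex:` values are skipped. The `endswith` check makes the rule's `$z at (filesize-22)` clause explicit: a decoded script with a trailing newline is not matched, which is worth remembering when the rule is run over files rather than registry data.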

AlienVault OTX pulse: https://otx.alienvault.com/pulse/61d85b5006fdef2345a10363

