
NOBELIUM’s EnvyScout infection chain goes in the registry, targeting embassies

14-Jan-2022 02:32:25


Russian cyber-espionage group NOBELIUM has been targeting Iranian embassies since 2021, Kaspersky has revealed in a new analysis of EnvyScout malware files released in October 2021.

REFERENCE:
https://www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/
TARGETED COUNTRIES:
MALWARE FAMILY:
APT29
ATT&CK IDS:
T1583.001 - Domains, T1583.003 - Virtual Private Server, T1566.001 - Spearphishing Attachment, T1566.003 - Spearphishing via Service, T1059.001 - PowerShell, T1204.002 - Malicious File, T1207 - Rogue Domain Controller, T1071.001 - Web Protocols

YARA rule: apt_nobelium_powsershell_reg_loader_decoded

rule apt_nobelium_powsershell_reg_loader_decoded {
    meta:
        id = "c8ee9c40-fa28-4b9a-98e8-88ccc4a16091"
        description = "Matches the decoded version of the Powershell loader stored in the registry"
        version = "1.0"
        creation_date = "2021-12-07"
        modification_date = "2021-12-07"
        classification = "TLP:WHITE"
        source = "SEKOIA"
    strings:
        $x = "FromBase64String((gp HKCU:\\\\SOFTWARE\\\\"
        $y = "Remove-ItemProperty HKCU:\\\\SOFTWARE\\\\"
        $z = "Invoke([IntPtr]::Zero)"
    condition:
        filesize < 3KB and
        $x and #y == 2 and
        $z at (filesize-22)
}
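To make the rule's condition concrete, here is an added example (not code from this page or from SEKOIA) that re-implements its four clauses in plain Python and checks them against a constructed stand-in for the decoded loader; the registry value name "Example" and the surrounding PowerShell lines are assumptions, only the three rule strings come from the page. It also makes explicit why the offset is 22: that is the length of $z, so the script must end with the invocation, and any trailing newline defeats the match.

```python
from typing import Dict

# Strings copied verbatim from the rule above; Python and YARA both decode "\\"
# to one backslash, so these bytes are exactly what the rule searches for.
STRINGS = {
    "x": b"FromBase64String((gp HKCU:\\\\SOFTWARE\\\\",
    "y": b"Remove-ItemProperty HKCU:\\\\SOFTWARE\\\\",
    "z": b"Invoke([IntPtr]::Zero)",  # 22 bytes, hence "filesize-22"
}
MAX_SIZE = 3 * 1024  # YARA's "3KB"


def evaluate(data: bytes) -> Dict[str, bool]:
    """Return the truth value of each clause of the rule's condition."""
    filesize = len(data)
    z = STRINGS["z"]
    return {
        "filesize < 3KB": filesize < MAX_SIZE,
        "$x": STRINGS["x"] in data,
        # "#y" is the occurrence count: the loader must delete exactly two
        # registry values (bytes.count is non-overlapping, which is fine here).
        "#y == 2": data.count(STRINGS["y"]) == 2,
        # "$z at (filesize-22)" pins the invocation to the very end of the
        # script: a trailing newline or any padding after it breaks the match.
        "$z at (filesize-22)": filesize >= len(z) and data[filesize - len(z):] == z,
    }


def rule_matches(data: bytes) -> bool:
    """True when every clause holds, i.e. when YARA would report a match."""
    return all(evaluate(data).values())


def constructed_loader(removals: int = 2, padding: bytes = b"",
                       trailer: bytes = b"") -> bytes:
    """Constructed stand-in for a decoded loader body (not a real sample).

    The value name "Example" and the surrounding PowerShell are assumptions;
    only the three rule strings come from the page.
    """
    body = b"$b = [Convert]::FromBase64String((gp HKCU:\\\\SOFTWARE\\\\Example).Blob)\n"
    body += b"Remove-ItemProperty HKCU:\\\\SOFTWARE\\\\Example -Name Blob\n" * removals
    if padding:
        body += b"# " + padding + b"\n"  # grows the file without touching the end
    return body + b"Invoke([IntPtr]::Zero)" + trailer


if __name__ == "__main__":
    # A CRLF after the invocation is enough to fail the "$z at" clause.
    print(evaluate(constructed_loader(trailer=b"\r\n")))
```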

AlienVault OTX pulse: https://otx.alienvault.com/pulse/61d85b5006fdef2345a10363
