Gruppo TIM

NOBELIUM again or eCrime operation?

The Telsy Threat Intelligence team identified a phishing campaign that seems to target multiple victims based in the United States, Great Britain, and Europe. The campaign appears to have been active since at least October 2021 and is still ongoing.

 

Introduction

Analyses consistently highlighted the same tactic (ISO disk image -> LNK link file -> DLL implant), a tactic also described in two reports earlier this year by Volexity and Microsoft. Some changes can be attributed to the use of the Sliver framework in place of Cobalt Strike, rather than the use of the Rust language as a loader of the Sliver implant.

While there is no way to say for sure who is behind this attack, and this infection chain is also used in eCrime campaigns, some attributes are consistent with previous tactics used by APT29 (aka the Dukes, Cozy Bear, Nobelium), which were made known following the release of the advisory "Further TTPs associated with SVR cyber actors", published by the UK and US governments.

The document reports the changes to their TTPs that the threat actor made in an attempt to avoid further detection and remediation efforts by network defenders. These changes included the deployment of the open-source tool Sliver.

Sliver is a legitimate tool developed by offensive security assessment firm Bishop Fox. It is described as an adversary simulation tool and is designed to be an open source alternative to Cobalt Strike. Sliver supports asymmetrically encrypted C2 over DNS, HTTP, HTTPS, and Mutual TLS using per-binary X.509 certificates signed by a per-instance certificate authority, and supports a multiplayer mode for collaboration.

However, it is not surprising that many espionage actors use publicly and commercially available frameworks, for reasons such as plausible deniability.

This specific campaign spreads ISO images, which are mounted much like an external or network drive. From there, a shortcut file (LNK) executes an accompanying DLL, which results in the Sliver implant executing on the system.

Most likely, the ISOs are disseminated via a download link within a phishing e-mail. In addition, they carry no contextual information about the target, as is usually the case when a decoy document is displayed.
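A triage check for the ISO -> LNK -> DLL chain described above, as an added example that is not code from the Telsy report: it parses the StringData of a shortcut following the MS-SHLLINK layout and reports which DLLs in the same image listing the shortcut names. The function names, file names and the sample shortcut are constructed for illustration and are not indicators from this campaign.

```python
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK), in the order their StringData fields appear
STRING_FLAGS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                (0x20, "arguments"), (0x40, "icon_location")]

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link (.lnk) file."""
    if (len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & 0x01:  # HasLinkTargetIDList: 2-byte size, then the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:  # HasLinkInfo: 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, codec = (2, "utf-16-le") if flags & 0x80 else (1, "cp1252")
    out = {}
    for bit, name in STRING_FLAGS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            end = pos + 2 + count * width
            if end > len(data):
                raise ValueError("truncated StringData")
            out[name] = data[pos + 2:end].decode(codec, errors="replace")
            pos = end
    return out

def lnk_runs_sibling_dll(lnk: bytes, listing: list) -> list:
    """DLLs from the image listing that the shortcut's target or arguments name."""
    fields = parse_lnk_strings(lnk)
    text = " ".join(fields.get(k, "") for k in ("relative_path", "arguments")).lower()
    referenced = {m.rsplit("\\", 1)[-1]
                  for m in re.findall(r"[^\s,\"']+\.dll\b", text)}
    return sorted(f for f in listing if f.lower() in referenced)

def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed test input: minimal header plus two Unicode StringData fields."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, 0x08 | 0x20 | 0x80) + bytes(52)
    enc = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + enc(relative_path) + enc(arguments)
```

A non-empty result for a shortcut found inside a mounted disk image means the shortcut points at a DLL shipped alongside it, which is the pairing this campaign relies on.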

 


This report was produced by Telsy’s “Cyber Threat Intelligence” team with the help of its CTI platform, which makes it possible to analyze and stay updated on adversaries and threats that could impact customers’ business.