Delivered to the victim's machine by Cobalt Strike beacons, Ceeloader is used to execute other shellcode payloads directly in memory. Overall, Nobelium is using this new in-house malware for reconnaissance purposes.
Nobelium’s New In-house Malware
Mediocre hacking groups often rely on publicly available scripts and pre-made tools written by others, which makes their job easy. But because those tools are so widely used, they are also easy to detect, and they expose the group. Prominent hacking groups, such as state-backed ones, therefore use custom malware developed in-house. Russia's Nobelium is one of them. Also known as APT29, The Dukes, or Cozy Bear, this group is linked to the Russian Foreign Intelligence Service (SVR) and was tagged by Microsoft under two clusters, UNC3004 and UNC2652. Nobelium is also believed to be the main actor behind last year's SolarWinds attack.

Now, the group has been found using a new custom malware named Ceeloader, as reported by the security firm Mandiant. In its updated UNC2452 whitepaper, Mandiant said that Ceeloader is written in C and is heavily obfuscated with large blocks of junk code. This is done to avoid detection by security software: interleaving the Windows API calls used for C2 with meaningless code makes the malicious logic harder to spot. Ceeloader is initially delivered to the target's machine by Cobalt Strike beacons and is able to execute shellcode payloads directly in memory. It communicates over HTTP, and its connections to the attackers' C2 are decrypted using AES-256 in CBC mode.

Mandiant noted that the Nobelium group uses residential IP addresses (proxies), Tor, VPS hosts, and VPNs to access the victim's environment, making the activity much harder to trace. The group has also been found using compromised WordPress sites to host its second-stage payloads, and even legitimate Microsoft Azure-hosted systems to serve payloads for Ceeloader. All of this is done in support of reconnaissance, as stealing confidential data is Nobelium's main aim.