Dec 7, 2021
0 0

Russian hacking group uses new stealthy Ceeloader malware

Written by

Microsoft offers 50% subscription discounts to Office pirates
Russian hacking group uses new stealthy Ceeloader malware
France warns of Nobelium cyberspies attacking French orgs
Microsoft seizes sites used by APT15 Chinese state hackers
Microsoft seizes sites used by APT15 Chinese state hackers
Eurostar tests facial recognition system on London train station
France warns of Nobelium cyberspies attacking French orgs
Hundreds of SPAR stores shut down, switch to cash after cyberattack
Qualys BrowserCheck
Junkware Removal Tool
How to remove the PBlock+ adware browser extension
Remove the Search Redirect
Remove the Search Redirect
Remove the Search Redirect
Remove Security Tool and SecurityTool (Uninstall Guide)
How to remove Antivirus 2009 (Uninstall Instructions)
How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo
How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller
Locky Ransomware Information, Help Guide, and FAQ
CryptoLocker Ransomware Information Guide and FAQ
CryptorBit and HowDecrypt Information Guide and FAQ
CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ
How to make the Start menu full screen in Windows 10
How to install the Microsoft Visual C++ 2015 Runtime
How to open an elevated PowerShell Admin prompt in Windows 10
How to Translate a Web Page in Google Chrome
How to start Windows in Safe Mode
How to remove a Trojan, Virus, Worm, or other Malware
How to show hidden files in Windows 7
How to see hidden files in Windows
IT Certification Courses
Gear + Gadgets
Russian bear
The Nobelium hacking group continues to breach government and enterprise networks worldwide by targeting their cloud and managed service providers and using a new custom “Ceeloader” malware.
Nobelium is Microsoft’s name for the threat actor behind last year’s SolarWinds supply-chain attack that led to the compromise of several US federal agencies. This group is believed to be the hacking division of the Russian Foreign Intelligence Service (SVR), commonly known as APT29, The Dukes, or Cozy Bear.
While Nobelium is an advanced hacking group using custom malware and tools, they still leave traces of activity that researchers can use to analyze their attacks.
In a new report from Mandiant, researchers used this activity to uncover tactics, techniques, and procedures (TTP) used by the hacking group, as well as a new custom downloader called “Ceeloader.”
Furthermore, the researchers break Nobelium into two distinct clusters of activity attributed to UNC3004 and UNC2652, which could mean that Nobelium is two cooperating hacking groups.
Based on the activity seen by Mandiant, the Nobelium actors continue to breach cloud providers and MSPs as a way to gain initial access to their downstream customer’s network environment.
“In at least one instance, the threat actor identified and compromised a local VPN account and made use of this VPN account to perform reconnaissance and gain further access to internal resources within the victim CSP’s environment, which ultimately led to the compromise of internal domain accounts,” explained Mandiant.
In at least one other breach, the hacking group used the CRYPTBOT password-stealing malware to steal valid session tokens used to authenticate to the victim’s Microsoft 365 environment.
It is noteworthy that Nobelium compromises multiple accounts within a single environment, using each of them for separate functions, thus not risking the entire operation in the case of exposure.
“The threat actors leveraged compromised privileged accounts and used SMB, remote WMI, remote scheduled tasks registration, and PowerShell to execute commands within victim environments.” – Mandiant
“The threat actor used the protocols mainly to perform reconnaissance, distribute beacons (Cobalt Strike) around the network, as well as run native Windows commands for credential harvesting.”
Nobelium is known for its development and use of custom malware that allows backdoor access to networks, the downloading of further malware, network tracing, NTLM credential theft, and other malicious behavior.
Mandiant has discovered a new custom downloader called “Ceeloader” written in C and supports the execution of shellcode payloads directly in memory.
The malware is heavily obfuscated, and mixes calls to the Windows API with large blocks of junk code to evade detection by security software.
Ceeloader communicates via HTTP, while the C2 response is decrypted using AES-256 in CBC mode.
The custom Ceeloader downloader is installed and executed by a Cobalt Strike beacon as needed and does not include persistence to allow it to automatically run when Window is started.
Nobelium has used numerous custom malware strains in the past, specifically during the Solarwinds attacks and in a phishing attack against the United States Agency for International Development (USAID).
To hamper attempts at tracing the attacks, Nobelium uses residential IP addresses (proxies), TOR, VPS (Virtual Private Services), and VPN (Virtual Private Networks) to access the victim’s environment.
In some cases, Mandiant identified compromised WordPress sites used to host second-stage payloads that are fetched and launched into memory by Ceeloader.
Finally, the actors used legitimate Microsoft Azure-hosted systems with IP addresses that had proximity to the victim’s network. 
This approach helps blend external activity and internal traffic, making detecting the malicious activity unlikely and the analysis harder.
Mandiant warns that the activity of Nobelium is heavily focused on the collection of intelligence, as the researchers saw evidence of the hackers exfiltrating documents that are of political interest to Russia.
Microsoft has previously linked UNC2652 and UNC3004 to UNC2452, the group responsible for the SolarWinds supply chain attack, so it’s plausible that they are all under the same “Nobelium” umbrella.
However, Mandiant underlines that there is insufficient evidence to attribute this with high confidence.
What matters for defenders is that hackers are still leveraging third parties and trusted vendors like CSPs to infiltrate valuable target networks, so organizations must remain vigilant, constantly consider new IOCs, and keep their systems up to date.
Mandiant has updated the UNC2452 whitepaper on that front with all new TTPs observed in the 2021 campaigns.
Microsoft: Russian SVR hacked at least 14 IT supply chain firms since May
France warns of Nobelium cyberspies attacking French orgs
RedCurl corporate espionage hackers resume attacks with updated tools
Microsoft: Russian state hackers behind 53% of attacks on US govt agencies
Hackers use in-house Zoho ServiceDesk exploit to drop webshells
Not a member yet? Register Now
Microsoft reverses Windows 11’s annoying default browser setting changes
Convincing Microsoft phishing uses fake Office 365 spam alerts
To receive periodic updates and news from BleepingComputer, please use the form below.
Terms of Use Privacy PolicyEthics Statement
Copyright @ 2003 – 2021 Bleeping Computer® LLC – All Rights Reserved
Not a member yet? Register Now
Read our posting guidelinese to learn what content is prohibited.


Article Categories:
Cybersecurity News

Comments are closed.