New custom malware ‘Ceeloader’ used by Nobelium group in attacks

January 19, 2022

The Russia-based Nobelium hacking group has been observed using a new custom malware called ‘Ceeloader’ in intrusions against governments and enterprises worldwide, gaining entry by first compromising the victims’ cloud service providers and managed service providers (MSPs).

Microsoft gave the group the name Nobelium after the SolarWinds supply-chain attack, which compromised multiple US federal agencies. The group is widely attributed to Russia’s Foreign Intelligence Service (SVR) and is also tracked as APT29, Cozy Bear, and The Dukes.

Security researchers were able to analyse the traces Nobelium left behind, even though the group is an advanced actor that relies on custom malware and tooling.

From those traces the researchers reconstructed the group’s tactics, techniques, and procedures (TTPs), including its use of the new Ceeloader downloader. The activity is tracked as two distinct but related clusters, UNC3004 and UNC2652, both of which the researchers assess to be associated with Nobelium.

To gain initial access to downstream customers, Nobelium continues to breach cloud service providers (CSPs) and MSPs and abuses the privileged access those providers hold into customer environments. In one case the researchers describe, the group compromised a local VPN account at the provider, used it to perform reconnaissance and reach internal resources within the CSP environment, and from there compromised internal domain accounts.

In another case, the group authenticated to a victim’s Microsoft 365 environment with a valid session token that had been stolen by the CRYPTBOT information-stealing malware. The researchers also observed the group compromising several accounts within a single environment and using each for a separate function, so that the loss of one account does not expose the entire operation.
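A detection for the stolen-session-token pattern above, written for this page as an added example (it is not the researchers’ tooling and not a Microsoft product feature). An interactive sign-in (password plus MFA) establishes a session; later requests present only the session token. A token-only sign-in that arrives from a different IP and a different user agent than the interactive sign-in that created the session is the footprint token replay leaves. The log lines are constructed, and the pipe-separated layout and field names are assumptions for the example, not the real Microsoft 365 sign-in log schema.

```python
"""Flag sign-ins that look like replay of a stolen Microsoft 365 session token.

Constructed sample data; field layout is an assumption for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed records: timestamp|user|session_id|source_ip|user_agent|auth
SAMPLE_LOG = """\
2021-11-02T08:01:00|alice@example.test|S1|203.0.113.10|Edge/Win10|interactive
2021-11-02T08:30:00|alice@example.test|S1|203.0.113.10|Edge/Win10|token
2021-11-02T13:12:00|alice@example.test|S1|198.51.100.77|Chrome/Linux|token
2021-11-02T09:00:00|bob@example.test|S2|203.0.113.11|Edge/Win10|interactive
2021-11-02T09:05:00|bob@example.test|S2|203.0.113.11|Edge/Win10|token
2021-11-03T17:40:00|bob@example.test|S9|198.51.100.77|Chrome/Linux|token
"""


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    session_id: str
    ip: str
    user_agent: str
    interactive: bool  # True: password + MFA; False: session token only


def parse_line(line: str) -> SignIn:
    ts, user, sid, ip, ua, auth = line.strip().split("|")
    return SignIn(datetime.fromisoformat(ts), user, sid, ip, ua, auth == "interactive")


def load_events(text: str):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_token_replay(events, max_age=timedelta(hours=24)):
    """Return (kind, suspect, origin) triples.

    "token-replay": the session's interactive origin is known and a token-only
    sign-in within max_age differs from it in both IP and user agent.
    "token-without-origin": a token is used for a session we never saw being
    established. Lower confidence: it may just be a log-retention gap.
    """
    origin = {}  # session_id -> the interactive SignIn that created the session
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.interactive:
            origin[ev.session_id] = ev
            continue
        first = origin.get(ev.session_id)
        if first is None:
            hits.append(("token-without-origin", ev, None))
        elif (ev.ts - first.ts <= max_age
              and ev.ip != first.ip
              and ev.user_agent != first.user_agent):
            hits.append(("token-replay", ev, first))
    return hits


if __name__ == "__main__":
    for kind, ev, first in find_token_replay(load_events(SAMPLE_LOG)):
        src = f"{first.ip} / {first.user_agent}" if first else "unknown origin"
        print(f"{kind}: {ev.user} session {ev.session_id} from {ev.ip} / {ev.user_agent}"
              f" (session established from {src})")
```

Requiring both IP and user agent to differ keeps ordinary address changes (a laptop moving networks) out of the results; a replayed token lands on the attacker’s own host, so both normally change together.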

Nobelium is known for developing custom tooling: downloaders that stage additional payloads on a compromised host, and utilities for network reconnaissance, NTLM credential theft, and other post-exploitation activity.

Ceeloader itself is a downloader written in C that executes a shellcode payload directly in memory, so the final payload never has to be written to disk. It is heavily obfuscated: calls to the Windows API are interleaved with large blocks of junk code, which slows manual analysis and defeats simple signature-based detection.
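The in-memory execution described above leaves a footprint that does not depend on the obfuscation: executable memory that no file on disk backs. The following is an added example written for this page (not Ceeloader’s code and not the researchers’ tooling) that applies that check to a constructed /proc/<pid>/maps excerpt. The heuristic is the same one memory-forensics tools apply to Windows process regions: a private region that is both writable and executable (PAGE_EXECUTE_READWRITE on Windows) is the strongest signal, and an anonymous executable region with no backing image is the weaker one. The process, paths and addresses in the sample are constructed.

```python
"""Hunt for executable memory with no backing file, the trace an in-memory
shellcode loader leaves. Sample mapping table is constructed."""
from dataclasses import dataclass

# Constructed /proc/<pid>/maps excerpt: address range, perms, offset, dev, inode, path
SAMPLE_MAPS = """\
55d8c4a00000-55d8c4a2b000 r-xp 00000000 08:01 1310723  /usr/bin/svc
55d8c4c2b000-55d8c4c2d000 rw-p 0002a000 08:01 1310723  /usr/bin/svc
55d8c5f10000-55d8c5f31000 rw-p 00000000 00:00 0        [heap]
7f3c2a000000-7f3c2a021000 rwxp 00000000 00:00 0
7f3c2a800000-7f3c2a9c6000 r-xp 00000000 08:01 2752657  /usr/lib/x86_64-linux-gnu/libc.so.6
7f3c2b000000-7f3c2b001000 r-xp 00000000 00:00 0
7ffd1a000000-7ffd1a021000 rw-p 00000000 00:00 0        [stack]
7ffd1a0f0000-7ffd1a0f2000 r-xp 00000000 00:00 0        [vdso]
"""

# Kernel-provided executable pseudo-mappings that are expected to be anonymous.
KERNEL_PSEUDO = {"[vdso]", "[vsyscall]", "[vvar]"}


@dataclass(frozen=True)
class Region:
    start: int
    end: int
    perms: str   # e.g. "rwxp": read, write, execute, private
    inode: int   # 0 means no backing file
    path: str    # "" for anonymous mappings, "[heap]" etc. for pseudo-mappings

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_maps(text: str):
    """Parse /proc/<pid>/maps lines into Region objects."""
    regions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(None, 5)
        addr, perms, _offset, _dev, inode = fields[:5]
        path = fields[5].strip() if len(fields) > 5 else ""
        start, end = (int(x, 16) for x in addr.split("-"))
        regions.append(Region(start, end, perms, int(inode), path))
    return regions


def find_unbacked_exec(regions):
    """Return (kind, region) pairs for executable regions no file backs.

    "rwx-anonymous": writable and executable at once (shellcode written then run).
    "exec-anonymous": executable but read-only now; the writer may have flipped
    protections after staging the payload, or it may be a legitimate JIT.
    """
    findings = []
    for r in regions:
        if "x" not in r.perms:
            continue
        if r.inode != 0:               # mapped from a file on disk
            continue
        if r.path in KERNEL_PSEUDO:    # [vdso] and friends are expected
            continue
        kind = "rwx-anonymous" if "w" in r.perms else "exec-anonymous"
        findings.append((kind, r))
    return findings


if __name__ == "__main__":
    for kind, r in find_unbacked_exec(parse_maps(SAMPLE_MAPS)):
        print(f"{kind}: 0x{r.start:x}-0x{r.end:x} ({r.size} bytes, {r.perms})")
```

On a live Windows host the same walk is done with VirtualQueryEx over the target process, and memory-forensics tools apply this rule to process VADs; on any platform, the "exec-anonymous" class needs an allow-list for known JIT runtimes before it is useful as an alert.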

Security researchers warn that Nobelium remains active. The evidence gathered during their investigations indicates that the group is exfiltrating documents of political interest to Russia, consistent with an intelligence-collection mission.
