Threat analysis study: Nobelium

Posted date 08/09/2022
Author
INCIBE (INCIBE)
Threat analysis study

We add a new study to our collection analysing malware threats and campaigns affecting Spain. In this case, the identified techniques, tactics, and procedures (TTP), have many similarities with  previous campaigns carried out by the Microsoft denomination for a group of attackers who, according to the allocation given by the Cybersecurity and Infrastructure Security Agency (CISA) of the United States, belong to the Russian Foreign Intelligence Service (SVR). This group is mainly known for the attack on the SolarWinds supply chain which came out in 2020 and for a phishing campaign in 2021, in which they passed themselves off as a US development organization.

Through a static and dynamic analysis of a sample of this malware in a controlled environment, the study gathered information which will help to find out the details of the tools and techniques used, as well as its functioning, with the aim to provide the mechanisms necessary to identify and respond to the threat.

Starting from its propagation via an email, the entire execution flow of the infection and its analysis, including the methods of obfuscation and persistence in the system, are traced.

The study also included a comparison between the different malicious campaigns of the Nobelium group, where similarities and differences in the analysed code are reviewed along with other samples from previous campaigns, based on publicly available information.

Finally, you will also find the indicators of compromise (IOC) associated with Nobelium and the Yara rules for detecting malicious samples of this malware.

The full study can be downloaded below: