Threat analysis study: Nobelium
This study briefly describes the origin, background and historical evolution of the Nobelium group, through the analysis of a malicious sample, with the aim of providing the necessary information to identify the characteristics of this threat, its behaviour and the techniques used, thus enabling a better identification and response to it.
The detailed technical report was created following a methodology which includes static as well as dynamic analysis of the sample within a controlled environment. By means of tools such as PeStudio, Dnspy and PE-Bear for executables or text editors, such as SublimeText for scripting files; or VirtualBox, InetSim, PolarProxy, Wireshak, IDA Pro and ProcessHacker, it has been possible to observe its impact on a computer, and extract its configuration and most characteristic memory strings, once it was running..
The indicators of compromise (IOC) associated with Nobelium and the Yara rules for detecting malicious samples of this malware are also included.