PULSE DETAIL
NobleBaron New Poisoned Installers Could Be Used In Supply Chain Attacks
Nobelium is suspected to be the new face of APT29 (aka The Dukes). We track this activity under the name ‘NobleBaron’.
This campaign employs a convoluted multi-stage infection chain, five to six layers deep. Most custom downloaders leverage Cobalt Strike Beacon in-memory as a mechanism to drop more elusive payloads on select victims. This report focuses on NobleBaron’s ‘DLL_stageless’ downloaders (aka NativeZone). SentinelLabs has discovered the use of one of these DLL_stageless downloaders as part of a poisoned update installer for electronic keys used by the Ukrainian government.
Indicators of Compromise (24)
| TYPE | INDICATOR | DESCRIPTION | CREATED |
|---|---|---|---|
| FileHash-MD5 | 600aceaddb22b9a1d6ae374ba7fc28c5 | MD5 of 19a751ff6c5abd8e209f72add9cd35dd8e3af409 | 2021-06-01 |
| FileHash-MD5 | 66534e53d8751a24a767221fed01268d | MD5 of fc781887fd0579044bbf783e6c408eb0eea43485 | 2021-06-01 |
| FileHash-MD5 | 77605aa6bd6fb890b9b823bd7a3cc78b | MD5 of 6114655cf8ddfd115156a1c450ba01e31887fabb | 2021-06-01 |
| FileHash-MD5 | 8ece22e6b6e564e3cbfb190bcbd5d3b9 | MD5 of 95227f426d8c3f51d4b9a044254e67a75b655d6a | 2021-06-01 |
| FileHash-MD5 | e55d9f6300fa32458b909fded48ec2c9 | — | 2021-06-01 |
| FileHash-MD5 | d0ec86f1fdb257db40a7baaae6ad5d4c | MD5 of ca66b671a75bbee69a4a4d3000b45d5dc7d3891c7ee5891272ccb2c5aed5746c | 2021-06-01 |
| FileHash-SHA256 | 2a352380d61e89c89f03f4008044241a38751284995d000c73acf9cad38b989e | SHA256 of 6114655cf8ddfd115156a1c450ba01e31887fabb | 2021-06-01 |
| FileHash-SHA256 | 3b94cc71c325f9068105b9e7d5c9667b1de2bde85b7abc5b29ff649fd54715c4 | SHA256 of fc781887fd0579044bbf783e6c408eb0eea43485 | 2021-06-01 |
| FileHash-SHA256 | 51b47cd3fc139e20c21897a00ac4e3b096380f939633233116514a1f2d9e63d5 | — | 2021-06-01 |
| FileHash-SHA256 | 5a9c48f49ab8eaf487cf57d45bf755d2e332d60180b80f1f20297b16a61aa984 | — | 2021-06-01 |
| FileHash-SHA256 | 776014a63bf3cc7034bd5b6a9c36c75a930b59182fe232535bb7a305e539967b | — | 2021-06-01 |
| FileHash-SHA256 | a4f1f09a2b9bc87de90891da6c0fca28e2f88fd67034648060cef9862af9a3bf | SHA256 of 19a751ff6c5abd8e209f72add9cd35dd8e3af409 | 2021-06-01 |
| FileHash-SHA256 | c4ff632696ec6e406388e1d42421b3cd3b5f79dcb2df67e2022d961d5f5a9e78 | SHA256 of 95227f426d8c3f51d4b9a044254e67a75b655d6a | 2021-06-01 |
| FileHash-SHA256 | ca66b671a75bbee69a4a4d3000b45d5dc7d3891c7ee5891272ccb2c5aed5746c | — | 2021-06-01 |
| FileHash-SHA1 | 19a751ff6c5abd8e209f72add9cd35dd8e3af409 | — | 2021-06-01 |
| FileHash-SHA1 | 247a32ebee0595605bab77fc6ff619f66740310b | — | 2021-06-01 |
| FileHash-SHA1 | 6114655cf8ddfd115156a1c450ba01e31887fabb | — | 2021-06-01 |
| FileHash-SHA1 | 95227f426d8c3f51d4b9a044254e67a75b655d6a | — | 2021-06-01 |
| FileHash-SHA1 | fc781887fd0579044bbf783e6c408eb0eea43485 | — | 2021-06-01 |
| FileHash-SHA1 | c9664713467821b2fe228652396045418a72d264 | SHA1 of ca66b671a75bbee69a4a4d3000b45d5dc7d3891c7ee5891272ccb2c5aed5746c | 2021-06-01 |
| domain | doggroomingnews.com | Registered=07/12/2015 Registrar=NameSilo, LLC NS=ns1.dnsowl.com | 2021-06-01 |
| domain | hanproud.com | Registered=04/16/2017 Registrar=NameSilo, LLC NS=ns1.dnsowl.com | 2021-06-01 |
| hostname | 74d6b7b2.app.giftbox4u.com | — | 2021-06-01 |
| hostname | content.pcmsar.net | — | 2021-06-01 |