Pulse: NobleBaron New Poisoned Installers Could Be Used In Supply Chain Attacks
WHITE | Adversary: APT29 | Author: AlienVault | Created: 2021-06-01 | Modified: 2021-07-01
24 IOCs | Medium volume
Nobelium is suspected to be the new face of APT29 (aka The Dukes). We track this activity under the name ‘NobleBaron’. This campaign employs a convoluted multi-stage infection chain, five to six layers deep. Most custom downloaders leverage Cobalt Strike Beacon in-memory as a mechanism to drop more elusive payloads on select victims. This report focuses on NobleBaron’s ‘DLL_stageless’ downloaders (aka NativeZone). SentinelLabs has discovered the use of one of these DLL_stageless downloaders as part of a poisoned update installer for electronic keys used by the Ukrainian government.
MITRE ATT&CK & Malware Families
ATT&CK techniques: none listed in this pulse
Malware families: Cobalt Strike
Indicators of Compromise (2 of 24 total shown)
Indicator types present in the pulse: FileHash-MD5, FileHash-SHA256, FileHash-SHA1, domain, hostname

TYPE      INDICATOR                    DESCRIPTION  CREATED
hostname  74d6b7b2.app.giftbox4u.com   (none)       2021-06-01
hostname  content.pcmsar.net           (none)       2021-06-01