<img height="1" width="1" style="display:none;" alt="" src="https://dc.ads.linkedin.com/collect/?pid=179060&amp;fmt=gif">

Minerva Labs Blog

News & Reports

SolarWind Attackers Launch New Wave Of Phishing Attacks

A new wave of NOBELIUM attacks has been reported by Microsoft. NOBELIUM is the same threat actor Microsoft attributed the SolarWinds attack to, a Russian based group attacking mostly US-based government and corporate networks. According to the report, the latest attacks came in the form of phishing emails disguised as official mail from the USAID government agency.
The hack begins when a user clicks on an LNK file attached to the phishing email. Upon execution it spawns a process, using either the default windows binary rundll32.exe or cmd.exe to load the actual malware into memory. After this chain of events, the malware drops and executes a malicious loader, dubbed NativeZone by Microsoft, that is responsible for executing shellcode it receives either from an embedded buffer or a remote server via HTTP. The content of the shellcode is reported to be a Cobalt Strike beacon.

Before executing the shellcode, this pernicious backdoor queried for the existence of various VBox and VMware artifacts on the machine. This is a common method used by malware to thwart analysis attempts. It is not the first time NOBELIUM used these types of evasion techniques. The SolarWind backdoor has reportedly queried periodically for analysis tools by process name and would not connect back to its C&C server upon finding such a process. The artifacts queried by NativeZone are shown in Figure 1, taken from Microsoft’s blog.

Figure 1

Loader checks if the victim system is VMware

Stopping malware based on evasive behavior is exactly what Minerva does. By simulating a hostile environment we use the malware code against itself, causing it to self-destruct. That is exactly what happened to the NativeZone backdoor when executed against our product:

Minerva Labs Blocks the Nobelium ransomware



For a full demo of Minerva Lab's anti-ransomware platform, contact us using the form below.


Interested in Minerva? Request a Demo Below

Stay Informed

Sign up for the Minerva newsletter and stay on top of the latest cybersecurity news.


see all