With the Russian state-sponsored actor Nobelium running high-profile, targeted espionage campaigns, Binary Defense has reviewed the breakdown of the attacks and every phase of the attack chain. These targeted, customized attacks were and are being detected by Binary Defense MDR without any detection updates. Because the platform relies on behavior-based detections rather than indicators, the methods used by this actor are identified at multiple phases of the attack chain used to compromise victims.
This campaign is particularly interesting because it delivers the payload inside an ISO image that the victim mounts, a technique used to evade detections (files inside a mounted image do not carry the Mark-of-the-Web that the downloaded ISO itself receives, so download-time scanning and warning prompts are sidestepped). In addition, there was no use of PowerShell, which we typically see from this actor; instead it relied primarily on Living off the Land binaries (native Windows binaries) to execute code and to download additional pieces of malicious code.
During initial execution of the payload, NV.lnk, delivered to the victim's machine inside the ISO, would be identified as a Suspicious Executable in Directories, with the contents of the LNK file sent as part of the alarm. The contents of the LNK file:
When the shortcut is executed, the Living off the Land binary rundll32.exe is used to run BOOM.exe in an attempt to disguise the malware's execution. rundll32.exe is commonly abused to proxy the execution of attacker-controlled code through a signed Windows binary and was notoriously used in the NotPetya ransomware outbreak (which launched its perfc.dat payload via rundll32.exe). Binary Defense MDR detects this technique: it would trigger an additional Suspicious Processes with Network Connections alarm and would be identified immediately upon execution.
Upon successful execution, persistence hooks are placed on the system so that the malicious software survives a reboot:
This is identified and alarmed to the security operations center as a persistence hook. A second rundll32.exe is then executed to download an additional DLL, and it is also identified as Suspicious Processes with Network Connections:
There are additional post-exploitation detections around the Cobalt Strike payload that is eventually loaded, including process injection and a number of other detections throughout the kill chain.
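To make the behavioral logic described above concrete, the following is an added example (not Binary Defense's detection content or the actor's tooling) that replays the LNK → rundll32 → persistence → second rundll32 → injection chain over constructed endpoint telemetry and raises the same four classes of alarm. The event shape, drive letter, registry value name, stage-2 DLL path and PIDs are all assumptions chosen for illustration; only the rundll32.exe and BOOM.exe names come from the post.

```python
"""Behavior-based triage of a constructed LNK -> rundll32 attack chain (added example)."""
import re
from dataclasses import dataclass

SYSTEM_DRIVE = "C:"
# Signed Windows binaries commonly abused to proxy execution of attacker-controlled code
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "msiexec.exe"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


@dataclass
class Event:
    """One normalized endpoint event. Field usage depends on `kind` (assumed schema)."""
    kind: str            # process | netconn | registry | remote_thread
    pid: int
    image: str = ""      # full path of the acting process
    parent_image: str = ""
    cmdline: str = ""
    remote: str = ""     # netconn: remote ip:port
    target: str = ""     # registry: value path; remote_thread: target process image
    data: str = ""       # registry: value data written


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def offsystem_paths(text: str) -> list:
    """Every X:\\... path in `text` that does not live on the system drive
    (a mounted ISO or removable media shows up as a different drive letter)."""
    paths = re.findall(r'[A-Za-z]:\\[^\s",]+', text)
    return [p for p in paths if p[:2].upper() != SYSTEM_DRIVE]


def triage(events: list) -> list:
    """Return (alarm_name, pid, detail) tuples for the behaviors in the post."""
    alarms = []
    lolbin_pids = {}  # pid -> basename, filled as LOLBin processes start
    for ev in events:
        if ev.kind == "process":
            img = basename(ev.image)
            if img not in LOLBINS:
                continue
            lolbin_pids[ev.pid] = img
            # A LOLBin spawned by explorer (i.e. a double-clicked shortcut) with its
            # payload on a non-system drive: the mounted-ISO delivery pattern.
            payloads = offsystem_paths(ev.cmdline)
            if payloads and basename(ev.parent_image) == "explorer.exe":
                alarms.append(("Suspicious Executable in Directories", ev.pid,
                               f"{img} launched by explorer with payload {payloads}"))
        elif ev.kind == "netconn" and ev.pid in lolbin_pids:
            alarms.append(("Suspicious Processes with Network Connections", ev.pid,
                           f"{lolbin_pids[ev.pid]} -> {ev.remote}"))
        elif ev.kind == "registry" and RUN_KEY.search(ev.target):
            # Run-key persistence that re-launches a LOLBin or an off-system payload
            if any(b in ev.data.lower() for b in LOLBINS) or offsystem_paths(ev.data):
                alarms.append(("Persistence Hook", ev.pid, f"{ev.target} = {ev.data}"))
        elif ev.kind == "remote_thread" and ev.pid in lolbin_pids:
            # A LOLBin creating a thread in another process: post-exploitation injection
            alarms.append(("Process Injection", ev.pid,
                           f"{lolbin_pids[ev.pid]} -> {basename(ev.target)}"))
    return alarms


# Constructed telemetry, not a real capture. D: is assumed to be the mounted ISO.
SAMPLE = [
    Event("process", 4120, image=r"C:\Windows\explorer.exe",
          parent_image=r"C:\Windows\System32\userinit.exe"),
    # NV.lnk double-clicked: explorer spawns rundll32 pointing at BOOM.exe on the ISO
    Event("process", 5232, image=r"C:\Windows\System32\rundll32.exe",
          parent_image=r"C:\Windows\explorer.exe",
          cmdline=r'"C:\Windows\System32\rundll32.exe" D:\BOOM.exe'),
    # Benign control: a Control Panel applet via rundll32, payload on the system drive
    Event("process", 7001, image=r"C:\Windows\System32\rundll32.exe",
          parent_image=r"C:\Windows\explorer.exe",
          cmdline=r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    Event("netconn", 5232, remote="203.0.113.10:443"),
    Event("registry", 5232,
          target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
          data=r"rundll32.exe C:\Users\victim\AppData\Local\Temp\stage2.dll,Start"),
    # Second rundll32 fetching the next DLL
    Event("process", 6010, image=r"C:\Windows\System32\rundll32.exe",
          parent_image=r"C:\Windows\System32\rundll32.exe",
          cmdline=r"rundll32.exe C:\Users\victim\AppData\Local\Temp\stage2.dll,Start"),
    Event("netconn", 6010, remote="203.0.113.10:443"),
    Event("remote_thread", 6010, target=r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for name, pid, detail in triage(SAMPLE):
        print(f"[{name}] pid={pid} {detail}")
```

The benign rundll32 event is there on purpose: the proxy-execution check keys on the combination of parent, payload location and later behavior, not on rundll32.exe alone, which is the difference between a behavioral detection and an indicator match. A production rule would additionally baseline legitimate rundll32 network activity and ISO mounts per environment.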
We wanted to provide our customers with a detailed breakdown of the latest Russian state-sponsored activity, and we continually review for gaps in detection and for ways to improve our ability to detect these types of attacks. In this specific event, Binary Defense MDR has a high level of coverage across all phases of the attack without any modifications to the detections. We remain vigilant and committed to protecting our customers and to staying ahead of the attacker landscape.