SolarWinds Hackers Spread NativeZone Backdoor

Microsoft said the Russian hacker group behind the SolarWinds attack has attacked the US Agency for International Development. Hackers used the NativeZone backdoor and four new malware families in the campaign.

The researchers attribute the discovered attacks to the Russian-speaking hack group APT29 (aka Cozy Bear, Dukes, Nobelium), which, according to experts, operates under the auspices of the Russian authorities.

Researchers report that the hackers compromised the agency's account with the Constant Contact email marketing service and then used that account to impersonate agency representatives in phishing emails that appeared to be authentic.

[Image: example of a malicious email]

In total, the attackers sent such messages to approximately 3,000 accounts in more than 150 different organizations, including government agencies and organizations involved in international development, humanitarian and human rights activities. The last wave of these attacks began on January 28, 2021, and intensified markedly on May 25.

"Nobelium, originating from Russia, is the same actor behind the attacks on SolarWinds customers in 2020. These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts," Microsoft's specialists write.

Some of the phishing emails contained a link that, when clicked, delivered a malicious ICA-declass.iso file, which was used to deploy a Cobalt Strike beacon dubbed NativeZone (Documents.dll). This backdoor can be used for persistent access to the system, lateral movement, data exfiltration and the installation of additional malware.
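The delivery chain above (an ISO is mounted, then a DLL is loaded from the mounted volume) is something a defender can correlate in endpoint telemetry. The following is an added example, not code from the article or from Microsoft's report; the event records, their field names and the five-minute window are constructed assumptions, and the file names come from the article.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the article): an ISO mount followed
# shortly by a DLL load from the new volume, plus an unrelated benign DLL load.
SAMPLE_EVENTS = [
    {"ts": "2021-05-25T10:01:00", "host": "ws1", "type": "file_mount",
     "path": "C:\\Users\\a\\Downloads\\ICA-declass.iso", "mount": "E:\\"},
    {"ts": "2021-05-25T10:01:30", "host": "ws1", "type": "image_load",
     "process": "rundll32.exe", "image": "E:\\Documents.dll"},
    {"ts": "2021-05-25T11:00:00", "host": "ws2", "type": "image_load",
     "process": "explorer.exe", "image": "C:\\Windows\\System32\\shell32.dll"},
]

WINDOW = timedelta(minutes=5)  # assumed correlation window


def parse_ts(s):
    return datetime.fromisoformat(s)


def find_iso_dll_chains(events, window=WINDOW):
    """Return (mount_event, load_event) pairs where a DLL was loaded from a
    volume created by mounting an .iso on the same host within `window`."""
    mounts = [e for e in events
              if e["type"] == "file_mount" and e["path"].lower().endswith(".iso")]
    hits = []
    for load in events:
        if load["type"] != "image_load" or not load["image"].lower().endswith(".dll"):
            continue
        for m in mounts:
            same_host = m["host"] == load["host"]
            on_iso_volume = load["image"].upper().startswith(m["mount"].upper())
            elapsed = parse_ts(load["ts"]) - parse_ts(m["ts"])
            if same_host and on_iso_volume and timedelta(0) <= elapsed <= window:
                hits.append((m, load))
    return hits


if __name__ == "__main__":
    for mount, load in find_iso_dll_chains(SAMPLE_EVENTS):
        print(f"{load['host']}: {load['process']} loaded {load['image']} "
              f"from ISO {mount['path']}")
```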

If the victim's device ran iOS, it was instead redirected to another remote server hosting an exploit for the zero-day vulnerability CVE-2021-1879. Apple patched this flaw at the end of March, acknowledging that it may have been actively exploited.


Microsoft also released details on four new malware families used by Nobelium in these attacks: an HTML attachment called EnvyScout, the BoomBox downloader, the NativeZone backdoor downloader, and VaporRage, a tool designed to download and run shellcode.

As a reminder, we previously reported that Chinese hackers also took part in attacks on SolarWinds clients, and that the SolarWinds attack gave hackers access to Trump administration officials' accounts.


Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
