
The Nobelium hacking group continues to breach government and enterprise networks worldwide by targeting their cloud and managed service providers and using a new custom "Ceeloader" malware.

Nobelium is Microsoft's name for the threat actor behind last year's SolarWinds supply-chain attack that led to the compromise of several US federal agencies. This group is believed to be the hacking division of the Russian Foreign Intelligence Service (SVR), commonly known as APT29, The Dukes, or Cozy Bear.

While Nobelium is an advanced hacking group using custom malware and tools, they still leave traces of activity that researchers can use to analyze their attacks.

In a new report from Mandiant, researchers used this activity to uncover the tactics, techniques, and procedures (TTPs) used by the hacking group, as well as a new custom downloader called "Ceeloader."

Furthermore, the researchers break Nobelium into two distinct clusters of activity attributed to UNC3004 and UNC2652, which could mean that Nobelium is two cooperating hacking groups.

Supply chain attack

Based on the activity seen by Mandiant, the Nobelium actors continue to breach cloud providers and MSPs as a way to gain initial access to the network environments of their downstream customers.

"In at least one instance, the threat actor identified and compromised a local VPN account and made use of this VPN account to perform reconnaissance and gain further access to internal resources within the victim CSP's environment, which ultimately led to the compromise of internal domain accounts," explained Mandiant.

In at least one other breach, the hacking group used the CRYPTBOT password-stealing malware to steal valid session tokens used to authenticate to the victim's Microsoft 365 environment.

It is noteworthy that Nobelium compromises multiple accounts within a single environment, using each of them for separate functions, thus not risking the entire operation in the case of exposure.

"The threat actors leveraged compromised privileged accounts and used SMB, remote WMI, remote scheduled tasks registration, and PowerShell to execute commands within victim environments." - Mandiant

"The threat actor used the protocols mainly to perform reconnaissance, distribute beacons (Cobalt Strike) around the network, as well as run native Windows commands for credential harvesting."

A new custom "Ceeloader" malware

Nobelium is known for its development and use of custom malware that allows backdoor access to networks, the downloading of further malware, network tracing, NTLM credential theft, and other malicious behavior.

Mandiant has discovered a new custom downloader called "Ceeloader" that is written in C and supports the execution of shellcode payloads directly in memory.

The malware is heavily obfuscated, and mixes calls to the Windows API with large blocks of junk code to evade detection by security software.

Ceeloader communicates with its command-and-control (C2) server over HTTP, and the C2 response is encrypted with AES-256 in CBC mode, which the downloader decrypts before use.
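The practical consequence for an analyst is that once the key and IV are recovered from a sample, captured C2 responses can be decrypted offline. The following Go program is an added example, not code from the Mandiant report or from the malware: it implements AES-256-CBC decryption with PKCS#7 unpadding and the matching encryption routine used only to construct the sample response. The key, IV, sample plaintext, and the assumption that the responses are PKCS#7-padded are all constructed for the example; the report does not describe Ceeloader's padding or IV handling.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// padPKCS7 pads b to a multiple of the AES block size (assumed padding scheme).
func padPKCS7(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// unpadPKCS7 strips PKCS#7 padding and rejects malformed padding instead of
// silently returning garbage, which is what a careless decryptor would do.
func unpadPKCS7(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext length is not a multiple of the block size")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("invalid padding length")
	}
	for _, p := range b[len(b)-n:] {
		if int(p) != n {
			return nil, errors.New("invalid padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// decryptC2Response decrypts a captured AES-256-CBC response using the key and
// IV recovered from the sample. It validates every length before touching the
// cipher so a truncated capture is reported rather than partially decrypted.
func decryptC2Response(key, iv, ciphertext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	if len(iv) != aes.BlockSize {
		return nil, errors.New("IV must be one AES block")
	}
	if len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block-aligned (truncated capture?)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	plain := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ciphertext)
	return unpadPKCS7(plain)
}

// encryptC2Response is the server side of the same scheme; it exists here only
// to build the constructed sample response for the example.
func encryptC2Response(key, iv, plaintext []byte) ([]byte, error) {
	if len(key) != 32 || len(iv) != aes.BlockSize {
		return nil, errors.New("bad key or IV length")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := padPKCS7(plaintext)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

func main() {
	// Constructed key and IV standing in for values recovered from a sample.
	key := bytes.Repeat([]byte{0x41}, 32)
	iv := bytes.Repeat([]byte{0x42}, aes.BlockSize)
	// Constructed "second-stage" payload; a real response would carry shellcode.
	stage := []byte("constructed second-stage payload for the example")

	captured, err := encryptC2Response(key, iv, stage)
	if err != nil {
		panic(err)
	}
	recovered, err := decryptC2Response(key, iv, captured)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted %d bytes: %q\n", len(recovered), recovered)

	// A truncated capture is rejected up front instead of producing garbage.
	if _, err := decryptC2Response(key, iv, captured[:len(captured)-3]); err != nil {
		fmt.Println("truncated capture rejected:", err)
	}
}
```

The padding check matters in practice: with the wrong key or a corrupted capture, CBC decryption still produces output, and only the padding validation tells you the result is not a real payload.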

The custom Ceeloader downloader is installed and executed by a Cobalt Strike beacon as needed and includes no persistence mechanism of its own, so it does not automatically run when Windows starts.

Nobelium has used numerous custom malware strains in the past, specifically during the SolarWinds attacks and in a phishing attack against the United States Agency for International Development (USAID).

Multiple hiding tricks

To hamper attempts at tracing the attacks, Nobelium uses residential IP addresses (proxies), Tor, VPS (virtual private servers), and VPNs (virtual private networks) to access the victim's environment.

In some cases, Mandiant identified compromised WordPress sites used to host second-stage payloads that are fetched and launched into memory by Ceeloader.

Finally, the actors used legitimate Microsoft Azure-hosted systems with IP addresses in close geographic proximity to the victim's network.

This approach blends the external activity in with the victim's internal traffic, making the malicious activity less likely to be detected and harder to analyze.

Nobelium still active

Mandiant warns that the activity of Nobelium is heavily focused on the collection of intelligence, as the researchers saw evidence of the hackers exfiltrating documents that are of political interest to Russia.

Microsoft has previously linked UNC2652 and UNC3004 to UNC2452, the group responsible for the SolarWinds supply chain attack, so it's plausible that they are all under the same "Nobelium" umbrella.

However, Mandiant underlines that there is insufficient evidence to attribute this with high confidence.

What matters for defenders is that hackers are still leveraging third parties and trusted vendors like CSPs to infiltrate valuable target networks, so organizations must remain vigilant, constantly consider new IOCs, and keep their systems up to date.

Mandiant has updated the UNC2452 whitepaper on that front with all new TTPs observed in the 2021 campaigns.
