One year after the notorious and far-reaching SolarWinds supply-chain attacks, its orchestrators are on the offensive again. Researchers said they’ve seen the threat group – which Microsoft refers to as “Nobelium” and which is linked to Russia’s spy agency – compromising global business and government targets with novel tactics and custom malware, stealing data and moving laterally across networks. Researchers from Mandiant have identified two distinct clusters of activity that can be “plausibly” attributed to the threat group, which they track as UNC2452, they said in a report published Monday. Mandiant has tracked the latest activity as UNC3004 and UNC2652 since last year and throughout 2021, observing the compromise of a range of companies that provide technology solutions, cloud and other services, as well as resellers, they said.

Indeed, resellers were the target of a campaign by Nobelium that Microsoft revealed in October, in which the group was seen using credential-stuffing and phishing, as well as API abuse and token theft, to gather legitimate account credentials and privileged access to reseller networks. The ultimate goal of this campaign seemed to be to reach downstream customer networks, researchers said at the time. Nobelium also engaged in credential theft in April using a backdoor called FoggyWeb to attack Active Directory servers, Microsoft revealed in September. In the latest clusters observed by Mandiant, stolen credentials also facilitated initial access to the targeted organizations. However, researchers believe the threat actors acquired the credentials from an info-stealer malware campaign run by a third party rather than one of their own, they said.

Novel Malware and Activity

Attackers have added a number of novel tactics, techniques and procedures (TTPs) to bypass security restrictions within environments, including the extraction of virtual machines to determine internal routing configurations, researchers wrote. They also have new malware in their arsenal: a new, bespoke downloader that researchers have called Ceeloader. A Cobalt Strike beacon installs and executes Ceeloader, which itself does not have persistence and so can’t run automatically when Windows is started. The malware, which is heavily obfuscated, is written in C and can execute shellcode payloads directly in memory, they wrote. The malware can evade security protections, however, by mixing calls to the Windows API with large blocks of useless code, researchers said.