APT29/Nobelium Initial Access & ATT&CK Mapping
TA0042: Resource Development
- T1650: Acquire Infrastructure
- T1584: Compromised Infrastructure
- T1587: Develop Capabilities
- T1587.001: Develop Capabilities: Malware
- T1588: Obtain Capabilities
- T1588.002: Obtain Capabilities: Tool
APT29/Nobelium Cobalt Strike C2 setup with custom certificates and redirections (pay attention to how similar the threat actor's communitypowersports[.]com domain is to the genuine sanjosemotosport[.]com).
These domain similarities, and sometimes outright typosquatted SSL domains, are techniques Threat Actors use frequently.
Here you can see how the mod_rewrite redirector works.
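The domain-similarity point above is something a defender can turn into a routine check over new certificate or DNS observations. The helper below is an added example, not code from the page: it refangs indicators, computes an edit distance between the registrable labels to catch typosquats, and separately looks for shared thematic keywords (the keyword list and the extra sample domains are constructed for illustration; the only real domains are the two named on the page).

```python
"""Flag lookalike domains against a watchlist of genuine domains.

Added analysis helper; not code from the page. The keyword list, the extra
candidate domains and the thresholds are assumptions chosen for illustration.
"""
from typing import Dict, List, Set

# Thematic keywords an analyst might track for a motorsport-sector target (assumption).
KEYWORDS: Set[str] = {"moto", "sport", "power", "racing"}


def refang(domain: str) -> str:
    """Turn a defanged indicator such as example[.]com back into example.com."""
    return domain.replace("[.]", ".").replace("(.)", ".").strip().lower()


def registrable_label(domain: str) -> str:
    """Return the label left of the TLD, naively (assumes a single-label TLD)."""
    parts = refang(domain).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance using a two-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def shared_keywords(candidate: str, genuine: str, keywords: Set[str] = KEYWORDS) -> Set[str]:
    """Keywords present in both registrable labels (thematic, rather than typosquat, similarity)."""
    c, g = registrable_label(candidate), registrable_label(genuine)
    return {k for k in keywords if k in c and k in g}


def score(candidate: str, genuine: str) -> Dict[str, object]:
    """Summarise how close a candidate domain is to one genuine domain."""
    c, g = registrable_label(candidate), registrable_label(genuine)
    return {
        "candidate": refang(candidate),
        "genuine": refang(genuine),
        "edit_distance": levenshtein(c, g),
        "shared_keywords": sorted(shared_keywords(candidate, genuine)),
    }


def flag_lookalikes(candidates: List[str], watchlist: List[str],
                    max_distance: int = 2) -> List[Dict[str, object]]:
    """Return every (candidate, genuine) pair that is a near-typosquat or shares a tracked keyword."""
    hits = []
    for cand in candidates:
        for genuine in watchlist:
            s = score(cand, genuine)
            if s["candidate"] == s["genuine"]:
                continue  # the genuine domain itself is not a lookalike
            if s["edit_distance"] <= max_distance or s["shared_keywords"]:
                hits.append(s)
    return hits


# Constructed sample feed: the two domains named on the page, an invented
# typosquat, the genuine domain itself and an unrelated domain.
WATCHLIST = ["sanjosemotosport[.]com"]
CANDIDATES = [
    "communitypowersports[.]com",
    "sanjosemotosports[.]com",
    "sanjosemotosport[.]com",
    "example[.]org",
]

if __name__ == "__main__":
    for hit in flag_lookalikes(CANDIDATES, WATCHLIST):
        print(hit)
```

The edit-distance branch catches one- or two-character typosquats; the keyword branch is what surfaces a pair like communitypowersports[.]com and sanjosemotosport[.]com, which share a theme rather than a spelling, so tune the keyword list to the sector of the organisation you defend.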
Initial Access attack analysis: the HTML dropper (EnvyScout) used by Russian APT29/Nobelium in recent campaigns.
EnvyScout uses a technique known as HTML smuggling to deliver an IMG/ISO file to the targeted systems (in the recent campaign, the embedded data block can be decoded by subtracting 4 from each byte).
After decoding you will find an ISO file that contains SnowyAmber, which executes via rundll32.exe and communicates with the Notion API as its C2.
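For an analyst triaging such a dropper, the decoding step above is easy to reproduce offline. The script below is an added example, not the page's or any vendor's code: it pulls the obfuscated block out of the HTML, reverses the subtract-4 obfuscation, and checks whether the result carries the ISO 9660 signature (`CD001` at offset 0x8001) before hashing it for further lookup. The variable name it searches for and the base64 wrapper around the block are assumptions; the sample HTML is constructed in the script itself.

```python
"""Recover a subtract-4 obfuscated payload from an HTML smuggling dropper
and check whether it is an ISO 9660 image.

Added analysis helper; not code from the page. The JavaScript variable
pattern and the base64 wrapper are assumptions about how the block is carried.
"""
import base64
import hashlib
import re
from typing import Dict, Optional

ISO_MAGIC = b"CD001"
ISO_MAGIC_OFFSET = 0x8001  # identifier of the primary volume descriptor (sector 16, byte 1)

# Assumption: the smuggled block sits in a JS string literal assigned with `var`.
BLOCK_RE = re.compile(r'var\s+\w+\s*=\s*"([A-Za-z0-9+/=]+)"')


def decode_sub4(blob: bytes) -> bytes:
    """Undo the obfuscation: each stored byte is (original + 4) mod 256."""
    return bytes((b - 4) % 256 for b in blob)


def looks_like_iso(data: bytes) -> bool:
    """True when the ISO 9660 volume descriptor signature is where it should be."""
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC


def extract_payload(html: str) -> Optional[Dict[str, object]]:
    """Locate, decode and classify the smuggled block; None if no block is found."""
    match = BLOCK_RE.search(html)
    if match is None:
        return None
    raw = base64.b64decode(match.group(1))
    decoded = decode_sub4(raw)
    return {
        "size": len(decoded),
        "is_iso": looks_like_iso(decoded),
        "sha256": hashlib.sha256(decoded).hexdigest(),  # for reputation lookups
    }


def build_sample_html() -> str:
    """Constructed sample: a minimal ISO-shaped blob, obfuscated with +4 and base64-wrapped."""
    iso = bytearray(ISO_MAGIC_OFFSET + 64)
    iso[ISO_MAGIC_OFFSET - 1] = 1  # volume descriptor type 1 = primary
    iso[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] = ISO_MAGIC
    obfuscated = bytes((b + 4) % 256 for b in iso)
    return ('<html><script>var payload = "'
            + base64.b64encode(obfuscated).decode("ascii")
            + '";</script></html>')


if __name__ == "__main__":
    print(extract_payload(build_sample_html()))
```

Run against a real sample, a `size` of a few hundred kilobytes with `is_iso` true is the expected shape; if `is_iso` is false, try the other arithmetic or XOR variants before assuming the block is something else, since the offset used in a campaign changes from wave to wave.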
- T1566: Phishing
- T1566.001: Spearphishing Attachment
- T1566.002: Spearphishing Link
- T1204: User Execution