APT 29 Initial Access Killchain -MITRE ATT@CK Mapping

Michael Koczwara
3 min readMay 23, 2023
Cozy Bear

APT29/Nobelium Initial Access & ATT@CK Mapping

TA0042: Resource Development

  • T1650: Aquire Infrastructure
  • T1584: Compromised Infrastructure
  • T1587: Develop Capabilities
  • T1587.001: Develop Capabilities: Malware
  • T1588: Obtain Capabilities
  • T1588.002: Obtain Capabilities: Tool

APT29/Nobelium Cobalt Strike C2 setup with custom certificates and redirections (Pay attention to how similar threat actor communitypowersports[.]com domain is to the genuine sanjosemotosport[.]com).

These domain similarities or sometimes typosquatting SSL domains are techniques used frequently by Threat Actors.

APT29/Nobelium Cobalt Strike C2 redirector setup

Here you can see how the mode rewrite redirector works.

Cobalt Strike C2 mode rewrite setup

Initial Access Attack Analysis HTML (EnvyScout) dropper used by Russian APT29/Nobelium in recent campaigns.

EnvyScout uses a technique known as HTML smuggling to deliver an IMG/ISO file to the targeted systems (data block that can be decoded by subtracting 4 in the recent campaign).

After decoding you will find an ISO file inside that contains SnowyAmber that executes via rundll32.exe and communicate to Notion API as a C2.

Initial Access

  • T1566: Phishing
  • T1566.001: Spearphishing Attachment
  • T1566.002: Spearphishing Link
ISO File containing SnowyAmber
Compromised website

Execution

  • T1204: User Execution

--

--