Analysis of NOBELIUM (APT29) ISO Drop via HTML Smuggling


2025-02-05

Infection Chain:

  1. Attachment.html -> embedded JavaScript -> victim opens the page -> ISO dropped via drive-by download -> ISO containing an LNK and a DLL -> LNK executes mstu.dll -> rundll32.exe triggers MicrosoftUpdateService -> execution of mstud.dll -> Cobalt Strike C2.

Indicators of Compromise (IOCs):

  • attachment.html (SHA-1: 00291dca1c76adc170df5fc288f4691ecd7dad5d)
  • mstu.dll (SHA-1: bca1177027130c0d6b30a328cff526e882cc8d65)
  • dppy_empty.iso (SHA-1: a97830ae802ce39e27d8744be7d24ab3b93e7c79)
  • information.txt.lnk (SHA-1: a2a36f3594117556fe041ebb902bcbe72a3c5d10)

Practical Commands for Analysis:

1. File Hashing Verification:

Use `sha1sum` to verify file hashes:

```bash
sha1sum attachment.html
sha1sum mstu.dll
sha1sum dppy_empty.iso
sha1sum information.txt.lnk
```

2. Analyzing ISO Files:

Mount the ISO file read-only to inspect its contents without altering the evidence (the mount point must exist first):

```bash
mkdir -p /mnt/iso
sudo mount -o loop,ro dppy_empty.iso /mnt/iso
ls -la /mnt/iso
```

3. Extracting DLL Metadata:

Use `exiftool` to extract metadata from the DLL:

```bash
exiftool mstu.dll
```

4. Monitoring Processes:

Use `ps` and `netstat` to monitor suspicious processes and network connections. Note that `netstat -l` lists only listening sockets, so it is dropped here to show outbound connections, and `-p` (which needs root) attaches the owning process:

```bash
ps aux | grep -i '[r]undll32'          # bracket trick keeps the grep itself out of the output
sudo netstat -tunp | grep -E ':(80|443)\b'   # TCP/UDP sockets talking to port 80 or 443, with PID
```

5. Analyzing LNK Files:

Use `lnkinfo` to analyze the LNK file:

```bash
lnkinfo information.txt.lnk
```

6. CobaltStrike C2 Detection:

Use `grep` to search for CobaltStrike-related strings in memory or files:

```bash
strings mstud.dll | grep -i 'cobaltstrike'
```
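As an added analysis step that is not part of the original post, the following Python carves base64 blobs out of an HTML-smuggling attachment, decodes them, hashes them and checks the SHA-1 against the IOC list above. The sample HTML is constructed, and the magic-byte offsets used for file-type labelling are assumptions, not taken from the real attachment.html.

```python
import base64
import hashlib
import re

# SHA-1 IOCs from the post, keyed by hash so a carved payload can be matched.
KNOWN_IOCS = {
    "00291dca1c76adc170df5fc288f4691ecd7dad5d": "attachment.html",
    "bca1177027130c0d6b30a328cff526e882cc8d65": "mstu.dll",
    "a97830ae802ce39e27d8744be7d24ab3b93e7c79": "dppy_empty.iso",
    "a2a36f3594117556fe041ebb902bcbe72a3c5d10": "information.txt.lnk",
}

# Quoted base64 literals of 64+ chars: the usual shape of a smuggled blob inside the page's script.
_B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{64,}={0,2})['"]""")


def classify(data: bytes) -> str:
    """Label the carved blob by magic bytes (ISO 9660 'CD001' at 0x8001, PE 'MZ', ZIP 'PK')."""
    if len(data) > 0x8005 and data[0x8001:0x8006] == b"CD001":
        return "iso9660"
    if data[:2] == b"MZ":
        return "pe"
    if data[:2] == b"PK":
        return "zip"
    return "unknown"


def carve_smuggled_payloads(html: str) -> list:
    """Decode every large base64 literal in the HTML and report hash, size, type and IOC match."""
    found = []
    for m in _B64_LITERAL.finditer(html):
        try:
            blob = base64.b64decode(m.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError: not real base64, skip it
            continue
        sha1 = hashlib.sha1(blob).hexdigest()
        found.append({"sha1": sha1, "size": len(blob), "type": classify(blob),
                      "ioc_match": KNOWN_IOCS.get(sha1), "data": blob})
    return found


# Constructed sample (not the real attachment): a 64-byte "MZ" stub handed to atob(), the
# decode step an HTML-smuggling page runs before building a Blob and triggering the download.
SAMPLE_PAYLOAD = b"MZ" + bytes(range(62))
SAMPLE_HTML = ("<html><script>\n"
               f"var raw = atob('{base64.b64encode(SAMPLE_PAYLOAD).decode()}');\n"
               "// ... Blob + anchor.click() download logic would follow here ...\n"
               "</script></html>\n")

if __name__ == "__main__":
    for p in carve_smuggled_payloads(SAMPLE_HTML):
        print(f"sha1={p['sha1']} size={p['size']} type={p['type']} ioc={p['ioc_match']}")
```

Run it against a real attachment by reading the file into `carve_smuggled_payloads`; a `sha1` that matches `KNOWN_IOCS` ties the carved blob directly to the dppy_empty.iso sample.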

What Undercode Says:

The NOBELIUM (APT29) attack chain demonstrates the sophistication of modern cyber threats, particularly through HTML smuggling and ISO drops. This technique allows attackers to bypass traditional security measures by embedding malicious payloads in seemingly harmless files. To defend against such attacks, it is crucial to implement robust endpoint detection and response (EDR) solutions, regularly update systems, and educate users about phishing risks.

From a Linux perspective, leveraging command-line tools like `sha1sum`, `exiftool`, and `lnkinfo` can help analysts quickly identify and mitigate threats. Monitoring processes with `ps` and `netstat` can reveal suspicious activities, while `strings` can uncover hidden payloads. Additionally, tools like `Volatility` for memory analysis and `Wireshark` for network traffic inspection are invaluable for deeper investigations.

For further reading on APT29 and related threats, refer to:

  • MITRE ATT&CK Framework
  • CISA Advisory on NOBELIUM
  • Malware Analysis Tools

By combining technical expertise with proactive security measures, organizations can better defend against advanced persistent threats like NOBELIUM.
