Hackers are using this new malware that hides between blocks of junk code

Cybersecurity researchers warn that a group with strong links to the Russian state is using new malware as part of its attacks.
Written by Danny Palmer, Senior Writer

A Russian government-backed hacking group linked to the SolarWinds supply chain attack has developed new malware that has been used to conduct attacks against businesses and governments in North America and Europe in a campaign designed to secretly compromise networks, steal information, and lay down foundations for future attacks. 

The attacks also involve the compromise of multiple cloud and managed service providers as part of a campaign designed to enable the hackers to gain access to clients downstream from the vendors in supply chain attacks

The wide-ranging campaign has been detailed by cybersecurity researchers at Mandiant who've linked it to two hacking groups they refer to as UNC3004 and UNC2652.

SEE: A winning strategy for cybersecurity (ZDNet special report) 

Mandiant associates these groups with UNC2452, also known as Nobelium in reports by Microsoft, which is a hacking operation that works on behalf of the Russian Foreign Intelligence Service and was behind the cyberattack against SolarWinds.

However, while each of these hacking operations works out of Russia and appears to share similar goals, researchers can't say for certain that they're all part of one unit. 

"While it is plausible that they are the same group, currently, Mandiant does not have enough evidence to make this determination with high confidence," said the report. 

The newly detailed campaigns include the use of a custom-developed malware downloader, which researchers have called Ceeloader. 

Written in the C programming language, the malware decrypts shellcode payloads to be executed in the memory of the victim's Windows machine, enabling the distribution of further malware. Ceeloader hides from detection with the use of large blocks of junk code that makes the malicious code undetectable to antivirus software.  

"An obfuscation tool has been used to hide the code in Ceeloader in between large blocks of junk code with meaningless calls to the Windows API. The meaningful calls to the Windows API are hidden within obfuscated wrapper functions that decrypt the name of the API and dynamically resolve it before calling," the report said.

It isn't clear how Ceeloader is distributed, but it provides a stealthy gateway for further malicious activity. 

Other tactics that the attackers use include the abuse of the legitimate penetration testing tool Cobalt Strike to place a backdoor on the compromised system, which can be used to execute commands and transfer files, as well as providing a keylogger that can be used to steal usernames and passwords. 

In addition to the deployment of malware, the attackers have compromised targets via cloud services. 

Like other Russia-linked hacking campaigns, these attacks also target remote desktop protocol (RDP) log-in credentials

But no matter how the network was compromised, the organisations under attack appear to align with those targeted in previous campaigns attributed to the Russian state. 

"We have seen this threat actor ultimately target government entities, consulting organisations, and NGOs in North America and Europe who directly have data of interest to the Russian government. In some cases, they first compromised technology solutions, services, and reseller companies in North America and Europe that have access to targets that are of ultimate interest to them," Douglas Bienstock, manager of consulting at Mandiant, told ZDNet.  

For the attackers, targeting cloud service providers via the new and existing methods of compromise detailed by the report remains one of the key methods of compromising a wide range of organisations. By compromising the supplier, they have the potential to gain access to the systems of customers.

SEE: Hackers are turning to this simple technique to install their malware on PCs

Incidents like the SolarWinds supply chain attack attributed to the Russian state, plus cyber-criminal activities like the Kaseya supply chain compromise and ransomware attack, have demonstrated what a powerful tool malware can be for hostile cyber campaigns – which is why cloud providers and their services remain a prominent target. 

"By compromising the environment of a single cloud service provider, the threat actor may be able to access the networks of multiple organisations they are interested in that are customers of that provider. In this way, the threat actor can focus their efforts on a small number of organisations and then reap large rewards," said Bienstock. 

Mandiant researchers say they're aware of a few dozen organisations who've been impacted by campaigns in 2021 and, in cases where they've been compromised by any attackers, steps have been taken to notify them. 

It's expected that the Russia-linked hackers – and other offensive cyber operations – will continue to target organisations, supply chains, and cloud providers around the world. Mandiant has previously released advice on hardening networks against attacks, which includes enforcing multi-factor authentication across all users. 


Editorial standards