Ceeloader Malware

Ceeloader Malware Description

The Nobelium APT (Advanced Persistent Threat) group remains active on the cyber-espionage landscape, and its latest activities were revealed by infosec researchers. According to the findings, Nobelium is still targeting cloud providers and MSPs (Managed Service Providers) as a means of gaining initial access to the internal networks of its true targets. The researchers also note that the cybergang continues to introduce new custom-made malware threats, this time in the form of a new downloader named Ceeloader.

Custom Malware

The threat is written in C and can execute shellcode payloads in memory without writing them to disk. To communicate with its Command-and-Control (C2, C&C) server, the threat uses HTTP, while the incoming traffic is encrypted with AES-256 in CBC mode. Ceeloader is deployed to compromised systems via a Cobalt Strike beacon and doesn't establish any persistence mechanism of its own. Its main task is to fetch and deploy the next-stage payloads of the attack.
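A triage heuristic built on the two traffic properties described above (plain HTTP carrying AES-CBC ciphertext), as an added example that is not from the original page or the researchers' findings: CBC output is always a multiple of 16 bytes and looks statistically random, so large, block-aligned, high-entropy HTTP response bodies deserve a second look. The record fields, thresholds and sample data are assumptions, as is the premise that the response body is ciphertext with no extra framing.

```python
import hashlib
import math
from collections import Counter

AES_BLOCK = 16           # AES block size; CBC ciphertext length is always a multiple of it
MIN_LEN = 1024           # assumed floor: entropy estimates on tiny bodies are unreliable
ENTROPY_MIN = 7.5        # assumed threshold, in bits per byte (maximum is 8.0)
COMPRESSED = {"gzip", "deflate", "br"}  # declared compression is also high entropy

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_like_cbc_blob(body: bytes, content_encoding: str = "") -> bool:
    """True for large, block-aligned, random-looking bodies with no declared compression."""
    if content_encoding.lower() in COMPRESSED:
        return False
    if len(body) < MIN_LEN or len(body) % AES_BLOCK != 0:
        return False
    return shannon_entropy(body) >= ENTROPY_MIN

def triage(responses):
    """Return URLs of cleartext-HTTP responses whose bodies match the heuristic."""
    return [r["url"] for r in responses
            if r["url"].startswith("http://")
            and looks_like_cbc_blob(r["body"], r.get("content_encoding", ""))]

# Constructed sample data: a hash-derived byte stream stands in for ciphertext.
BLOB = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
SAMPLE = [
    {"url": "http://cdn.example.test/a", "body": BLOB},                      # aligned, random
    {"url": "http://www.example.test/", "body": b"<p>status ok</p>" * 128},  # aligned, low entropy
    {"url": "http://img.example.test/b", "body": BLOB + b"\x00"},            # not block-aligned
    {"url": "http://api.example.test/c", "body": BLOB, "content_encoding": "gzip"},
]

if __name__ == "__main__":
    for url in triage(SAMPLE):
        print("review:", url)
```

Matches are leads rather than verdicts: other encrypted downloads, or compressed content served without a Content-Encoding header, satisfy the same checks, so correlate hits with the destination's reputation and the requesting process.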

Evasion Techniques

To make detection that much harder, Ceeloader is heavily obfuscated. The calls it makes to the Windows API are interspersed with large chunks of junk code. Nobelium also employs other evasion methods, such as using residential IP addresses as proxies, VPS and VPN services before accessing the compromised environment, and more. In some instances, researchers were able to identify second-stage payloads injected into breached WordPress servers. In the campaigns, the hackers used legitimate Microsoft Azure-hosted systems, apparently because their IP addresses were in close proximity to the compromised network.

Nation-Sponsored Group

Nobelium is the name given by Microsoft to the threat actor responsible for the massive SolarWinds supply-chain attack. The same APT group is also tracked as APT29, Cozy Bear and the Dukes. Evidence suggests that the group either has strong ties to Russia or is outright a hacking division of the country's Foreign Intelligence Service.

Nobelium is an advanced hacking group with sizeable resources that has access to multiple custom-made malware threats and tools. Its operations predominantly target US agencies, with the goal of acquiring sensitive information. The latest activities of the group follow this pattern, with the hackers being observed exfiltrating multiple documents from their victims that are believed to contain information of particular interest to Russia.