The NativeZone Malware is a loader deployed as part of a new phishing campaign attributed to the infamous APT29 hacker group, the same threat actor behind the supply-chain attack that compromised SolarWinds. APT29 is believed to have ties to Russia and is tracked under several other names, including NOBELIUM, SolarStorm, UNC2452, Dark Halo and StellarParticle.
In its new operation, APT29 gained access to the Constant Contact email-marketing account of the United States Agency for International Development (USAID). The hackers then used the legitimate marketing account to send phishing emails to roughly 3,000 individual accounts at more than 150 organizations. Among the organizations affected by the campaign were government agencies and entities involved with international development as well as humanitarian and human rights work. A report released by Microsoft on the phishing attack revealed that APT29 deployed four previously unseen malware strains: a malicious HTML attachment named 'EnvyScout,' a downloader named 'BoomBox,' a loader called 'NativeZone,' and a shellcode downloader named 'VaporRage.'
The NativeZone malware is a loader with a single task: delivering the VaporRage payload onto the breached system. NativeZone is written to disk by the previous-stage malware, BoomBox, which also sets up its persistence. The loader masquerades as a file named 'NativeCacheSvc.dll' and is registered under a Run key so that rundll32.exe starts it automatically whenever a user logs into Windows. Once running, NativeZone uses rundll32.exe to launch the second file dropped by BoomBox, 'CertPKIProvider.dll,' which carries the VaporRage payload. Both DLLs are placed under the user's profile rather than in a system directory, which is what makes the chain worth hunting for: a Run key that invokes rundll32.exe against a DLL in a user-writable location is rarely legitimate.
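The following hunting script is an added example, not code from the original article or from any published analysis of NativeZone. It walks the per-user and machine-wide Run keys, flags any entry that launches rundll32.exe against a DLL in a user-writable location, and separately searches the current user's AppData tree for the two file names given above. The two DLL names come from the article; the list of Run keys, the "user-writable path" regular expression and the output format are this example's own assumptions, and the regex will also catch legitimate software that persists the same way, so treat hits as leads rather than verdicts.

```powershell
# Added hunting example (not from the original article): find NativeZone-style
# persistence, i.e. Run-key entries that start rundll32.exe with a DLL living in a
# user-writable directory, plus any file on disk carrying the names the article gives.

$SuspectDlls = @('NativeCacheSvc.dll', 'CertPKIProvider.dll')   # file names from the article

# Autostart locations checked here (assumption: these four cover the common Run keys).
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Heuristic (assumption): a DLL loaded at logon from one of these trees deserves a look,
# because an unprivileged user can write there without touching protected system folders.
$UserWritable = '(?i)\\(AppData|Users\\[^\\]+|ProgramData|Temp)\\'

$Findings = foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Props = Get-ItemProperty -Path $Key
    foreach ($Name in $Props.PSObject.Properties.Name) {
        if ($Name -like 'PS*') { continue }      # skip PowerShell's own provider metadata
        $Cmd        = [string]$Props.$Name
        $UsesRundll = $Cmd -match '(?i)rundll32(\.exe)?'
        $NamedDll   = $SuspectDlls | Where-Object { $Cmd -like "*$_*" }
        if ($UsesRundll -and (($Cmd -match $UserWritable) -or $NamedDll)) {
            $Reason = if ($NamedDll) { "known file name: $($NamedDll -join ', ')" }
                      else { 'rundll32 loading a DLL from a user-writable path' }
            [pscustomobject]@{
                Key     = $Key
                Value   = $Name
                Command = $Cmd
                Reason  = $Reason
            }
        }
    }
}

# Second check: the dropped files themselves, anywhere under the user's AppData trees.
$FileHits = Get-ChildItem -Path $env:APPDATA, $env:LOCALAPPDATA -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $SuspectDlls -contains $_.Name } |
    Select-Object FullName, Length, LastWriteTime

if ($Findings) { $Findings | Format-List } else { 'No suspicious rundll32 Run-key entries found.' }
if ($FileHits) { $FileHits | Format-Table -AutoSize } else { 'No files with the named DLL names under AppData.' }
```

Run it in the context of each user account you care about, since HKCU only reflects the user running the script; on a multi-user host, load the other users' NTUSER.DAT hives or query the same path under HKEY_USERS. A hit on the file name alone is the stronger indicator; a hit on the path heuristic only tells you that something is persisting through rundll32 from a writable directory and that the DLL should be pulled for analysis.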