VaporRage Malware Description
The VaporRage Malware is a threat deployed as part of a new phishing campaign attributed to the APT29 hacker group, the same hackers who carried out the supply-chain attack against SolarWinds. APT29 is also tracked under several other designations, including Nobelium, SolarStorm, DarkHalo and UNC2452. Infosec researchers believe that the threat actors are backed by Russia.
In their latest operations, APT29 managed to breach the Constant Contact account of the United States Agency for International Development (USAID). Afterward, the hackers used the legitimate marketing account to impersonate USAID and send over 3,000 phishing emails to more than 150 targets. The selected targets included organizations and government agencies involved in international development, humanitarian and human rights work.
VaporRage is one of four threatening tools that APT29 deployed in the USAID phishing attack; the other three are an HTML attachment named 'EnvyScout,' a downloader named 'BoomBox,' and a loader called 'NativeZone.' Before VaporRage is activated, two of these other components must run first.
First, BoomBox delivers the VaporRage payload in the guise of a file named 'CertPKIProvider.dll.' Then the NativeZone loader loads and executes the file. The main task of VaporRage is to establish a connection with the Command-and-Control server of the operation, register itself, and then regularly reach out to the remote site to fetch shellcode. VaporRage can be instructed to download and execute specific shellcode depending on the intentions of the hackers, including Trojans and Cobalt Strike beacons.
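The chain above gives a defender two observables to pair: a process loading a DLL named CertPKIProvider.dll, followed by evenly spaced connections to one host as the downloader polls for shellcode. The following detection sketch is an added example, not code from the write-up or from any vendor tool; it runs over constructed Sysmon-style events (event 7 image load, event 3 network connect), and the field names, addresses and thresholds are assumptions.

```python
"""Detection sketch: flag a process that loads the VaporRage payload DLL name
and then contacts one host on a regular cadence. Constructed sample events,
loosely modelled on Sysmon image-load (7) and network-connect (3) records."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry: pid 4120 mimics the NativeZone -> VaporRage chain,
# pid 900 is benign background traffic. Addresses are documentation ranges.
SAMPLE_EVENTS = [
    {"id": 7, "pid": 4120, "ts": 0, "image": r"C:\Users\v\AppData\Roaming\CertPKIProvider.dll"},
    {"id": 3, "pid": 4120, "ts": 60, "dst": "203.0.113.10"},
    {"id": 3, "pid": 4120, "ts": 120, "dst": "203.0.113.10"},
    {"id": 3, "pid": 4120, "ts": 181, "dst": "203.0.113.10"},
    {"id": 3, "pid": 4120, "ts": 240, "dst": "203.0.113.10"},
    {"id": 7, "pid": 900, "ts": 5, "image": r"C:\Windows\System32\kernel32.dll"},
    {"id": 3, "pid": 900, "ts": 10, "dst": "198.51.100.7"},
    {"id": 3, "pid": 900, "ts": 700, "dst": "198.51.100.7"},
]

PAYLOAD_NAME = "certpkiprovider.dll"  # file name VaporRage is delivered under


def flag_dll_loads(events):
    """Return the set of pids that loaded a DLL whose file name matches the payload."""
    return {e["pid"] for e in events
            if e["id"] == 7 and e["image"].lower().rsplit("\\", 1)[-1] == PAYLOAD_NAME}


def beacon_score(timestamps):
    """Mean gap and coefficient of variation for one (pid, dst) connection series.
    A low CV means evenly spaced connections, as a polling loop produces."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return None  # too few connections to judge cadence
    m = mean(gaps)
    return m, pstdev(gaps) / m


def detect(events, min_conns=4, max_cv=0.1):
    """Pids that both loaded the payload name and beacon regularly to a single host."""
    suspects = flag_dll_loads(events)
    series = defaultdict(list)
    for e in events:
        if e["id"] == 3 and e["pid"] in suspects:
            series[(e["pid"], e["dst"])].append(e["ts"])
    hits = set()
    for (pid, _dst), ts in series.items():
        score = beacon_score(sorted(ts))
        if len(ts) >= min_conns and score and score[1] <= max_cv:
            hits.add(pid)
    return sorted(hits)


if __name__ == "__main__":
    print("suspect pids:", detect(SAMPLE_EVENTS))  # [4120]
```

The cadence check is a generic heuristic and will also fire on legitimate periodic updaters, so the DLL-name match is what ties the alert to this specific chain.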