Remove NativeZone Malware

The NativeZone Malware is part of the toolkit of Nobelium, the Russian state-sponsored APT group best known for the SolarWinds supply-chain compromise. The group recently made the news again with a new campaign targeting organizations in the humanitarian and international development sectors. For this campaign Nobelium introduced four new malware families, one of which is NativeZone. It is usually deployed after the EnvyScout and BoomBox implants, in that order.

But what is the purpose of NativeZone Malware? It is a basic Trojan loader that relies on DLL hijacking: rather than modifying legitimate files, it places a malicious DLL where a legitimate, signed Windows component (such as rundll32.exe) will load and execute it. One of the DLLs that NativeZone loads this way is CertPKIProvider.dll. NativeZone is not run just once: the BoomBox implant sets up persistence for it through a registry Run key, so it is launched again every time the user logs on.
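The two behaviours described above, a trusted host binary loading a DLL from a user-writable directory and a Run key that re-launches such a DLL at logon, are what a responder would hunt for. The script below is an added example written for this page, not code from the original article or from any vendor; it runs two simple checks over constructed sample data (Sysmon Event ID 7 image-load records and Run key values). All paths, user names and value names in the samples are hypothetical, except the CertPKIProvider.dll file name the article mentions.

```python
import ntpath
import re

# Directory fragments a normal user can write to. A signed Windows binary
# loading an unsigned DLL from one of these is the classic DLL hijacking /
# side-loading shape that NativeZone relies on.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Trusted host binaries commonly abused to execute an arbitrary DLL.
DLL_HOST_BINARIES = ("rundll32.exe", "regsvr32.exe")

# Matches "rundll32[.exe] <path>.dll" in a Run key command line (quoted or not).
RUN_KEY_CMD = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)"?', re.IGNORECASE)


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def suspicious_image_loads(events):
    """Return (reason, process, dll) for each image-load record that looks like
    DLL hijacking. Rule A: a DLL host binary loads a DLL from a user-writable
    path. Rule B: a signed process loads an unsigned DLL from a user-writable path."""
    hits = []
    for ev in events:
        proc = ntpath.basename(ev["Image"]).lower()
        dll = ev["ImageLoaded"]
        if not is_user_writable(dll):
            continue
        if proc in DLL_HOST_BINARIES:
            hits.append(("host-binary-loads-user-writable-dll", ev["Image"], dll))
        elif ev["Signed"] == "true" and ev["LoadedSigned"] == "false":
            hits.append(("signed-process-loads-unsigned-dll", ev["Image"], dll))
    return hits


def suspicious_run_entries(entries):
    """Return {value_name: dll_path} for Run key values that use rundll32 to
    start a DLL living in a user-writable directory (the persistence shape
    described above)."""
    hits = {}
    for name, cmd in entries.items():
        m = RUN_KEY_CMD.search(cmd)
        if m and is_user_writable(m.group(1)):
            hits[name] = m.group(1)
    return hits


# Constructed sample data (hypothetical paths and names, not real telemetry).
SAMPLE_IMAGE_LOADS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\SystemCertificates\CertPKIProvider.dll",
     "Signed": "true", "LoadedSigned": "false"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll",
     "Signed": "true", "LoadedSigned": "true"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",   # renamed signed binary
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll",
     "Signed": "true", "LoadedSigned": "false"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\lib.dll",
     "Signed": "true", "LoadedSigned": "false"},
]

SAMPLE_RUN_KEY = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "CacheUpdater": r"rundll32.exe C:\Users\alice\AppData\Roaming\Microsoft\Cache\cachesvc.dll Start",
    "ControlPanel": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
}


def hunt():
    """Run both checks over the constructed samples and return the findings."""
    return {
        "image_loads": suspicious_image_loads(SAMPLE_IMAGE_LOADS),
        "run_keys": suspicious_run_entries(SAMPLE_RUN_KEY),
    }


if __name__ == "__main__":
    for section, findings in hunt().items():
        print(section)
        for f in (findings.items() if isinstance(findings, dict) else findings):
            print("  ", f)
```

Both checks are deliberately coarse: legitimate software does occasionally load DLLs from AppData, so treat a hit as a lead to verify (check the DLL's signature and hash, and what launched the host binary) rather than as a verdict.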

So far, NativeZone has been observed doing one thing: loading and running the fourth implant in the Nobelium chain, VaporRage. VaporRage downloads and executes shellcode on the compromised system, which gives the attackers essentially free rein over it. On some compromised systems, VaporRage was seen dropping a Cobalt Strike Beacon.

June 1, 2021