Nobelium, or APT29, is a cybercrime organization believed to operate from Russia. They gained notoriety in the beginning of 2021 because of their attack against the SolarWinds software vendor. For this campaign, the criminals managed to execute a complicated supply-chain attack, which went unnoticed for months. Just a few months after the SolarWinds attack was discovered and neutralized, the Nobelium hackers are back with four malware families, which are being delivered to their victims through phishing emails. Surprisingly, the criminals have managed to compromise email addresses owned by the U.S. Agency for International Development; this makes the attack much more dangerous, since victims are likely to think the emails are legitimate.

Once the phishing email is delivered, the recipient is urged to download a malicious email attachment, which starts a multi-stage attack involving several malware families. The first payload is EnvyScout, followed by BoomBox and NativeZone, and the chain ends with the VaporRage implant.

The VaporRage malware is the last piece of the puzzle. It is designed to stay hidden on the compromised machine and to connect regularly to a remote command-and-control server to exchange information and receive code to execute. Instead of relying on remote command execution, the Nobelium hackers have opted to deliver pre-made shellcode, which the VaporRage malware then executes. In addition, VaporRage sometimes also drops a copy of the Cobalt Strike beacon to grant the criminals more control over the compromised system.

Unfortunately, it looks like the Nobelium hackers' recent campaign is still ongoing, and it might expand its reach even further in the next few weeks. Users and companies can stay safe by relying on anti-malware software and following the latest safe Web browsing practices.

June 1, 2021