Russian APT29/Nobelium Used 4 New Malware Families in USAID Phishing Attacks

Russian APT29/Nobelium Used 4 New Malware Families in USAID Phishing Attacks

Microsoft says Russian hackers used four new malware families to impersonate the United States Agency for International Development USAID in the last week’s attacks.

According to the Microsoft Threat Intelligence Center (MSTIC), the Russian group APT29/Nobelium gained access to the USAID’s email platform Constant Contact.

Using its email account, the attackers impersonated USAID and sent phishing emails to over 150 different organizations, government agencies and non-profit organizations.

Microsoft described four new malware families that were used by APT29/Nobelium in the attacks. These include a series of HTML and shellcode downloader and launcher families.


The first one, EnvyScout, is a malicious HTML/JS email attachment that sends a spear-phishing email to steal the credentials of Windows accounts. When opened, the HTML file will try to load an image from the attacker-controlled website, during which the credentials of the logged-in user will be sent by Windows to a remote site giving attackers a chance to brute-force compromise them. The attachment is also used to execute a malicious code that automatically downloads an embedded text blob. Once the code is loaded, the user is asked to double-click the downloaded ISO to open it.


When the Windows logo appears, the user will be prompted to open a shortcut named NV which executes the hidden BOOM.exe, part of the new BoomBox malware family. Florian Roth, a security researcher at F-Secure, discovered another phishing campaign that uses the same malware attachment in emails impersonating the Belgian embassy. Microsoft claims the ‘BoomBox,’ the BOOM.exe file in the ISO image, is used to download two encrypted files to the infected device. After successfully extracting the downloaded files, BoomBox saves them as %AppData%MicrosoftNativeCacheNativeCacheSvc.dll and %AppData%SystemCertificatesCertPKIProvider.dll and executes them. NativeCacheSvc.dll is used to launch the malicious CertPKIProvider.dll file.

“As the final reconnaissance step, if the system is domain-joined, BoomBox executes an LDAP query to gather data such as distinguished name, SAM account name, email, and display name of all domain users via the filter (&(objectClass=user)(objectCategory=person)),” Microsoft explains.

Once the system information has been collected, BoomBox sends the information to a remote server.


NativeZone is the second new type of malware – the NativeCacheSvc.dll file – that can be dropped and configured by BoomBox.


When started using rundll32.exe, the malware will execute CertPKIProvider.dll malware that Microsoft tracks as ‘VaporRage.’ The malware connects back to a remote control server and downloads a shellcode to install.

Shellcodes are a type of malware that can execute various malicious activities and various types of attacks, including the deployment of Cobalt Strike beacons.

APT29/Nobelium, the group responsible for these attacks, is believed to be based in Russia. It is known under other names as well: NC2452, StellarParticle, Dark Halo, and SolarStorm.


About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.