NOBELIUM Uses Poland’s Ambassador’s Visit to the U.S. to Target EU Governments Assisting Ukraine

MITRE Techniques

• [T1584.006] Compromising legitimate web servers to spread downloaders – The campaign uses a weaponized HTML dropper hosted on compromised legitimate websites to deliver payloads. “The weaponized URLs shown above are hosted on a legitimate online library website based in El Salvador in Central America. We believe that the threat actor compromised this website sometime between the end of January 2023 and the beginning of February 2023.”
• [T1566.002] Spear-phishing email with link to malicious website – The infection vector is a targeted phishing email containing a weaponized document, with a link to HTML download. “The infection vector for this particular campaign is a targeted phishing email containing a weaponized document. The malicious document includes a link leading to the download of an HTML file.”
• [T1204.002] Malicious .lnk files inside of weaponized ISO images – The weaponized ISO drops two files, including .lnk, executed via rundll32.exe. “The weaponized URLs shown above… and the two files, with the same hash for both: BugSplatRc64.dll and .lnk.”
• [T1547.001] Execution through Autorun – Persistence through a Run key in the registry, enabling startup execution. “To remain persistent on the infected system, a new registry key is created under: ‘HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunDsDiBacks’ … ‘C:WindowsSystem32rundll32.exe “C:UsersAppDataLocalDsDiBacksBugSplatRc64.dll,InitiateDs”‘.”
• [T1027.006] Malicious HTML obfuscation – HTML content contains a data block that is decoded (by subtracting 4) to reveal an ISO. “The HTML file delivered in this campaign contains a data block that can be decoded by subtracting 4.”
• [T1102.002] Communicating via Notion API – C2 communications occur over the Notion API, disguising traffic as legitimate Notion usage. “The packed malware utilizes api.notion.com for its C2 communication. Notion is a commonly used note-taking application.”