Solarwinds Cybercrime Gang Used 4 New Malware Strains in USAID Phishing Campaign

Malware research teams at Microsoft are on high alert this month, as it was revealed that a Russian hacking gang used four new malware strains in a recent phishing campaign in which they impersonated the United States Agency for International Development (USAID). Last week the Microsoft Threat Intelligence Center (MSTICreported that the group APT29, also known as Nobelium, had breached USAIDs’ Constant Contact account. With a legitimate account under their control, Nobelium could impersonate USAID flawlessly and engage in a phishing campaign that aimed to deliver malware to targets.

The phishing campaign involved sending emails to over 3,000 email accounts at more than 150 different organizations, including government agencies and organizations devoted to international development, humanitarian, and human rights work.

“This week we observed cyberattacks by the threat actor Nobelium targeting government agencies, think tanks, consultants, and non-governmental organizations. This wave of attacks targeted approximately 3,000 email accounts at more than 150 different organizations. While organizations in the United States received the largest share of attacks, targeted victims span at least 24 countries. At least a quarter of the targeted organizations were involved in international development, humanitarian, and human rights work.” the report said.

Microsoft also identified Nobelium in the report, the group behind last year’s SolarWinds attack.

“Nobelium, originating from Russia, is the same actor behind the attacks on SolarWinds customers in 2020. These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts.”

Phishing Email From the USAID Constant Contact Account

Following the initial report, the MSTIC issued an additional report concerning the types of malware payloads involved in the campaign.

The four new malware strains include an HTML attachment named ‘EnvyScout‘, a downloader known as ‘BoomBox,’ a loader known as ‘NativeZone‘, and a shellcode downloader and launcher named ‘VaporRage.’

“The actor was able to distribute phishing emails that looked authentic but included a link that, when clicked, inserted a malicious file used to distribute a backdoor we call NativeZone.” the report stated.

Analysis of the 4 Malware Strains

Note: The Malware strains were analysed by the Microsoft Threat Intelligence Center (MSTIC) and BleepingComputer.


NV.html, tracked by Microsoft as EnvyScout, can be best described as a malicious dropper capable of de-obfuscating and writing a malicious ISO file to disk. EnvyScout is chiefly delivered to targets of NOBELIUM by way of an attachment to spear-phishing emails.

Distributed as a file named NV.html, when opened, the HTML file will attempt to load an image from a file:// URL. When doing this, Windows may send the logged-in user’s Windows NTLM credentials to the remote site, which attackers can capture and brute-force to reveal the plain text password.

Microsoft states that the attachment is also used to convert an embedded text blob into a malicious ISO saved as NV.img to the local file system.

NV.html attachment saving the ISO image


BOOM, tracked by Microsoft as “BoomBox”, can be best described as a malicious downloader. The downloader is responsible for downloading and executing the next-stage components of the infection. These components are downloaded from Dropbox (using a hardcoded Dropbox Bearer/Access token).

When executed, BoomBox ensures that a directory named NV is present in its current working directory; otherwise it terminates. If the directory is present, BoomBox displays the contents of the NV directory in a new Windows Explorer window (leaving it up to the user to open the PDF file).

After decrypting the downloaded files, BoomBox will save them as %AppData% MicrosoftNativeCacheNativeCacheSvc.dll  and %AppData%SystemCertificatesCertPKIProvider.dll, and execute them using rundll32.exe.

NativeCacheSvc.dll is configured to launch automatically when a user logs into Windows and is used to launch CertPKIProvider.dll.

As a final stage, the BoomBox malware will gather information about the Windows domain, encrypts the collected data, and then sends it to a remote server under the attacker’s control.

“As the final reconnaissance step, if the system is domain-joined, BoomBox executes an LDAP query to gather data such as distinguished name, SAM account name, email, and display name of all domain users via the filter (&(objectClass=user)(objectCategory=person)),” Microsoft explains.


NativeCacheSvc.dll, tracked by Microsoft as “NativeZone” can best be described as a malicious loader responsible for utilizing rundll32.exe to load the malicious downloader component CertPKIProvider.dll.

The malicious functionality of NativeCacheSvc.dll is located inside a DLL export named configNativeCache.

As shown above, the export function executes rundll32.exe to load %AppData%\SystemCertificates\Lib\CertPKIProvider.dll by calling its export function named eglGetConfigs.


CertPKIProvider.dll, tracked by Microsoft as “VaporRage” can best be described as a shellcode downloader. This version of VaporRage contains 11 export functions including eglGetConfigs, which houses the malicious functionality of the DLL.

When launched, the malware will connect back to a remote command and control server, where it will register itself with the attackers and then repeatedly connect back to the remote site for a shellcode to download.

When shellcodes are downloaded, the malware will execute them to perform various malicious activities, including the deployment of Cobalt Strike beacons.


With regards to protection against Phishing attacks, here at SaferNet we often recommend that businesses and families educate their members on how to spot fraudulent emails. These 4 new Malware strains highlight a different scenario however – The email comes from a trusted account, which makes it much more difficult to discern. In times like these, it is important to have a tool that can tell the difference for you, like SaferNet.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.

Leave a Reply

Your email address will not be published. Required fields are marked *