Skip to content

S0637 NativeZone

NativeZone is the name given collectively to disposable custom Cobalt Strike loaders used by APT29 since at least 2021.12

Item Value
ID S0637
Associated Names
Type MALWARE
Version 1.0
Created 04 August 2021
Last Modified 16 October 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1140 Deobfuscate/Decode Files or Information NativeZone can decrypt and decode embedded Cobalt Strike beacon stage shellcode.1
enterprise T1480 Execution Guardrails NativeZone can check for the presence of KM.EkeyAlmaz1C.dll and will halt execution unless it is in the same directory as the rest of the malware’s components.12
enterprise T1036 Masquerading NativeZone has, upon execution, displayed a message box that appears to be related to a Ukrainian electronic document management system.2
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.011 Rundll32 NativeZone has used rundll32 to execute a malicious DLL.2
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File NativeZone can display an RTF document to the user to enable execution of Cobalt Strike stage shellcode.1
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.001 System Checks NativeZone has checked if Vmware or VirtualBox VM is running on a compromised host.1

Groups That Use This Software

ID Name References
G0016 APT29 2

References

  1. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021. 

  2. Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021.