The cyber security company Mandiant has discovered that the hacker group Nobelium, which is suspected of having links to the Russian state, has developed its own download program, Ceeloader. Something that was first noticed by Bleeping Computer. Ceeloader is written in C and makes it possible to run shell code payloads directly in memory.
The malware is installed through Cobalt Strike and should be difficult to detect by security software because it mixes its calls to the Windows API with large amounts of junk code. The communication must take place via http while the C2 answers are read with AES-256 in CBC mode.
According to Mandiant, Nobelium’s activities should focus on collecting information that is of political interest to the Russian state. They do this by first infiltrating cloud providers and operating companies and then moving on to different customers’ networks.
Read also: Hundreds of servers in the Tor network are controlled by hackers