NativeZone is the name given collectively to disposable custom Cobalt Strike loaders used by APT29 since at least 2021.[1][2]
| Domain | ID | Sub-technique | Name | Use |
|---|---|---|---|---|
| Enterprise | T1140 | | Deobfuscate/Decode Files or Information | NativeZone can decrypt and decode embedded Cobalt Strike beacon stage shellcode.[1] |
| Enterprise | T1480 | | Execution Guardrails | NativeZone can check for the presence of KM.EkeyAlmaz1C.dll and will halt execution unless it is in the same directory as the rest of the malware's components.[1][2] |
| Enterprise | T1036 | | Masquerading | NativeZone has, upon execution, displayed a message box that appears to be related to a Ukrainian electronic document management system.[2] |
| Enterprise | T1218 | .011 | System Binary Proxy Execution: Rundll32 | NativeZone has used rundll32 to execute a malicious DLL.[2] |
| Enterprise | T1204 | .002 | User Execution: Malicious File | NativeZone can display an RTF document to the user to enable execution of Cobalt Strike stage shellcode.[1] |
| Enterprise | T1497 | .001 | Virtualization/Sandbox Evasion: System Checks | NativeZone has checked whether a VMware or VirtualBox VM is running on a compromised host.[1] |