NativeZone
NativeZone is the name given collectively to disposable custom Cobalt Strike loaders used by APT29 since at least 2021.[1][2]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1036 | 伪装 |
NativeZone has, upon execution, displayed a message box that appears to be related to a Ukrainian electronic document management system.[2] |
|
| Enterprise | T1140 | 反混淆/解码文件或信息 |
NativeZone can decrypt and decode embedded Cobalt Strike beacon stage shellcode.[1] |
|
| Enterprise | T1480 | 执行保护 |
NativeZone can check for the presence of KM.EkeyAlmaz1C.dll and will halt execution unless it is in the same directory as the rest of the malware's components.[1][2] |
|
| Enterprise | T1204 | .002 | 用户执行: Malicious File |
NativeZone can display an RTF document to the user to enable execution of Cobalt Strike stage shellcode.[1] |
| Enterprise | T1218 | .011 | 系统二进制代理执行: Rundll32 |
NativeZone has used rundll32 to execute a malicious DLL.[2] |
| Enterprise | T1497 | .001 | 虚拟化/沙盒规避: System Checks |
NativeZone has checked if Vmware or VirtualBox VM is running on a compromised host.[1] |