NativeZone is the name given collectively to disposable custom Cobalt Strike loaders used by APT29 since at least 2021.[1][2]
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1140 | Deobfuscate/Decode Files or Information |
NativeZone can decrypt and decode embedded Cobalt Strike beacon stage shellcode.[1] |
|
Enterprise | T1480 | Execution Guardrails |
NativeZone can check for the presence of KM.EkeyAlmaz1C.dll and will halt execution unless it is in the same directory as the rest of the malware's components.[1][2] |
|
Enterprise | T1036 | Masquerading |
NativeZone has, upon execution, displayed a message box that appears to be related to a Ukrainian electronic document management system.[2] |
|
Enterprise | T1218 | .011 | Signed Binary Proxy Execution: Rundll32 |
NativeZone has used rundll32 to execute a malicious DLL.[2] |
Enterprise | T1204 | .002 | User Execution: Malicious File |
NativeZone can display an RTF document to the user to enable execution of Cobalt Strike stage shellcode.[1] |
Enterprise | T1497 | .001 | Virtualization/Sandbox Evasion: System Checks |
NativeZone has checked if Vmware or VirtualBox VM is running on a compromised host.[1] |
ID | Name | References |
---|---|---|
G0016 | APT29 |