ATT&CK v16 has been released! Check out the blog post for more information.

EnvyScout

EnvyScout is a dropper that has been used by APT29 since at least 2021.^[1]

ID: S0634

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 02 August 2021

Last Modified: 11 April 2024

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	EnvyScout can use cmd.exe to execute malicious files on compromised hosts.^[1]
		.007	Command and Scripting Interpreter: JavaScript	EnvyScout can write files to disk with JavaScript using a modified version of the open-source tool FileSaver.^[1]
Enterprise	T1005		Data from Local System	EnvyScout can collect sensitive NTLM material from a compromised host.^[1]
Enterprise	T1140		Deobfuscate/Decode Files or Information	EnvyScout can deobfuscate and write malicious ISO files to disk.^[1]
Enterprise	T1480		Execution Guardrails	EnvyScout can call `window.location.pathname` to ensure that embedded files are being executed from the C: drive, and will terminate if they are not.^[1]
Enterprise	T1187		Forced Authentication	EnvyScout can use protocol handlers to coax the operating system to send NTLMv2 authentication responses to attacker-controlled infrastructure.^[1]
Enterprise	T1564	.001	Hide Artifacts: Hidden Files and Directories	EnvyScout can use hidden directories and files to hide malicious executables.^[1]
Enterprise	T1036		Masquerading	EnvyScout has used folder icons for malicious files to lure victims into opening them.^[1]
Enterprise	T1027	.006	Obfuscated Files or Information: HTML Smuggling	EnvyScout contains JavaScript code that can extract an encoded blob from its HTML body and write it to disk.^[1]
		.013	Obfuscated Files or Information: Encrypted/Encoded File	EnvyScout can Base64 encode payloads.^[1]
Enterprise	T1566	.001	Phishing: Spearphishing Attachment	EnvyScout has been distributed via spearphishing as an email attachment.^[1]
Enterprise	T1218	.011	System Binary Proxy Execution: Rundll32	EnvyScout has the ability to proxy execution of malicious files with Rundll32.^[1]
Enterprise	T1082		System Information Discovery	EnvyScout can determine whether the ISO payload was received by a Windows or iOS device.^[1]
Enterprise	T1204	.002	User Execution: Malicious File	EnvyScout has been executed through malicious files attached to e-mails.^[1]

Groups That Use This Software

ID	Name	References
G0016	APT29	^[1]

References

MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.