NativeZone is the name given collectively to disposable custom Cobalt Strike loaders used by APT29 since at least 2021.[1][2]

ID: S0637
Platforms: Windows
Version: 1.0
Created: 04 August 2021
Last Modified: 16 October 2021

Techniques Used

Domain ID Name Use
Enterprise T1140 Deobfuscate/Decode Files or Information

NativeZone can decrypt and decode embedded Cobalt Strike beacon stage shellcode.[1]

Enterprise T1480 Execution Guardrails

NativeZone can check for the presence of KM.EkeyAlmaz1C.dll and will halt execution unless it is in the same directory as the rest of the malware's components.[1][2]

Enterprise T1036 Masquerading

NativeZone has, upon execution, displayed a message box that appears to be related to a Ukrainian electronic document management system.[2]

Enterprise T1218.011 System Binary Proxy Execution: Rundll32

NativeZone has used rundll32 to execute a malicious DLL.[2]

Enterprise T1204.002 User Execution: Malicious File

NativeZone can display an RTF document to the user to enable execution of Cobalt Strike stage shellcode.[1]

Enterprise T1497.001 Virtualization/Sandbox Evasion: System Checks

NativeZone has checked whether the compromised host is running inside a VMware or VirtualBox virtual machine.[1]
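Two of the behaviours above leave a trail in process-creation telemetry: rundll32 proxying a DLL that does not live in a system directory (T1218.011), and the KM.EkeyAlmaz1C.dll guardrail component (T1480). The script below is an added example of how a detection engineer might triage Sysmon-style process events for both; it is not NativeZone code, not part of the ATT&CK page, and not taken from the cited reports. The event records, the `parse_rundll32`/`in_trusted_dir`/`triage` helpers, and the rule names are constructed for illustration; the only indicator carried over from the page is the guardrail file name.

```python
"""Triage rundll32 process-creation events for the two NativeZone-style
behaviours named on this page: a DLL proxied through rundll32 from a
non-system directory (T1218.011) and the KM.EkeyAlmaz1C.dll guardrail
component (T1480). Added example; not NativeZone or MITRE code."""
import re
from pathlib import PureWindowsPath

# Guardrail component named on this page (matched case-insensitively).
GUARDRAIL_DLL = "km.ekeyalmaz1c.dll"

# Directories from which rundll32 loading a DLL is ordinarily benign.
# Only a DLL *directly* in these directories is trusted; a DLL dropped in a
# subdirectory such as System32\Tasks is still flagged.
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# "rundll32[.exe] <dll>[,Entry | Entry]" with an optionally quoted DLL path
# and an optionally pathed/quoted rundll32 image. An unquoted DLL path that
# contains spaces is truncated at the first space, as rundll32 itself does.
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+'
    r'(?:"(?P<qdll>[^"]+)"|(?P<dll>[^\s,]+))'
    r'(?:\s*,\s*|\s+)?(?P<entry>\S+)?',
    re.IGNORECASE,
)

# Constructed sample records in the shape of Sysmon Event ID 1 fields.
# These are not captured telemetry from any incident.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\victim\AppData\Local\Temp\doc\loader.dll,EntryPoint"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\victim\Downloads\KM.EkeyAlmaz1C.dll,Start"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\victim\notes.txt"},
]


def parse_rundll32(cmdline):
    """Return (dll_path, entry_point) for a rundll32 command line, else None."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    dll = m.group("qdll") or m.group("dll")
    return dll, (m.group("entry") or "")


def in_trusted_dir(dll_path):
    """True if the DLL's parent directory is System32 or SysWOW64.
    A bare file name (parent '.') is untrusted: rundll32 would resolve it via
    the DLL search order, which an attacker can influence."""
    parent = str(PureWindowsPath(dll_path).parent).lower()
    return parent in TRUSTED_DLL_DIRS


def triage(events):
    """Return (rule, command_line) findings, in event order, for rundll32 events."""
    findings = []
    for ev in events:
        parsed = parse_rundll32(ev["CommandLine"])
        if parsed is None:
            continue  # not a rundll32 invocation
        dll, _entry = parsed
        if PureWindowsPath(dll).name.lower() == GUARDRAIL_DLL:
            findings.append(("guardrail_component_name", ev["CommandLine"]))
        if not in_trusted_dir(dll):
            findings.append(("rundll32_nonsystem_dll", ev["CommandLine"]))
    return findings


if __name__ == "__main__":
    for rule, cmd in triage(SAMPLE_EVENTS):
        print(f"{rule:28s} {cmd}")
```

On the constructed events, the shell32.dll control-panel launch is left alone, the Temp-directory loader is flagged once, and the KM.EkeyAlmaz1C.dll launch is flagged twice (file name and directory). The directory rule is the one that generalises; the file-name rule is a brittle indicator that only catches samples reusing this specific guardrail name.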

Groups That Use This Software

ID Name References
G0016 APT29