EnvyScout

Malware updated 5 months ago (2024-05-04T20:51:36.311Z)
EnvyScout is a sophisticated malware used primarily by the threat actor group NOBELIUM, also known as APT29 or Cozy Bear. This malware, tracked by Microsoft and alternatively referred to as Rootsaw, is delivered via spear-phishing emails, often disguised with seemingly harmless attachments such as the NV.html file. Once opened, EnvyScout acts as a malicious dropper, de-obfuscating and writing a harmful ISO file to disk. It contains a payload stored as an encoded blob, which can further infect the target's system. The malware has been seen to drop downloaders like SNOWYAMBER and QUARTERRIG, which deliver additional payloads including the HALFRIG tool.

In April, the Polish CERT and Military Counterintelligence Service issued a warning about an APT29 campaign that leveraged EnvyScout to target diplomats associated with NATO and the European Union. Notably, one of the phishing campaigns involved sending emails with the alleged 2023 schedule for the Polish ambassador to the U.S., carrying the EnvyScout malware. When the recipient opens the attached NV.img file (dropped by EnvyScout), it triggers the default behavior on Windows 10 to mount the ISO image at the next available drive letter, leading to system infection.

The operation of EnvyScout involves several technical nuances. In some instances, the malware was observed to enumerate the executing browser’s environment, using the user-agent to determine whether a Windows machine received an ISO payload. In other iterations, EnvyScout contained execution guardrails wherein window.location.pathname was called, and its values were leveraged to ensure specific entries in the array of characters returned. The final component of EnvyScout is a short code snippet responsible for decoding the ISO in the Base64 encoded/XOR’d blob, and saving it to disk as NV.img with a mime type of “application/octet-stream”. This illustrates the complexity and adaptability of this malicious software.
Description last updated: 2024-03-25T10:15:38.425Z
Aliases: We are not currently tracking any aliases.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance: Dropper, Malware, Phishing, Payload
Associated Threat Actors
Alias: NOBELIUM
Description: The NOBELIUM Threat Actor is associated with EnvyScout. Nobelium, a threat actor linked to Russia, has been identified as a significant cybersecurity concern due to its persistent and sophisticated cyber-espionage campaigns. Known also by various other names such as APT29, Cozy Bear, Midnight Blizzard, and The Dukes, Nobelium is believed to be operating
Association Type: Unspecified
Votes: 4
Alias: APT29
Description: The APT29 Threat Actor is associated with EnvyScout. APT29, also known as Cozy Bear, Midnight Blizzard, Nobelium, and the Dukes, is a Russia-linked threat actor associated with SVR. This group is notorious for its sophisticated cyber espionage tactics, techniques, and procedures. APT29 often uses The Onion Router (TOR) network, leased and compromised
Association Type: Unspecified
Votes: 4