NativeZone is a custom Cobalt Strike Beacon loader. Microsoft gave the malware its name; it is typically loaded and executed through rundll32.exe, and its purpose is to deliver follow-on payloads. The loader ships as a DLL (observed file names include Document.dll and NativeCacheSvc.dll) and has been found in several versions that use different encoding and encryption schemes to obfuscate the embedded shellcode. NativeZone's activity has been linked to the deployment of custom Cobalt Strike loaders, tools designed to exploit vulnerabilities and gain unauthorized access to systems.
On May 28, 2021, Microsoft published a blog post detailing NOBELIUM's latest early-stage toolset, which includes NativeZone alongside EnvyScout, BoomBox, and VaporRage. These tools were used together in a distinctive infection chain whose final stage is NativeZone. The loader works by extracting shellcode from an RTF file, decoding it, and executing it on the victim system. When the NativeZone DLL is loaded or executed, it first displays the RTF document to the user as a decoy.
NativeZone has several variants, some of which were found alongside an RTF file. Unlike the first variant, second-variant samples do not contain the encoded or encrypted Cobalt Strike Beacon stage shellcode. A further sample was observed using AES to decrypt an embedded Cobalt Strike shellcode blob, which shows how much the loader's packaging and obfuscation vary between builds. NativeZone is a significant threat because of its use of encryption and its ability to stay undetected while executing its payloads.
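The description above gives defenders one concrete hunting lead: the loader is a DLL launched through rundll32.exe. The following is an added example, not code from the original description or from Microsoft's report, of a small triage rule over Sysmon-style process-creation events that flags rundll32.exe runs whose DLL either carries one of the file names the description attributes to NativeZone (Document.dll, NativeCacheSvc.dll) or lives in a user-writable directory. Every event, path and the export name "SomeExport" below is constructed for the example; the user-writable-directory heuristic is an assumption of the example, not something the description states.

```python
"""
Added example, not code from the original description or from Microsoft's
report: a triage rule over process-creation telemetry that flags rundll32.exe
loading a DLL the way the description says NativeZone is launched. The DLL
names Document.dll and NativeCacheSvc.dll come from the description; every
event, path and export name below is constructed for this example.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# DLL file names the description attributes to NativeZone samples.
KNOWN_NATIVEZONE_DLLS = {"document.dll", "nativecachesvc.dll"}

# Assumption for this example: a DLL handed to rundll32 from a user-writable
# directory is worth a look regardless of its name.
USER_WRITABLE_HINTS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\downloads\\",
    "\\users\\public\\",
)

# rundll32 syntax: rundll32[.exe] <dll>[,<export>] [args]. The image may carry
# a full path and quotes; the DLL path may be quoted.
_RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[a-z]:\\[^"]*?\\)?rundll32(?:\.exe)?"?\s+'
    r'(?P<dll>"[^"]+"|\S+?)(?:,(?P<export>\S+))?(?:\s|$)',
    re.IGNORECASE,
)


@dataclass
class Finding:
    pid: int
    dll_path: str
    export: Optional[str]
    reasons: List[str] = field(default_factory=list)


def parse_rundll32_cmdline(cmdline: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (dll_path, export) for a rundll32 command line, or None if it is not one."""
    m = _RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    return m.group("dll").strip('"'), m.group("export")


def assess_event(event: dict) -> Optional[Finding]:
    """Score one process-creation event; None when it is not rundll32 or shows no indicator."""
    if ntpath.basename(event["image"]).lower() != "rundll32.exe":
        return None
    parsed = parse_rundll32_cmdline(event["cmdline"])
    if parsed is None:
        return None
    dll_path, export = parsed
    lowered = dll_path.lower()
    reasons = []
    if ntpath.basename(lowered) in KNOWN_NATIVEZONE_DLLS:
        reasons.append("DLL name matches a NativeZone sample name")
    if any(hint in lowered for hint in USER_WRITABLE_HINTS):
        reasons.append("DLL loaded from a user-writable directory")
    return Finding(event["pid"], dll_path, export, reasons) if reasons else None


def triage(events) -> List[Finding]:
    """Run assess_event over a batch of events and keep only the hits."""
    return [f for f in (assess_event(e) for e in events) if f is not None]


# Constructed sample events (Sysmon-style fields); "SomeExport" is a placeholder name.
SAMPLE_EVENTS = [
    {"pid": 1001, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"pid": 1002, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" C:\Users\bob\AppData\Roaming\NativeCacheSvc.dll,SomeExport'},
    {"pid": 1003, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'rundll32 "C:\Users\Public\Document.dll",SomeExport'},
    {"pid": 1004, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\update.dll"},
    {"pid": 1005, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\bob\Downloads\notes.txt"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"pid={f.pid} dll={f.dll_path} export={f.export}: {'; '.join(f.reasons)}")
```

Run against the constructed batch, the rule ignores the benign shell32.dll control-panel invocation and the non-rundll32 process, and reports the three DLL loads that match a known name, a user-writable path, or both. The name list is only a starting point, since the description notes that NativeZone comes in several versions; the path heuristic is what keeps the rule useful when a new build uses a different file name.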
Description last updated: 2024-05-04T16:53:22.458Z