VaporRage, identified and tracked by Microsoft, is a sophisticated malware variant that operates as a shellcode downloader. This malicious software, embedded within the CertPKIProvider.dll file, is part of a unique infection chain used by the cyber threat group NOBELIUM, which also includes other tools such as EnvyScout, BoomBox, and NativeZone. The malware has the capability to execute any compatible shellcode provided by its command and control (C2) server, including a Cobalt Strike stage shellcode. It can download, decode, and execute an arbitrary payload fully in-memory, making it a potent tool for cyberattacks.
The malware was first detailed by Microsoft in a blog post on May 28, 2021, where they broke down NOBELIUM's early-stage toolset. VaporRage, as part of this toolset, is seen as the third-stage payload and stands out due to its unique shellcode loading capabilities. This version of VaporRage contains 11 export functions, one of which, eglGetConfigs, houses the malicious functionality of the DLL.
Consistent with other tools utilized by NOBELIUM, VaporRage conducts some level of profiling on an affected system's environment, providing an opportunity for restraint. However, the ambiguity surrounding VaporRage's operations adds to the complexity of dealing with this malware. Its ability to operate covertly, combined with its advanced functionality, makes VaporRage a significant cybersecurity concern. Further research and vigilance are required to mitigate the threats posed by this and similar malware.
Description last updated: 2024-05-05T00:05:09.496Z