This threat is a malicious dropper capable of de-obfuscating and writing a malicious ISO file to disk. EnvyScout is mainly delivered to targets of NOBELIUM as a spear-phishing email attachment. NOBELIUM is the threat actor behind the attacks against SolarWinds, the SUNBURST backdoor, TEARDROP malware, GoldMax malware, and other related components.
Microsoft Defender Antivirus automatically removes threats as they are detected. If you have cloud-delivered protection, your device gets the latest defenses against new and unknown threats. If you don't have this feature enabled, update your antimalware definitions and run a full scan to remove this threat.
To help reduce the impact of this threat, you can:
Contact your incident response team and start the incident response process. If you don't have one, contact Microsoft support for investigation and remediation services.
Immediately isolate the affected device. If malicious code has been launched, it is likely that the device is under complete attacker control.
Identify the accounts that have been used on the affected device and consider these accounts compromised. Reset passwords or decommission the accounts.
Investigate the device timeline for indications of lateral movement activities using one of the compromised accounts. Check for additional tools that attackers might have dropped to enable credential access, lateral movement, and other attack activities.
Scope the incident. Find related devices, network addresses, and files in the incident graph.
Contain and mitigate the breach. Stop suspicious processes, isolate affected devices, decommission compromised accounts or reset passwords, block IP addresses and URLs, and install security updates.
EnvyScout is a malicious dropper capable of de-obfuscating and writing a malicious ISO file to disk. EnvyScout is mainly delivered to targets of NOBELIUM as a spear-phishing email attachment. The presence of this file might indicate that the attacker has already deployed malicious code such as a Cobalt Strike Beacon payload, and that the system might already be compromised and under attacker control.
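The following triage script is an added example and is not Microsoft's code or part of this page. It shows the defender-side counterpart of the behaviour described above: checking whether an HTML or JavaScript attachment carries an encoded ISO image, and listing ISO files recently written under a user profile so that affected devices can be scoped for isolation. It assumes the embedded blob is plain base64 (real droppers may apply further obfuscation, which this check will not see), that an ISO 9660 image carries the ASCII identifier "CD001" at byte offset 0x8001, and that the folder paths and sample attachment content are constructed for the demonstration.

```powershell
# Added example, not Microsoft's code: triage an attachment for an embedded ISO image
# and list recently written ISO files. Assumptions (not from the page): the blob is plain
# base64; ISO 9660 images carry "CD001" at byte offset 0x8001; paths are constructed.

function Test-EmbeddedIsoBlob {
    # Returns $true when the text contains a base64 run that decodes to an ISO 9660 image.
    param([Parameter(Mandatory)][string]$Content)
    # At least 0x8006 bytes are needed to reach the identifier; that is about 43.7 KB of base64.
    $runs = [regex]::Matches($Content, '[A-Za-z0-9+/]{43000,}={0,2}')
    foreach ($run in $runs) {
        try { $bytes = [Convert]::FromBase64String($run.Value) } catch { continue }
        if ($bytes.Length -lt 0x8006) { continue }
        $id = [System.Text.Encoding]::ASCII.GetString($bytes, 0x8001, 5)
        if ($id -eq 'CD001') { return $true }
    }
    return $false
}

function Get-RecentIsoFiles {
    # Lists .iso files written recently under locations where a browser or mail client
    # would drop an attachment-derived file; useful when scoping which devices to isolate.
    param(
        [int]$Days = 7,
        [string[]]$Roots = @("$env:USERPROFILE\Downloads", "$env:LOCALAPPDATA\Temp")
    )
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $Roots -Filter *.iso -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        Select-Object FullName, Length, LastWriteTime
}

# --- Constructed demonstration input (no real sample is used) ---
$image = New-Object byte[] 0x8100                        # synthetic ISO-sized buffer, all zeros
[System.Text.Encoding]::ASCII.GetBytes('CD001').CopyTo($image, 0x8001)
$suspicious = "<html><script>var payload='" + [Convert]::ToBase64String($image) + "';</script></html>"
$benign     = "<html><body>Quarterly report attached.</body></html>"

"Suspicious attachment flagged: $(Test-EmbeddedIsoBlob -Content $suspicious)"
"Benign attachment flagged:     $(Test-EmbeddedIsoBlob -Content $benign)"
Get-RecentIsoFiles | Format-Table -AutoSize
```

Run the script against a quarantined copy of the attachment, never by opening it; the ISO check reads bytes only and does not execute any script in the file. A hit on either function is a reason to move to the isolation and account-reset steps above rather than to wait for further confirmation.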
Prevention
Guidance for end users
To learn more about preventing supply chain-related attacks and malware in general, refer to the guidance below:
Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
Use device discovery to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.
Enable multifactor authentication (MFA) to mitigate compromised credentials.
NOTE: Microsoft strongly encourages all customers to download and use password-less solutions like Microsoft Authenticator to secure their accounts.
Block all Office applications from creating child processes
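The script below is an added example, not Microsoft's code or part of this page. It applies the device-level Microsoft Defender Antivirus settings from the list above (cloud-delivered protection, network protection, and the "Block all Office applications from creating child processes" attack surface reduction rule) on one Windows machine and reads them back for verification. EDR in block mode, automated investigation and remediation, device discovery and MFA are tenant-level settings configured in the Microsoft Defender and Microsoft Entra portals and are not covered here. The rule ID used is Microsoft's documented ID for that ASR rule; the cmdlets are the standard Defender PowerShell module.

```powershell
# Added example, not Microsoft's code: apply the per-device Defender settings listed above
# and verify them. Run from an elevated PowerShell on the device. Tenant-level items
# (EDR in block mode, automated investigation, device discovery, MFA) are set in the portals.

# Documented ID of the ASR rule "Block all Office applications from creating child processes".
$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

# Cloud-delivered protection with sample submission, so new variants are classified quickly.
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendAllSamples

# Network protection: blocks connections to known-malicious domains from any process.
Set-MpPreference -EnableNetworkProtection Enabled

# Attack surface reduction: Office applications may not spawn child processes.
# In a fleet rollout, use -AttackSurfaceReductionRules_Actions AuditMode first and review
# the audit events before switching to Enabled.
Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                 -AttackSurfaceReductionRules_Actions Enabled

# Read the effective configuration back so the change can be recorded in the ticket.
$pref = Get-MpPreference
[pscustomobject]@{
    CloudProtection     = $pref.MAPSReporting
    SampleSubmission    = $pref.SubmitSamplesConsent
    NetworkProtection   = $pref.EnableNetworkProtection
    OfficeChildProcRule = ($pref.AttackSurfaceReductionRules_Ids -contains $OfficeChildProcRule)
} | Format-List
```

For more than a handful of devices, deliver the same settings through Intune or Group Policy rather than per-device PowerShell, so that the configuration is enforced and reported centrally.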
Improve your security posture against supply chain attacks
Software developers and publishers are advised to maintain secure build and update infrastructure and to establish a response process for supply chain attacks. Software updates should always be delivered using SSL connections and signed components.
Conduct an inventory of your software suppliers. Do your due diligence to confirm there are no red flags. The NIST Cyber Supply Chain Best Practices provide sample questions that you can use to screen your software suppliers, such as what malware protection and detection are performed and what access controls—both cyber and physical—are in place.
Microsoft Defender Antivirus raises an alert if it detects this threat on your device. Microsoft Defender Antivirus automatically removes threats as they are detected. It will quarantine the malware even if the process is running. If this threat is detected on your environment, we recommend that you immediately investigate it.