EnvyScout (named after the filename NV.html; also tracked as Envy Scout, NV.html, NV) is a dropper-style malware that writes a malicious ISO to disk. It is known to be used by the adversary tracked as Dark Halo (aka Nobelium, UNC2452) and came to attention during a major phishing campaign carried out in early 2021.
The dropper is delivered as a malicious attachment in a phishing email.
The EnvyScout dropper is a self-contained HTML file.
All versions of EnvyScout contain an encoded blob holding the payload. The payload is Base64-encoded and XOR'd with a single-byte key, and is written to disk using modified FileSaver code.
Finally, all versions of EnvyScout contain a small piece of code that decodes the ISO from the XOR'd, Base64-encoded blob. This writes a file named NV.img to disk, which the user must then execute.
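The following is an added analysis helper, not code from the EnvyScout sample or from any vendor report: it pulls long Base64 blobs out of an HTML file, brute-forces the single-byte XOR key and stops at the first candidate that carries an ISO 9660 or PE signature. The input HTML is constructed inline, and the order "Base64-decode, then XOR" is an assumption.

```python
import base64
import re
from typing import Optional, Tuple

# Signatures a recovered dropper payload is expected to carry. The ISO 9660
# primary volume descriptor starts at sector 16; "CD001" follows its 1-byte type field.
ISO_MAGIC_OFFSET = 0x8001
ISO_MAGIC = b"CD001"
PE_MAGIC = b"MZ"

# Long Base64 runs stored as JavaScript string literals.
BLOB_RE = re.compile(rb'["\']([A-Za-z0-9+/]{64,}={0,2})["\']')


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with `key` using a translation table (fast for 256 trials)."""
    return data.translate(bytes(i ^ key for i in range(256)))


def looks_like_payload(data: bytes) -> Optional[str]:
    """Label the buffer if it carries a known image or executable signature."""
    if data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC:
        return "iso9660"
    if data[:2] == PE_MAGIC:
        return "pe"
    return None


def recover_payload(html: bytes) -> Optional[Tuple[int, str, bytes]]:
    """Return (xor_key, kind, payload) for the first blob that decodes to a known signature."""
    for match in BLOB_RE.finditer(html):
        try:
            decoded = base64.b64decode(match.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        for key in range(256):
            candidate = xor_single_byte(decoded, key)
            kind = looks_like_payload(candidate)
            if kind:
                return key, kind, candidate
    return None


def build_sample_html(key: int = 0x5A) -> bytes:
    """Constructed test input (not a real EnvyScout file): a minimal ISO 9660-shaped
    buffer, XOR'd with `key`, Base64-encoded and embedded in a <script> string."""
    image = bytearray(ISO_MAGIC_OFFSET + 64)
    image[ISO_MAGIC_OFFSET - 1] = 1  # volume descriptor type: primary
    image[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] = ISO_MAGIC
    blob = base64.b64encode(xor_single_byte(bytes(image), key))
    return b'<html><script>var d="' + blob + b'";</script></html>'
```

Point `recover_payload` at a real sample's bytes to get the key and the raw image for further triage (mounting read-only, hashing, extracting the shortcut and executable).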
When a user executes the file, Windows 10 mounts it as it would any disk image. The image contains a visible shortcut file named "NV.lnk" and two hidden items: a folder also named "NV" and an executable called "BOOM.exe". "NV.lnk" points to "BOOM.exe".
Some variants of EnvyScout contained execution guardrails that checked window.location.pathname, verifying that its first two characters were "C" and ":" to ensure the file was being run from local disk. If any other values were found, the ISO was not written to disk.
Other variants also performed additional reconnaissance by inspecting the user agent string to determine whether the file was being opened in a Windows environment. Users determined to be on iOS were redirected to external infrastructure.
EnvyScout does not exhibit any persistence mechanisms. Instead, persistence is achieved with the dropped payload.
In some versions of EnvyScout, the file contains two URLs.
When the HTML file is opened, an attempt is made to connect to the malicious command-and-control (C2) server using the first URL, prefixed with the "file://" protocol, over port 445 (SMB). This is an attempt by the actor to capture the victim's NTLMv2 authentication data, which can then be subjected to brute-force cracking.
The second URL fetches an image that acts much like a tracking pixel.