Microsoft has uncovered a massive spear phishing campaign carried out by the Russian Advanced Persistent Threat (APT) group associated with the SolarWinds Orion supply chain attack.
As of January 2021, Microsoft has monitored the APT group as Nobelium and also its spear-phishing campaign. The APT group is doing trial and error different delivery tactics, which include taking advantage of the Google Firebase system to present a malicious ISO file by using HTML email attachments that give various malware payloads.
Nobelium increased the campaign on May 25, 2021 when it commenced utilizing the Constant Contact mass-mailing service to send emails to targets in a broad selection of industry verticals. The newest campaign attacked approximately 3,000 personal accounts all through 150 businesses, many of which were in the U.S. Each and every target had its own exclusive infrastructure and tooling, which has permitted the group to keep under the radar.
The attackers accessed the U.S. Agency for International Development (USAID) Constant Contact account and sent spear-phishing messages masked as a USAID Special notification. The emails include a reply-to address on the usaid.gov domain and were delivered from the in.constantcontact.com website.
The messages mentioned that Donald Trump has released new information on election fraudulence, with the email messages having a button to click to check out the docs. In case the recipient clicks the URL in the message, they are sent to the legit Constant Contact service, and then forwarded to a website address manipulated by Nobelium that sends a malicious ISO file. The ISO file serves as a bait file and includes a .lnk shortcut that runs a Cobalt Strike Beacon loader, and also a malicious DLL file, a Cobalt Strike Beacon loader and backdoor, which Microsoft referred to as NativeZone.
When the payloads are used, Nobelium obtains persistent access to compromised systems and could later complete more targets for instance lateral movement, information exfiltration, and the sending of more malware.
A prior campaign in May additionally employed the mix of HTML and ISO files, which slipped a .NET first-stage implant, TrojanDownloader:MSIL/BoomBox, and utilized it for reconnaissance and to obtain added malicious payloads through Dropbox.
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are looking into the phishing campaign. Constant Contact gave a statement affirming the breach of the account login information of one of its customers. It explained that the breach was a singled out case, and the impacted accounts had been momentarily deactivated while cooperating with customers and authorities.
Microsoft has given notice that the strategies, techniques, and processes utilized by Nobelium have had a great rate of development. It is predicted that extra activity may be performed by the group employing a changing set of techniques.
Microsoft has publicized Indicators of Compromise (IoCs) and has advised various mitigations that may cut down the effect of this threat, such as the usage of antivirus applications, employing network protection to stop applications or users from interacting with malicious domains, and using multi-factor authentication to avert using breached credentials.