Microsoft has uncovered a large spear-phishing campaign run by the Russian Advanced Persistent Threat (APT) group responsible for the SolarWinds Orion supply chain attack.
Microsoft, which tracks the APT group as Nobelium, has been following its spear-phishing campaign since January 2021. The group has been testing various delivery strategies, such as using the Google Firebase platform to deliver a malicious ISO file via HTML email attachments carrying different malware payloads.
Nobelium escalated the campaign on May 25, 2021, when it began using the Constant Contact mass-mailing service to deliver messages to targets across a broad range of industry verticals. The most recent wave targeted about 3,000 individual accounts across 150 organizations, the majority of them in the U.S.A. Each target was served by distinct infrastructure and tooling, which has helped the group stay under the radar.
The attackers gained access to the U.S. Agency for International Development (USAID) Constant Contact account and sent spear-phishing messages disguised as a USAID Special Alert. The messages carried a reply-to address on the usaid.gov domain and were sent from the in.constantcontact.com domain.
The messages claimed that Donald Trump had published new documents on election fraud and offered a button to view the files. When the recipient clicks the link, they are first taken to the genuine Constant Contact service and then redirected to a Nobelium-controlled web address that serves a malicious ISO file. The ISO contains a lure document, a .lnk shortcut that runs a Cobalt Strike Beacon loader, and a malicious DLL, a Cobalt Strike Beacon loader and backdoor that Microsoft dubbed NativeZone.
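As an added illustration, not code from Microsoft's report or from the original article, the following Python triage script checks a constructed sample message for the delivery pattern described above: a bulk-mailer sender domain paired with a reply-to on a different domain, and links or attachments that serve .iso or .lnk files. The addresses, redirect host and file name in the sample are made up.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, not a real message from the campaign: it reproduces only the shape
# described above (sent via in.constantcontact.com, Reply-To on usaid.gov, link to an .iso).
SAMPLE_MESSAGE = """\
From: USAID Special Alert <alerts@in.constantcontact.com>
Reply-To: special.alert@usaid.gov
Subject: USAID Special Alert
Content-Type: text/html; charset="utf-8"

<html><body><p>New documents on election fraud have been posted.</p>
<a href="https://redirect.example.net/usaid/update.iso">View documents</a>
</body></html>
"""

# Container and shortcut types the article names as the delivery vehicle.
PAYLOAD_EXTENSIONS = (".iso", ".lnk")

def header_domain(msg, header):
    """Lower-cased domain of the address in `header`, or '' if absent or malformed."""
    _, addr = parseaddr(str(msg.get(header, "")))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def extract_links(msg):
    """Collect href targets from the HTML (or plain) body; a regex is enough here."""
    body = msg.get_body(preferencelist=("html", "plain"))
    return re.findall(r'href="([^"]+)"', body.get_content()) if body else []

def triage(raw_message):
    """Return human-readable findings for one message; an empty list means nothing flagged."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    from_domain, reply_domain = header_domain(msg, "From"), header_domain(msg, "Reply-To")
    # Bulk-mail service as sender but replies steered to an unrelated domain. Legitimate
    # newsletters do this too, so treat it as a triage signal, not a verdict on its own.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain} differs from sender domain {from_domain}")
    # Links whose URL path ends in a disk-image or shortcut extension.
    for link in extract_links(msg):
        if urlparse(link).path.lower().endswith(PAYLOAD_EXTENSIONS):
            findings.append(f"link serves payload-type file: {link}")
    # The same file types delivered directly as attachments.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(PAYLOAD_EXTENSIONS):
            findings.append(f"attachment with payload-type extension: {name}")
    return findings
```

Because the link in the real campaign bounced through the genuine Constant Contact service first, a production version would also need to follow redirects to see the final file type rather than inspecting the visible URL alone.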
Once the payloads are deployed, Nobelium has persistent access to compromised systems and can pursue follow-on objectives such as lateral movement, data exfiltration, and delivery of additional malware.
An earlier campaign in May likewise used the combination of HTML and ISO files to drop a .NET first-stage implant, TrojanDownloader:MSIL/BoomBox, which was used for reconnaissance and to fetch additional malicious payloads via Dropbox.
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are investigating the phishing campaign. Constant Contact released a statement confirming that a customer's account credentials had been compromised. It described the incident as an isolated occurrence and said the affected accounts had been temporarily disabled while it worked with customers and law enforcement.
Microsoft has cautioned that the tactics, techniques, and procedures employed by Nobelium have evolved rapidly, and it expects further activity from the group using an evolving set of techniques.
Microsoft has released Indicators of Compromise (IoCs) and has recommended a number of mitigations that may reduce the impact of this threat, including the use of antivirus software, network protection to prevent applications or users from reaching malicious domains, and multi-factor authentication to prevent the use of stolen credentials.