
Threat Flash Alert: Nobelium Spear-Phishing Campaign

Executive Summary

Microsoft’s Threat Intelligence Center (MSTIC) has released an advisory on a new spear-phishing campaign by the Russian threat group dubbed Nobelium. Nobelium has been identified as the group responsible for the SolarWinds compromise that took place in 2020. The campaign dates back to January 28th, 2021, but it escalated in late May of 2021. Additional information beyond what is provided in this Threat Flash Alert is available in the linked sources below.

Details

MSTIC initially discovered the campaign in February 2021 by identifying a wave of phishing emails that leveraged the Google ‘Firebase’ platform to stage an ISO file containing malicious content. The actor also used the platform to record attributes of anyone who accessed the URL.

The current campaign abuses the legitimate mass-mailing service Constant Contact to send the malicious links. The initial wave of phishing emails was styled as a USAID “special alert” and contained links to that supposed alert.

The email behaves differently depending on the recipient’s email platform and device type, including Apple and Linux machines. This is considered a spear-phishing campaign because the emails are tailored to the individual organizations being targeted.

The sender address varies for each recipient, but all of them end with the same domain, “@in.constantcontact.com”. Because the sending domain belongs to a legitimate service, these phishing emails easily bypass spam filters.

The current stage of this campaign aims to compromise systems through an HTML file attached to the spear-phishing email. When the user opens this file, JavaScript within the HTML file writes an ISO file to disk and then prompts the target to open it. Opening it mounts the ISO file in the same way as an external or network drive.

Once the ISO is mounted, a shortcut file (LNK) inside it executes a DLL, which installs and executes a Cobalt Strike Beacon.
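The delivery chain above (HTML attachment, ISO written to disk, ISO mounted, LNK launching a DLL) is what endpoint telemetry can be correlated on. The following Python is an added example written for this alert, not code from Microsoft or Security On-Demand: it walks constructed endpoint events in a simplified, vendor-neutral record shape (an assumption of the example; the process names, paths and DLL entry point are illustrative placeholders, not indicators from the advisory) and raises an alert only when all three stages occur on one host inside a time window.

```python
"""Detect the HTML attachment -> ISO written to disk -> ISO mounted -> LNK/DLL execution chain
described in the Details section, using constructed endpoint telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data) in a simplified, vendor-neutral shape that is an
# assumption of this example: (timestamp, host, event_type, detail dict). Process names, paths
# and the DLL entry point are illustrative placeholders, not indicators from the alert.
SAMPLE_EVENTS = [
    # ws01: browser renders the HTML attachment, its JavaScript drops an ISO, the user mounts it,
    # and the shortcut inside launches rundll32 with a DLL from the mounted drive.
    ("2021-05-26T09:15:00Z", "ws01", "file_write",
     {"proc": "msedge.exe", "path": r"C:\Users\jdoe\Downloads\Special_Alert.iso"}),
    ("2021-05-26T09:15:40Z", "ws01", "mount",
     {"image": r"C:\Users\jdoe\Downloads\Special_Alert.iso", "drive": "E:"}),
    ("2021-05-26T09:16:05Z", "ws01", "process_start",
     {"proc": "rundll32.exe", "parent": "explorer.exe",
      "cmdline": r"rundll32.exe E:\docs\Reports.dll,Open"}),
    # ws02: a browser-downloaded ISO is mounted but nothing runs from it (benign, no alert).
    ("2021-05-26T11:00:00Z", "ws02", "file_write",
     {"proc": "chrome.exe", "path": r"C:\Users\asmith\Downloads\ubuntu.iso"}),
    ("2021-05-26T11:02:00Z", "ws02", "mount",
     {"image": r"C:\Users\asmith\Downloads\ubuntu.iso", "drive": "F:"}),
    # ws03: rundll32 from the system drive with no preceding ISO activity (benign, no alert).
    ("2021-05-26T12:00:00Z", "ws03", "process_start",
     {"proc": "rundll32.exe", "parent": "svchost.exe",
      "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"}),
]

# Assumption: the HTML attachment is opened in one of these browsers, so the ISO write comes from them.
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}
WINDOW = timedelta(minutes=30)  # maximum time between the stages of the chain (tunable)


def parse_ts(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def launched_from_drive(cmdline, drive):
    """True if the command line references a path on `drive` (e.g. 'E:\\...')."""
    pattern = r"(?<![A-Za-z0-9])" + re.escape(drive) + r"\\"
    return re.search(pattern, cmdline, re.IGNORECASE) is not None


def detect_iso_lnk_chain(events, window=WINDOW):
    """Return one alert per process started from an ISO that a browser wrote and the user mounted,
    with all three stages on the same host inside `window`."""
    alerts = []
    by_host = defaultdict(list)
    for stamp, host, etype, detail in events:
        by_host[host].append((parse_ts(stamp), etype, detail))
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e[0])
        iso_written = {}   # lower-cased image path -> time a browser wrote it
        mounted = {}       # drive letter -> (mount time, image path)
        for ts, etype, d in evs:
            if etype == "file_write":
                if d["path"].lower().endswith(".iso") and d["proc"].lower() in BROWSERS:
                    iso_written[d["path"].lower()] = ts
            elif etype == "mount":
                wrote = iso_written.get(d["image"].lower())
                if wrote is not None and ts - wrote <= window:
                    mounted[d["drive"].upper()] = (ts, d["image"])
            elif etype == "process_start":
                for drive, (mount_ts, image) in mounted.items():
                    if ts - mount_ts <= window and launched_from_drive(d["cmdline"], drive):
                        alerts.append({"host": host, "image": image, "drive": drive,
                                       "proc": d["proc"], "parent": d["parent"],
                                       "cmdline": d["cmdline"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_iso_lnk_chain(SAMPLE_EVENTS):
        print(f"[ALERT] {alert['host']}: {alert['proc']} (parent {alert['parent']}) "
              f"started from {alert['drive']} mounted from {alert['image']}")
```

The benign hosts matter as much as the hit: an ISO mount by itself (ws02) or rundll32 on its own (ws03) is common in an enterprise, and the rule stays quiet on both. Mapping real EDR fields into the record shape used here is the only adaptation needed.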

Below is an example of the phishing email sent by the threat actor impersonating the U.S. Agency for International Development (USAID):

May 25th campaign Indicators of Compromise:

INDICATOR                                                          | TYPE       | DESCRIPTION
ashainfo@usaid.gov                                                 | Email      | Spoofed email account
mhillary@usaid.gov                                                 | Email      | Spoofed email account
2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252   | SHA-256    | Malicious ISO file (container)
d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142   | SHA-256    | Malicious ISO file (container)
94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916   | SHA-256    | Malicious ISO file (container)
48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0   | SHA-256    | Malicious shortcut (LNK)
ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c   | SHA-256    | Cobalt Strike Beacon malware
ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330   | SHA-256    | Cobalt Strike Beacon malware
usaid.theyardservice[.]com                                         | Domain     | Subdomain used to distribute ISO file
worldhomeoutlet[.]com                                              | Domain     | Subdomain in Cobalt Strike C2
dataplane.theyardservice[.]com                                     | Domain     | Subdomain in Cobalt Strike C2
cdn.theyardservice[.]com                                           | Domain     | Subdomain in Cobalt Strike C2
static.theyardservice[.]com                                        | Domain     | Subdomain in Cobalt Strike C2
192[.]99[.]221[.]77                                                | IP address | IP resolved to by worldhomeoutlet[.]com
83[.]171[.]237[.]173                                               | IP address | IP resolved to by *theyardservice[.]com
theyardservice[.]com                                               | Domain     | Actor-controlled domain
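The indicators above are published defanged (“[.]”), so a hunt script has to refang them, match subdomains of the actor-controlled domain, and treat the Constant Contact sending domain differently from the spoofed sender accounts. The Python below is an added example for this alert, not code from Microsoft or Security On-Demand: the indicator values are copied from the table, while the DNS and mail log formats and the sample log lines are constructed assumptions of the example.

```python
"""Match the alert's published indicators against constructed sample DNS, mail and file-hash data."""
import re

# Indicators copied from the IoC table above, kept defanged exactly as published.
IOC_DOMAINS = [
    "theyardservice[.]com",   # actor-controlled domain; its subdomains are matched as well
    "worldhomeoutlet[.]com",  # Cobalt Strike C2
]
IOC_IPS = ["192[.]99[.]221[.]77", "83[.]171[.]237[.]173"]
IOC_SHA256 = {
    "2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252": "Malicious ISO file (container)",
    "d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142": "Malicious ISO file (container)",
    "94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916": "Malicious ISO file (container)",
    "48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0": "Malicious shortcut (LNK)",
    "ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c": "Cobalt Strike Beacon malware",
    "ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330": "Cobalt Strike Beacon malware",
}
SPOOFED_SENDERS = {"ashainfo@usaid.gov", "mhillary@usaid.gov"}
# Per the Details section, every sending address in the campaign ended with this domain.
SENDER_DOMAIN = "in.constantcontact.com"


def refang(indicator):
    """Turn the published 'example[.]com' / '1[.]2[.]3[.]4' form into a matchable string."""
    return indicator.replace("[.]", ".")


ACTOR_DOMAINS = [refang(d) for d in IOC_DOMAINS]
ACTOR_IPS = {refang(ip) for ip in IOC_IPS}


def match_domain(hostname):
    """Return the listed actor domain that `hostname` equals or is a subdomain of, else None."""
    host = hostname.lower().rstrip(".")
    for domain in ACTOR_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


# The log formats below are an assumption of this example, not a particular product's format.
DNS_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+) answer (?P<answer>\S+)$")
MAIL_LINE = re.compile(r"header_from=<(?P<hdr>[^>]+)> envelope_from=<(?P<env>[^>]+)> to=<(?P<to>[^>]+)>")


def scan_dns(lines):
    """(client, queried name, matched indicator) for queries hitting an actor domain or IP."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line)
        if not m:
            continue
        matched = match_domain(m["qname"]) or (m["answer"] if m["answer"] in ACTOR_IPS else None)
        if matched:
            hits.append((m["client"], m["qname"], matched))
    return hits


def scan_mail(lines):
    """(recipient, reason): a spoofed campaign sender is a hit; any other mail relayed through
    the campaign's sending domain is queued for review, as the Recommendations advise."""
    hits = []
    for line in lines:
        m = MAIL_LINE.search(line)
        if not m:
            continue
        hdr, env = m["hdr"].lower(), m["env"].lower()
        if hdr in SPOOFED_SENDERS:
            hits.append((m["to"], "spoofed sender " + hdr))
        elif env.endswith("@" + SENDER_DOMAIN):
            hits.append((m["to"], "review: relayed via " + SENDER_DOMAIN))
    return hits


def scan_hashes(hashes):
    """Map each known-bad SHA-256 in `hashes` to the alert's description of it."""
    return {h: IOC_SHA256[h] for h in (x.lower() for x in hashes) if h in IOC_SHA256}


# Constructed sample data (not real logs). DNS lines 1 and 3, mail lines 1 and 2, and the
# second hash are the matches a defender should expect; everything else stays quiet.
SAMPLE_DNS = [
    "2021-05-26T10:01:02Z 10.0.0.5 query cdn.theyardservice.com answer 83.171.237.173",
    "2021-05-26T10:02:00Z 10.0.0.6 query www.example.com answer 93.184.216.34",
    "2021-05-26T10:03:10Z 10.0.0.7 query updates.example.net answer 192.99.221.77",
]
SAMPLE_MAIL = [
    "2021-05-25T14:00:00Z header_from=<ashainfo@usaid.gov> envelope_from=<bounce-1@in.constantcontact.com> to=<jdoe@example.com>",
    "2021-05-25T14:05:00Z header_from=<news@vendor.example> envelope_from=<bounce-2@in.constantcontact.com> to=<asmith@example.com>",
    "2021-05-25T14:06:00Z header_from=<hr@example.com> envelope_from=<hr@example.com> to=<asmith@example.com>",
]
SAMPLE_HASHES = ["0" * 64, "48B5FB3FA3EA67C2BC0086C41EC755C39D748A7100D71B81F618E82BF1C479F0"]

if __name__ == "__main__":
    print(scan_dns(SAMPLE_DNS))
    print(scan_mail(SAMPLE_MAIL))
    print(scan_hashes(SAMPLE_HASHES))
```

Two details are deliberate: a query for any subdomain of theyardservice[.]com matches even if it is not one of the four listed (the table marks the apex as actor controlled), and mail relayed through in.constantcontact.com is only flagged for review rather than as malicious, since legitimate Constant Contact mail shares that envelope domain.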

MITRE ATT&CK techniques observed

This threat makes use of attacker techniques documented in the MITRE ATT&CK framework.

Initial access

T1566.003 Phishing: Spearphishing via Service—NOBELIUM used the legitimate mass mailing service Constant Contact to send their emails.

T1566.002 Phishing: Spearphishing Link—The emails sent by NOBELIUM include a URL that directs the user to the legitimate Constant Contact service, which then redirects to NOBELIUM-controlled infrastructure.

Execution

T1610 Deploy Container—Payload is delivered via an ISO file which is mounted on target computers.

T1204.001 User Execution: Malicious Link—The Cobalt Strike Beacon payload is executed via a malicious shortcut (LNK) file.

Command and control

T1071.001 Application Layer Protocol: Web Protocols—Cobalt Strike Beacons call out to attacker infrastructure via port 443.

Recommendations

At this time we are encouraging organizations to investigate and monitor communications matching the characteristics described in this alert.

Current mitigations include the following:

  • Turn on cloud-delivered protection in your antivirus product, or its equivalent
  • Run Endpoint Detection and Response (EDR) in block mode
  • Investigate any recent emails from the Constant Contact sender domain
  • Inform employees that this campaign is occurring, instruct them not to interact with the emails, and have them forward any such emails to the appropriate abuse department in your organization
  • Enable network protection to block access to malicious domains and other malicious content
  • Enable Multi-Factor Authentication (MFA) or two-factor authentication
  • Use attack surface reduction rules to block or audit activity associated with this threat. Example rules are blocking all Office applications from creating child processes, and blocking executable files from running unless they meet prevalence, age, or trusted-list criteria

These controls may have unintended business consequences, so it is important to assess and test any security control you implement for unforeseen issues.

SOD Actions

The Security On-Demand Threat Recon Unit will continue to monitor these events as information becomes available and will update your organization if any patching or additional security controls become available. Please contact us if you have any questions or concerns regarding this ongoing situation.

Sources

https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/

https://threatpost.com/solarwinds-nobelium-phishing-attack-usaid/166531/

https://www.zdnet.com/article/microsoft-warns-of-current-nobelium-phishing-campaign-impersonating-usaid/