Executive Summary
Microsoft’s Threat Intelligence Center (MSTIC) has released an advisory pertaining to a new Spear-Phishing campaign by the Russian threat group dubbed Nobelium. Nobelium has been labeled responsible for the Solar Winds compromise that took place in 2020. The start date for this campaign dates back to January 28th, 2021. However, the campaign escalated in late May of 2021. Additional information beyond what is provided in this Threat Flash Alert is available in the linked sources below.
Details
MSTIC initially discovered the campaign in February 2021, by identifying a wave of phishing emails that leveraged the Google ‘Firebase’ platform to stage an ISO file containing malicious content. They utilized this platform to also record attributes of those who access the URL.
This new campaign is taking advantage of the legitimate service Constant Contact to send these malicious links. The initial wave of these phishing emails appeared as a USAID special alert and contain links to this USAID “special Alert”.
This email affects email platforms and device types in different ways, including Apple and Linux machines. This is considered a spear-phishing campaign as the emails are tailored for the individual organizations they are targeting.
The email sender address is oriented different for each recipient but all end with the same @ domain “@in.constantcontact.com”. Due to the sender address these phishing emails easily bypass spam filters.
The current stage of this campaign aims to compromise systems through an HTML file attached to the spear-phishing email. When this file is opened by the user, a JavaScript within the HTML file writes an ISO file to disc and then encourages the target to open it. This results in the ISO file being mounted similar to an external or network drive.
After being mounted a shortcut file (LNK) executes a DLL which installed and executes a Cobalt Strike Beacon.
Below is an example of the phishing sent by the threat actor impersonating the U.S. Agency for International Development:
May 25th campaign Indicators of Compromise:
| INDICATOR | TYPE | DESCRIPTION |
| ashainfo@usaid.gov | Spoofed email account | |
| mhillary@usaid.gov | Spoofed email account | |
| 2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252 | SHA-256 | Malicious ISO file (container) |
| d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142 | SHA-256 | Malicious ISO file (container) |
| 94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916 | SHA-256 | Malicious ISO file (container) |
| 48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0 | SHA-256 | Malicious shortcut (LNK) |
| ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c | SHA-256 | Cobalt Strike Beacon malware |
| ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330 | SHA-256 | Cobalt Strike Beacon malware |
| usaid.theyardservice[.]com | Domain | Subdomain used to distribute ISO file |
| worldhomeoutlet[.]com | Domain | Subdomain in Cobalt Strike C2 |
| dataplane.theyardservice[.]com | Domain | Subdomain in Cobalt Strike C2 |
| cdn.theyardservice[.]com | Domain | Subdomain in Cobalt Strike C2 |
| static.theyardservice[.]com | Domain | Subdomain in Cobalt Strike C2 |
| 192[.]99[.]221[.]77 | IP address | IP resolved to by worldhomeoutlet[.]com |
| 83[.]171[.]237[.]173 | IP address | IP resolved to by *theyardservice[.]com |
| theyardservice[.]com | Domain | Actor controlled domain |
MITRE ATT&CK techniques observed
This threat makes use of attacker techniques documented in the MITRE ATT&CK framework
Initial access
T1566.003 Phishing: Spearphishing via Service—NOBELIUM used the legitimate mass mailing service, Constant Contact to send their emails.
T1566.002 Phishing: Spearphishing Link—The emails sent by NOBELIUM includes a URL that directs a user to the legitimate Constant Contact service that redirects to NOBELIUM-controlled infrastructure.
Execution
T1610 Deploy Container—Payload is delivered via an ISO file which is mounted on target computers.
T1204.001 User Execution: Malicious Link—Cobalt Strike Beacon payload is executed via a malicious link (LNK) file.
Command and control
T1071.001 Application Layer Protocol: Web Protocols—Cobalt Strike Beacons call out to attacker infrastructure via port 443.
Recommendations
At this time we are encouraging organizations to investigate and monitor communications matching the characteristics described below.
Currently mitigations include the following:
- Turning on cloud-delivered protection in your anti-virus or the equivalent in your antivirus products.
- Run Endpoint Detection and Response (EDR) in block mode
- Investigate any recent emails from Constant Contact sender domain
- Inform any employees that this campaign is occurring and to redirect any emails to the appropriate abuse department in your organization and no interaction with the emails should occur
- Enable network protection from accessing malicious domains or other malicious content
- Enable Multi-Factor Authentication (MFA) or two-factor authentication
- Use attack surface reduction rules to block or audit activity associated with this threat. Example rule would be to block all Office applications from creating child processes or block executable files from running unless they meet a prevalence age or trusted list criteria
These may have unintended business consequences, as such it is important to assess and test any security controls implemented for any unforeseen issues that may occur.
SOD Actions
As information is made available, the Security on Demand Threat Recon Unit will continue to monitor these events as information is forthcoming and will update your organization if any patching or additional security controls become available. Please contact us if you have any questions or concerns regarding this ongoing situation.
Sources
https://threatpost.com/solarwinds-nobelium-phishing-attack-usaid/166531/
