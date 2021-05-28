



According to Microsoft, the Kremlin-backed hackers behind the SolarWinds supply chain attack have been discovered running an email campaign that delivers malware-laden links to 150 government agencies, research institutes, and other organizations in the United States and 23 other countries.

The hackers, who belong to Russia's Foreign Intelligence Service, first compromised an account belonging to USAID, the US government agency that administers foreign aid and development assistance. By taking control of the agency's account with the online marketing firm Constant Contact, the hackers were able to send emails that appeared to come from addresses known to belong to the US agency.

Nobelium goes native

From there, the actor was able to distribute phishing emails that looked authentic but contained a link that, when clicked, inserted a malicious file used to distribute a backdoor called NativeZone, Microsoft said in a post published Thursday night. The backdoor can enable a wide range of activities, from data theft to infecting other computers on the network.

The campaign was run by a group Microsoft calls Nobelium, also known as APT29, Cozy Bear, and the Dukes. Security company Kaspersky says the group's malware dates back to 2008, and Symantec says the hackers have targeted governments and diplomatic organizations since at least 2010. Last December, Nobelium's notoriety reached new heights with the discovery that the group was behind the catastrophic breach of SolarWinds, the Austin, Texas, maker of network management tools. After thoroughly compromising the SolarWinds software development and distribution system, the hackers pushed malicious updates to approximately 18,000 customers of a tool called Orion. According to White House officials, the hackers used the update to compromise nine federal agencies and about 100 private-sector companies.

Blast from the past

On Tuesday, Nobelium blasted emails to 3,000 different addresses, purporting to deliver a special alert from USAID about new documents published by former President Trump concerning election fraud. One of the emails looked like this:

[Image: a sample of the phishing email. Credit: Microsoft]

According to Microsoft, a person who clicked the link was first taken to the legitimate Constant Contact service but was soon redirected to a file hosted on a server belonging to Nobelium. Once the target was redirected, JavaScript automatically downloaded a type of archive file called an ISO image to the visitor's device.

As the image below shows, the ISO image contained a PDF file, an LNK file named Reports, and a DLL file named documents, which are hidden by default.

[Image: contents of the ISO image. Credit: Microsoft]

When the target clicked the Reports file, the PDF opened as a decoy while the DLL ran in the background and installed the NativeZone backdoor. According to another post published by the Microsoft Threat Intelligence Center (MSTIC), the backdoor gives Nobelium persistent access to compromised machines, allowing the group to move laterally, exfiltrate data, and perform additional actions such as delivering more malware.

Tuesday's attack was the latest wave in what MSTIC said was a widespread malicious spam campaign that began in late January. Since then, the campaign has evolved through a series of iterations that show significant experimentation.

When Microsoft first saw the campaign, the ISO was hosted on Firebase, Google's cloud platform for mobile and web apps. According to Microsoft, the ISO image in this early iteration contained no malicious payload, so company researchers concluded that the goal was to record the attributes of users who accessed the URL. In a later phase, the campaign sent emails containing an HTML file; when it was opened, JavaScript wrote the ISO image to disk and prompted the target to open it.

The flow of this later attack phase is shown below.

[Image: attack flow diagram. Credit: Microsoft]
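The HTML-smuggling step described above (an HTML attachment whose JavaScript writes an embedded ISO to disk) can be screened for at a mail gateway. The following heuristic is an added example, not code from Microsoft, Volexity or the original article; the marker list, size threshold and sample HTML are constructed assumptions for the demo.

```python
"""Heuristic check for HTML smuggling of an ISO image: run it over an HTML
attachment to see whether it carries a large base64 blob that decodes to an
ISO 9660 image together with script that saves a file from the browser.
Constants and thresholds are assumptions, not values from the article."""
import base64
import re

# Browser idioms used to turn an embedded string into a downloaded file.
DROPPER_MARKERS = ("atob(", "new Blob(", "createObjectURL(", "msSaveOrOpenBlob(", ".download")
# ISO 9660 puts the Primary Volume Descriptor at sector 16 (offset 0x8000);
# the "CD001" standard identifier begins one byte into it.
ISO_SIG_OFFSET = 0x8001
MIN_BLOB_CHARS = 4096  # assumption: skip short base64 such as inline icons
B64_RE = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_BLOB_CHARS)


def analyze_html(html: str) -> dict:
    """Return found dropper markers, decoded blobs, and an overall verdict."""
    markers = [m for m in DROPPER_MARKERS if m in html]
    blobs = []
    for match in B64_RE.finditer(html):
        try:
            data = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # long run of base64 characters that is not base64
            continue
        is_iso = data[ISO_SIG_OFFSET:ISO_SIG_OFFSET + 5] == b"CD001"
        blobs.append({"size": len(data), "iso9660": is_iso})
    iso_found = any(b["iso9660"] for b in blobs)
    # The pattern from the article: file-saving script plus an embedded ISO.
    return {"markers": markers, "blobs": blobs, "iso_found": iso_found,
            "suspicious": iso_found and bool(markers)}


def build_sample_iso() -> bytes:
    """Constructed stand-in for an ISO: zeroed sectors with a PVD header."""
    img = bytearray(0x8000 + 2048)
    img[0x8000] = 1  # descriptor type 1 = primary volume descriptor
    img[0x8001:0x8006] = b"CD001"
    return bytes(img)


# Constructed samples: a smuggling page carrying the ISO, and a benign page.
SAMPLE_HTML = ("<html><body><script>var b = atob('%s');"
               "var f = new Blob([b]); var a = document.createElement('a');"
               "a.href = URL.createObjectURL(f); a.download = 'sample.iso';"
               "</script></body></html>"
               % base64.b64encode(build_sample_iso()).decode())
BENIGN_HTML = ('<html><body><img src="data:image/png;base64,%s"></body></html>'
               % base64.b64encode(b"\x89PNG" + bytes(60)).decode())
```

In practice the markers and the size threshold would be tuned against the gateway's own traffic, since legitimate pages also embed base64 data.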

iOS zero-day

Nobelium continued to experiment with multiple variations. In one wave, no ISO payload was delivered at all. Instead, a Nobelium-controlled web server profiled the target device; if it was an iPhone or iPad, the server delivered a zero-day exploit for CVE-2021-1879, an iOS vulnerability that allowed the hackers to perform universal cross-site scripting attacks. Apple patched the zero-day in late March.

MSTIC's post, published Thursday night, continued:

The experimentation continued throughout most of the campaign but began to escalate in April 2021. During the April wave, the actors stopped using Firebase and stopped tracking users with dedicated URLs. Their technique shifted to encoding the ISO within the HTML document and using the api.ipify.org service to store target host details on a remote server. The actors may also employ checks for certain internal Active Directory domains that terminate execution of the malicious process if an unintended environment is identified.

In May 2021, the actor changed techniques once more, maintaining the combination of HTML and ISO but dropping a custom .NET first-stage implant, detected as TrojanDownloader:MSIL/BoomBox, that reported host-based reconnaissance data to, and downloaded additional payloads from, the Dropbox cloud storage platform.

On May 25th, the NOBELIUM campaign escalated significantly. NOBELIUM sought to target approximately 3,000 individual accounts across more than 150 organizations using Constant Contact, a legitimate mass-mailing service. Due to the high volume of emails in this campaign, automated systems blocked most of them and marked them as spam. However, automated systems may have successfully delivered some of the earlier emails to recipients.

Meanwhile, security firm Volexity published its own post on Thursday to provide more details. Among them: The Documents.DLL file checked the target machine for the presence of security sandboxes and virtual machines, as shown below.

[Image: the sandbox and virtual machine checks in Documents.DLL. Credit: Volexity]

Both MSTIC and Volexity provided multiple indicators of compromise that organizations can use to determine whether they were targeted by the campaign. MSTIC further warned that this week's escalation is unlikely to be the last we see of Nobelium or its ongoing email campaign.

The MSTIC post concludes: Microsoft security researchers assess that Nobelium's spear-phishing operations are recurring and have increased in frequency and scope. It is anticipated that additional activity may be carried out by the group using an evolving set of tactics.

