Threat Update

Microsoft has actively been tracking a surge in spear phishing activity conducted by ‘Nobelium,’ the group behind the SUNBURST backdoor, TEARDROP and GoldMax malware.

Technical Detail & Additional Information

WHAT IS THE THREAT?

The threat group ‘Nobelium’ has historically targeted government organizations, think tanks, the military, IT service providers, telecom providers, and health and tech research companies. Microsoft’s Threat Intelligence Center (MSTIC) has now tracked significant phishing activity targeting more than 3,000 individual email addresses. The phishing campaign is still ongoing and uses the email marketing service Constant Contact to distribute malicious emails at scale while attempting to remain undetected: Nobelium relies on the service to hide its malicious links behind the mailing service’s own URLs. MSTIC has also stated that the campaign evolved as it progressed.

Microsoft has detailed that the campaign initially used Google’s Firebase platform to stage a malicious ISO file, which would eventually be downloaded to the target machine, while also recording which recipients clicked the embedded links to gain insight into how end users interacted with the email. According to MSTIC, the initial phase of the campaign did not compromise any systems, which indicates that the threat actor was conducting reconnaissance. In the following phase, Nobelium embedded the malicious ISO file directly into an HTML file attached to the email. When a user opens the attachment, JavaScript within the HTML document mounts the ISO file as a drive and eventually executes Cobalt Strike on the device. The group made further changes to the campaign over time, such as decommissioning its use of Firebase and relying solely on the embedded HTML attachment.
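The HTML-attachment stage described above (an ISO image carried inside the HTML file itself) leaves a detectable artifact: a large base64 run in the attachment that decodes to a file container. The scanner below is an added example written for this post, not Microsoft’s or Barracuda’s code. It walks an HTML attachment for base64 runs of at least 1 KiB, decodes each, and checks for the ISO 9660 volume-descriptor signature (`\x01CD001` at byte offset 32768) as well as a couple of other commonly smuggled containers. The sample attachments are constructed in the block (a hidden element holding an ISO-shaped blob, and a benign inline PNG); the size threshold and signature table are assumptions to tune for your environment.

```python
import base64
import re
from typing import Optional

# ISO 9660 primary volume descriptor: type byte 0x01 followed by "CD001",
# located at byte offset 32768 (sector 16 of a 2048-byte-sector image).
ISO_SIG_OFFSET = 32768
ISO_SIGNATURE = b"\x01CD001"

# Other containers frequently carried the same way; reported so an analyst
# sees them too. Extend as needed (assumed table, not an exhaustive list).
MAGIC_PREFIXES = {
    b"MZ": "pe-executable",
    b"PK\x03\x04": "zip-archive",
}

# Base64 runs of at least 1 KiB. Shorter runs are usually inline icons/fonts;
# the threshold is an assumption and can be raised to cut noise.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{1024,}={0,2}")


def classify_blob(blob: bytes) -> Optional[str]:
    """Return a container label for a decoded blob, or None if unrecognised."""
    end = ISO_SIG_OFFSET + len(ISO_SIGNATURE)
    if len(blob) > end and blob[ISO_SIG_OFFSET:end] == ISO_SIGNATURE:
        return "iso9660-image"
    for prefix, label in MAGIC_PREFIXES.items():
        if blob.startswith(prefix):
            return label
    return None


def scan_html_attachment(html: bytes) -> list:
    """Find large base64 runs in an HTML attachment and report any that decode
    to a known file container. Returns one finding dict per suspicious blob."""
    findings = []
    for match in B64_RUN.finditer(html):
        run = match.group(0)
        try:
            blob = base64.b64decode(run, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        kind = classify_blob(blob)
        if kind is not None:
            findings.append({
                "offset": match.start(),
                "encoded_len": len(run),
                "decoded_len": len(blob),
                "kind": kind,
            })
    return findings


def build_samples():
    """Constructed test inputs (not real campaign artifacts).

    - A 'smuggled' attachment: an ISO-shaped blob (zeros up to the volume
      descriptor, then the CD001 signature) stored base64-encoded in a hidden
      element. No drop logic is included; only the carrier is modelled.
    - A benign attachment: an inline PNG data URI large enough to pass the
      size threshold but which decodes to an image, not a container.
    """
    iso_like = b"\x00" * ISO_SIG_OFFSET + ISO_SIGNATURE + b"\x01\x00" + b"\x00" * 100
    smuggled = (b"<html><body><div hidden>"
                + base64.b64encode(iso_like)
                + b"</div></body></html>")

    png_like = b"\x89PNG\r\n\x1a\n" + b"\x00" * 1000
    benign = (b'<html><body><img src="data:image/png;base64,'
              + base64.b64encode(png_like)
              + b'"></body></html>')
    return smuggled, benign


if __name__ == "__main__":
    smuggled_html, benign_html = build_samples()
    print("smuggled:", scan_html_attachment(smuggled_html))
    print("benign:  ", scan_html_attachment(benign_html))
```

In a mail gateway or sandbox pipeline the same function can be run over every `text/html` attachment before delivery; a hit is a strong signal on its own, since legitimate HTML attachments rarely embed a disk image.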

The latest iteration of the campaign spoofs a USAID address (ashainfo@usaid.gov) as the visible sender, while the authentic sender address follows the standard Constant Contact addressing scheme with a domain ending in ‘@in.constantcontact.com’, and specifies ‘mhillary@usaid.gov’ as the reply-to address.

WHY IS IT NOTEWORTHY?

Nobelium is a top-tier threat actor that previously exploited the SolarWinds Orion platform to compromise over 18,000 organizations across the globe, and it has proven to be a very sophisticated and capable hacking group. The examples Microsoft cites as evidence of evolution and experimentation are cause for concern, as the threat actor is actively attempting to remain undetected and to implement more sophisticated means of compromising targeted systems.

WHAT IS THE EXPOSURE OR RISK?

The campaign targeted 150 organizations and roughly 3,000 user accounts. Most of the emails were blocked by automated systems because of the high volume of outbound mail; however, some emails may have been delivered successfully to recipients.

WHAT ARE THE RECOMMENDATIONS?

Organizations should ensure they use strong spam filtering and email protection, and should continuously run training exercises that teach employees how to spot, report, and act on phishing emails. Additionally, alerting on and blocking the IOCs provided by Microsoft (first reference link below) will surface any traffic to the Cobalt Strike C2 servers or to the domains hosting the malware.

  • Implement email protection.
  • Continuously educate employees on phishing attacks.
  • Ensure endpoint protection is up to date with the latest signatures.
  • Block IOCs provided by Microsoft.
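Alerting on the published IOCs means matching outbound traffic against them, and a naive string compare misses subdomains of a blocked domain and individual addresses inside a blocked range. The scanner below is an added example for this post, not Microsoft’s or Barracuda’s tooling. It matches proxy-log destinations against a domain list (with parent-domain matching) and an IP/CIDR list. The IOC values and the log lines are constructed placeholders; Microsoft’s actual indicators are not reproduced here and would be loaded in their place.

```python
import ipaddress
from urllib.parse import urlsplit

# Placeholder indicators (constructed; replace with the published IOC list).
DOMAIN_IOCS = {"placeholder-c2.example", "placeholder-staging.example"}
IP_IOCS = [ipaddress.ip_network("198.51.100.0/24")]  # TEST-NET-2 placeholder


def host_matches(host):
    """True if host is an IOC domain, a subdomain of one, or an IOC address."""
    host = host.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ip in net for net in IP_IOCS)
    labels = host.split(".")
    # Check host, then each parent domain: a.b.c -> a.b.c, b.c, c
    return any(".".join(labels[i:]) in DOMAIN_IOCS for i in range(len(labels)))


def scan_proxy_log(lines):
    """Return (timestamp, client, host) for each log line whose destination
    matches an IOC. Line format is constructed for this example:
    '<timestamp> <client-ip> <method> <url>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than fail the whole scan
        ts, client, _method, url = parts[:4]
        host = urlsplit(url).hostname or ""
        if host and host_matches(host):
            hits.append((ts, client, host))
    return hits


# Constructed proxy log lines (not real traffic).
SAMPLE_LOG = [
    "2021-05-28T14:02:11Z 10.0.0.15 GET https://cdn.placeholder-c2.example/update.bin",
    "2021-05-28T14:02:12Z 10.0.0.15 CONNECT https://198.51.100.23:443/",
    "2021-05-28T14:03:00Z 10.0.0.20 GET https://www.example.org/index.html",
    "2021-05-28T14:03:05Z 10.0.0.20 GET https://notplaceholder-c2.example/",
    "malformed line",
]


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("IOC hit:", hit)
```

The fourth sample line shows why parent-domain matching is label-based rather than a suffix string test: `notplaceholder-c2.example` must not match `placeholder-c2.example`.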

REFERENCES

For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact our Security Operations Center.


Posted by Doris Au

Doris is a product marketing manager at Barracuda MSP. In this position, she is responsible for connecting managed service providers with multi-layered security and data protection products that can protect their customers from today’s advanced cyber threats.
