The Kremlin-backed hackers behind the SolarWinds supply chain attack have been caught running a malicious email campaign that targeted about 150 government agencies, research institutes and other organizations in the US and 23 other countries with malware-laced messages, Microsoft said.
The hackers, who work for Russia's Foreign Intelligence Service (SVR), first compromised an account belonging to USAID, the US government agency that administers civilian foreign aid and development assistance. The account was with Constant Contact, an online marketing and mass-mailing service; controlling it let the hackers send emails that appeared to come from addresses owned by the US agency.
Nobelium becomes native
“From there, the actor was able to distribute phishing emails that looked authentic but contained a link that, when clicked, inserted a malicious file that was used to distribute a backdoor we call NativeZone,” Tom Burt, Microsoft's corporate vice president for customer security and trust, wrote in a post published Thursday night. “That backdoor could enable a wide range of activities from stealing data to infecting other computers on a network.”
The campaign was run by a group Microsoft calls Nobelium, also known as APT29, Cozy Bear and The Dukes. Security firm Kaspersky has said the group's malware dates back to 2008, and Symantec has said the hackers have targeted governments and diplomatic organizations since at least 2010.
Last December, Nobelium's notoriety reached a new high with the discovery that the group was behind the devastating breach of SolarWinds, the Austin, Texas-based maker of network management software. After thoroughly compromising SolarWinds' software build and distribution system, the hackers pushed malicious updates to roughly 18,000 customers of the company's Orion product. They then used those updates to compromise nine federal agencies and about 100 private-sector companies, White House officials said.
Blast from the past
On Tuesday, Nobelium sent emails to about 3,000 different addresses purporting to carry a special alert from USAID about new documents former President Trump had released concerning election fraud. One of the emails looked like this:
The link in the email led to an ISO disk image. As the following screenshot showed, the image contained a PDF file, an LNK shortcut named “Reports” and a DLL file named “Documents” that was hidden by default.
When a target clicked on the Reports shortcut, it opened the PDF as a decoy and ran the DLL in the background. The DLL in turn installed the NativeZone backdoor. A separate post published by the Microsoft Threat Intelligence Center (MSTIC) said the backdoor gave Nobelium persistent access to compromised machines, allowing the group to “achieve actions on objectives, such as lateral movement, data exfiltration and delivery of additional malware.”
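The shortcut-runs-hidden-DLL chain above leaves a recognizable trace in process-creation telemetry, and that is what a SOC can hunt for. The following is an added example, not code from the article, Microsoft or Volexity. It scans a few constructed process events (field names loosely follow Sysmon's ProcessCreate event) and flags Explorer-spawned rundll32.exe or regsvr32.exe loading a DLL that sits directly in the root of a non-system drive letter, which is where the contents of a mounted ISO appear. Two assumptions are mine: that the shortcut hands the DLL to rundll32 (the article only says the DLL was run in the background) and that the system drive is C:.

```python
import re

# Constructed sample process-creation events (not real telemetry). Field names
# loosely follow Sysmon's ProcessCreate event; one event per line, pipe-separated.
SAMPLE_EVENTS = [
    # Lure shortcut on a mounted ISO: Explorer -> rundll32 loading a DLL from the root of D:
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\rundll32.exe"
    "|CommandLine=rundll32.exe D:\\Documents.dll,Open",
    # Benign: user opened a Control Panel applet
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\rundll32.exe"
    "|CommandLine=rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
    # Benign: service host, not user-driven
    "ParentImage=C:\\Windows\\System32\\services.exe|Image=C:\\Windows\\System32\\svchost.exe"
    "|CommandLine=svchost.exe -k netsvcs",
    # Same lure pattern with regsvr32, a quoted path and a different drive letter
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\regsvr32.exe"
    "|CommandLine=regsvr32.exe /s \"E:\\Invoice.dll\"",
    # Benign: a DLL in a directory on the system drive
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\rundll32.exe"
    "|CommandLine=rundll32.exe C:\\Tools\\helper.dll,Run",
]

LOADERS = {"rundll32.exe", "regsvr32.exe"}   # LOLBins that execute a DLL from the command line
SYSTEM_DRIVE = "C:"                          # assumption: Windows is installed on C:
# A drive-letter path ending in .dll, optionally quoted; the lazy class stops at ',' and whitespace
DLL_PATH_RE = re.compile(r'"?([A-Za-z]:\\[^",\s]*?\.dll)"?', re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Split 'Key=Value|Key=Value' into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def dll_on_foreign_drive_root(command_line: str):
    """Return the DLL path if the command line loads a DLL sitting directly in the
    root of a drive other than the system drive (where a mounted ISO shows up), else None."""
    m = DLL_PATH_RE.search(command_line)
    if not m:
        return None
    path = m.group(1)
    drive, _, remainder = path.partition("\\")
    if drive.upper() == SYSTEM_DRIVE:
        return None
    if "\\" in remainder:        # nested directory: not the bare root of a mounted image
        return None
    return path


def is_suspicious_dll_launch(event: dict) -> bool:
    """Explorer (a user double-click) spawning a DLL loader against a DLL on a foreign drive root."""
    if basename(event.get("Image", "")) not in LOADERS:
        return False
    if basename(event.get("ParentImage", "")) != "explorer.exe":
        return False
    return dll_on_foreign_drive_root(event.get("CommandLine", "")) is not None


def hunt(lines) -> list:
    """Return the command lines of all events matching the lure pattern."""
    return [ev["CommandLine"] for ev in map(parse_event, lines) if is_suspicious_dll_launch(ev)]


if __name__ == "__main__":
    for cmd in hunt(SAMPLE_EVENTS):
        print("ALERT:", cmd)
```

Tune the drive-letter logic to the estate: an organization that maps data drives to D: for everyone will want an allowlist, and the check does not see the DLL's hidden attribute, which the page says the lure relied on, so pair it with Explorer "mounted ISO" events (Windows logs VHD/ISO mounts in the Microsoft-Windows-VHDMP channel) rather than treating it as a sole signal.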
Tuesday's attack was just the latest wave, MSTIC said, of a wide-ranging malicious spam campaign that began in late January. Since then the campaign has evolved through a series of iterations that showed “significant experimentation.”
The attack chain for this latest phase was as follows:
iOS zero day
Nobelium continued to experiment with several variations. In one wave no ISO payload was delivered at all. Instead, a Nobelium-controlled web server profiled the target device, and if it was an iPhone or iPad, the server delivered a then-zero-day exploit for CVE-2021-1879, a WebKit vulnerability in iOS that allowed the attackers to carry out a universal cross-site scripting (UXSS) attack. Apple patched the flaw at the end of March.
The MSTIC post from Thursday night continued:
The experimentation continued through most of the campaign but escalated in April 2021. During the April waves, the actor stopped using Firebase and stopped tracking users through a dedicated URL. Their techniques shifted to encoding the ISO within the HTML document and having the responsible code store target host details on a remote server via the api.ipify.org service. The actor sometimes employed checks for specific internal Active Directory domains that would terminate execution of the malicious process if it identified an unintended environment.
In May 2021, the actor changed techniques once more, maintaining the HTML and ISO combination but dropping a custom .NET first-stage implant, detected as TrojanDownloader:MSIL/BoomBox, that reported host-based reconnaissance data to, and downloaded additional payloads from, the Dropbox cloud storage platform.
On May 25, the NOBELIUM campaign escalated significantly. Using the legitimate mass-mailing service Constant Contact, NOBELIUM attempted to target around 3,000 individual accounts across more than 150 organizations. Due to the high volume of the campaign, automated systems blocked most of the emails and marked them as spam. However, automated systems might have successfully delivered some of the earlier emails to recipients.
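The “encode the ISO within the HTML document” step in the MSTIC excerpt above is HTML smuggling: the binary travels inside the page as a base64 string and is reassembled by script in the browser, so nothing that looks like an ISO crosses the mail or web gateway as a file. The example below is added here and is not code from Microsoft, Volexity or the article. It builds a constructed, minimal ISO 9660-like image (zero-filled, with only the CD001 identifier at its standard offset) and a constructed lure page that smuggles it, then shows the detection side: pull long base64 runs out of HTML, decode them, and test for the ISO signature rather than trusting file names or MIME types. The 2 KiB floor on base64 runs and the download-API regex are my own choices.

```python
import base64
import re

ISO_MAGIC = b"CD001"
ISO_MAGIC_OFFSET = 0x8001   # bytes 1-5 of the primary volume descriptor (sector 16, 2048-byte sectors)


def build_fake_iso(size: int = 0x8800) -> bytes:
    """Constructed stand-in for an ISO 9660 image: zero-filled, with only the
    volume descriptor identifier in place. Enough for signature checks; not mountable."""
    img = bytearray(size)
    img[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] = ISO_MAGIC
    return bytes(img)


def build_smuggling_page(payload: bytes, filename: str = "Reports.iso") -> str:
    """Constructed lure page using the usual HTML-smuggling shape: the file is a
    base64 literal in script, decoded by the browser and handed over as a download."""
    b64 = base64.b64encode(payload).decode("ascii")
    return (
        "<html><body><p>Loading document...</p>\n<script>\n"
        f'var data = "{b64}";\n'
        "var bytes = Uint8Array.from(atob(data), function (c) { return c.charCodeAt(0); });\n"
        'var blob = new Blob([bytes], {type: "application/octet-stream"});\n'
        'var a = document.createElement("a");\n'
        f'a.href = URL.createObjectURL(blob); a.download = "{filename}"; a.click();\n'
        "</script></body></html>\n"
    )


# Long base64 runs are worth decoding; 2 KiB is an arbitrary floor that skips tokens and hashes.
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{2048,}={0,2}")
# Script APIs that turn an in-memory blob into a saved file: a secondary indicator.
DOWNLOAD_HINT_RE = re.compile(r"createObjectURL|msSaveOrOpenBlob|\.download\s*=")


def find_smuggled_iso(html: str) -> list:
    """Decode every long base64 run in the page and report the ones carrying an ISO 9660 image."""
    hits = []
    for m in B64_RUN_RE.finditer(html):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except ValueError:          # not a clean base64 run (bad length or padding)
            continue
        # A short or non-ISO blob simply fails the signature comparison.
        if data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] != ISO_MAGIC:
            continue
        hits.append({
            "offset": m.start(),                        # where in the HTML the blob starts
            "size": len(data),                          # decoded size of the image
            "download_hint": DOWNLOAD_HINT_RE.search(html) is not None,
        })
    return hits


if __name__ == "__main__":
    page = build_smuggling_page(build_fake_iso())
    print(find_smuggled_iso(page))
```

The signature check is what keeps this from being a “block all large base64” rule: a data-URI image of the same size decodes without the CD001 marker and is left alone. The same loop extends to other magics (MZ for executables, PK for ZIP and OOXML). The obvious caveat is that a straight base64 literal is the simplest variant; attackers also split, reverse or XOR the string before reassembling it in script, so a gateway rule like this belongs beside the download-API hint and sandbox detonation, not in place of them.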
Security firm Volexity published its own post on Thursday with further details. Among them: the Documents.dll file checked the target machine for the presence of security sandboxes and virtual machines, as shown here:
Both MSTIC and Volexity provided indicators of compromise that organizations can use to determine whether they were targeted in the campaign. MSTIC went on to warn that this week's escalation is unlikely to be the last we see from Nobelium or its ongoing email campaign.
“Microsoft security researchers assess that the Nobelium spear-phishing operations are recurring and have increased in frequency and scope,” the MSTIC post concluded. “It is anticipated that additional activity may be carried out by the group using an evolving set of tactics.”