The threat group behind the notorious SolarWinds supply-chain attack is at work again with a sophisticated mass-email campaign that delivers malicious URLs leading to payloads which give the attackers persistent access to victim networks, a foothold from which they can pursue further intrusion activity.
Microsoft uncovered the SolarWinds attackers using the legitimate mass-mailing service Constant Contact, & posing as a US-based international-development organisation, to deliver malicious URLs to more than 150 organisations.
Microsoft Threat Intelligence Centre (MSTIC) began tracking this latest campaign by Nobelium (the actor behind what Microsoft previously called Solorigate) in late Jan., when it was still in the reconnaissance stage, & observed as it “evolved over a series of waves demonstrating significant experimentation,” according to a blog post by the Microsoft 365 Defender Threat Intelligence Team.
On Tues., researchers observed an escalation in the effort as the threat group began masquerading as a US-based development organisation to distribute emails containing the malicious URLs through Constant Contact, a legitimate mass-emailing service, they said. The attackers targeted a wide variety of organisations & industry verticals.
Beyond the widely disruptive SolarWinds incident, Nobelium is also the group behind the Sunburst backdoor & the Teardrop & GoldMax malware families. It has historically targeted a wide range of organisations, including govt. institutions, NGOs, think tanks, the military, IT service providers, health-technology & research companies & groups, & telecommunications providers.
The targets in the latest attack, which is ongoing, are 3,000 individual accounts across more than 150 organisations, “employing an established pattern of using unique infrastructure & tooling for each target, increasing their ability to remain undetected for a longer period of time,” researchers observed.
During the SolarWinds attack, Nobelium infected targets by pushing the custom Sunburst backdoor out through trojanised product updates to nearly 18,000 organisations around the globe. Because the backdoor rode in on legitimate vendor updates, the attack, which started in Mar. 2020, remained undetected until Dec., giving the attackers months to pick & choose which organisations to penetrate further & resulting in a sprawling cyber-espionage campaign that significantly affected the US Govt. & tech companies, among others.
There are a number of key differences between that attack & this latest campaign, which researchers attributed to “changes in the actor’s tradecraft & possible experimentation following widespread disclosures of previous incidents,” they explained.
MSTIC observed Nobelium changing tactics several times over the course of its latest campaign. After initial reconnaissance, the group mounted a series of spear-phishing campaigns from Feb. to April with a similar intent: to compromise systems through an HTML file attached to the email.
Throughout those months, the group experimented with alterations to both the email & the HTML document & the way it infected victims’ machines, researchers observed.
Earlier versions relied on an HTML attachment that, when opened, wrote an ISO disk image to the victim's machine for the user to mount, or fetched that ISO from Google's Firebase hosting. Further versions through April saw Nobelium experimenting with removing the ISO from Firebase & instead encoding it within the HTML document; redirecting the HTML document to an ISO that contained an RTF document with the malicious Cobalt Strike Beacon DLL encoded within it; & sending phishing emails with no HTML attachment at all, instead using a URL linking to a standalone website spoofing the targeted organisation to distribute the ISO.
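The HTML-encoded-ISO variant described above is a form of HTML smuggling: the attachment carries the payload as an encoded literal and uses browser APIs to write it out as a file on the victim's disk. The scanner below is an added example written for this article, not code from Microsoft or from the original report; it applies simple heuristics to a constructed sample attachment and a constructed benign newsletter. The indicator names, the 2,000-character literal threshold and both HTML samples are assumptions for illustration.

```python
import re
from typing import Dict, List

# Browser-side patterns that, together, turn an encoded literal into a downloaded file.
# Indicator names are this example's own; they are not taken from any vendor signature.
INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_construct": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url_or_save": re.compile(r"createObjectURL|msSaveOrOpenBlob"),
    "forced_download": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']"),
    "disk_image_name": re.compile(r"\.(?:iso|img|vhd|vhdx)\b", re.IGNORECASE),
}
# A base64 run long enough to carry a file rather than an inline icon.  The
# threshold is an assumption; tune it against real mail traffic.
LARGE_B64 = re.compile(r"[A-Za-z0-9+/]{2000,}={0,2}")
WRITE_OUT = ("blob_construct", "object_url_or_save", "forced_download")


def scan_html(html: str) -> Dict[str, object]:
    """Return indicator hits, the longest base64-like literal, and a verdict."""
    hits: List[str] = [name for name, rx in INDICATORS.items() if rx.search(html)]
    literal = max((len(m.group(0)) for m in LARGE_B64.finditer(html)), default=0)
    # Suspicious when an embedded payload is paired with any mechanism that writes it
    # to disk, or when most of the download machinery is present on its own.
    has_writer = any(h in hits for h in WRITE_OUT)
    suspicious = (literal > 0 and has_writer) or len(hits) >= 3
    return {
        "indicators": hits,
        "largest_literal": literal,
        "verdict": "suspicious" if suspicious else "clean",
    }


# Constructed samples for this example; neither is a real attachment.  The payload
# literal is filler text of the right alphabet, not a real disk image.
SMUGGLING_SAMPLE = """<html><body><p>Loading document...</p><script>
var data = "PAYLOAD";
var bytes = Uint8Array.from(atob(data), function (c) { return c.charCodeAt(0); });
var blob = new Blob([bytes], { type: "application/octet-stream" });
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "Documents.iso";
a.click();
</script></body></html>""".replace("PAYLOAD", "QUJD" * 600)

BENIGN_SAMPLE = ('<html><body><p>Monthly newsletter</p>'
                 '<a href="https://example.com/report.pdf">Read the report</a></body></html>')

if __name__ == "__main__":
    for label, sample in (("smuggling", SMUGGLING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_html(sample))
```

The heuristics deliberately do not try to decode the literal: a gateway that only flags attachments containing `atob` plus a download mechanism plus a multi-kilobyte literal will still catch the variant where the attacker hides the file type, while a single indicator on its own is common in legitimate web mail and should not block delivery.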
The campaign escalated sharply in May, when the group began using Constant Contact to target around 3,000 individual accounts across more than 150 organisations, researchers outlined.
“Due to the high-volume campaign, automated systems blocked most of the emails & marked them as spam,” researchers noted. “However, automated systems might have successfully delivered some of the earlier emails to recipients.”
Mass Email Service
It was during this phase that Nobelium began impersonating the US Agency for International Development (USAID), sending from a genuine Constant Contact sender address, so the mail originated from the legitimate service rather than from a spoofed domain, researchers noted. The sender address varied for each recipient & ended in <@in.constantcontact.com>, while the Reply-To address, which is where a victim's reply would actually go, was <email@example.com>.
The emails claimed to be a USAID alert about new documents published by former President Donald Trump on “election fraud” in the 2020 election, which Trump lost to President Joe Biden & about which his fraud claims were unfounded.
If a user clicked the link in the email, the URL first led to the legitimate Constant Contact service, which then redirected to Nobelium-controlled infrastructure via a URL that delivered a malicious ISO file, according to researchers.
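The sender pattern described above (a genuine bulk-mail service address in From, an unrelated Reply-To, and a display name claiming to be USAID) can be checked mechanically at the mail gateway before anyone clicks. The triage script below is an added example written for this article, not Microsoft's code or part of the original report; it parses a constructed message modelled on the description above using only the Python standard library. The bulk-sender list, the USAID watch-list entry, the sender local part, the subject line and the link domain are assumptions for illustration, not indicators from the real campaign.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List

# Sending domains of bulk-mail services that staff would not normally receive
# official correspondence from.  Assumption for this example: in.constantcontact.com
# is the domain named in the report; a real list would be site-specific.
BULK_SENDER_DOMAINS = {"in.constantcontact.com"}

# Organisations whose name in a display name should come from their own domain.
# Hypothetical watch list with a single entry.
IMPERSONATION_WATCH = {"usaid": "usaid.gov"}

URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def in_domain(dom: str, home: str) -> bool:
    return dom == home or dom.endswith("." + home)


def body_text(msg: Message) -> str:
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                     for p in parts)


def analyze(raw: str) -> Dict[str, object]:
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    flags: List[str] = []

    # Replies would go somewhere other than the sending domain that relayed the mail.
    if reply_dom and reply_dom != from_dom:
        flags.append("reply_to_domain_mismatch")
    # Message was relayed by a bulk-mail platform rather than the claimed organisation.
    if from_dom in BULK_SENDER_DOMAINS:
        flags.append("bulk_mailer_sender")
    # Display name claims an organisation the sending domain does not belong to.
    for keyword, home in IMPERSONATION_WATCH.items():
        if keyword in from_name.lower() and not in_domain(from_dom, home):
            flags.append("display_name_impersonation")
    # Links pointing at hosts unrelated to either address; redirector services land here.
    hosts = sorted({h.lower() for h in URL_HOST.findall(body_text(msg))})
    if any(not (in_domain(h, from_dom) or in_domain(h, reply_dom)) for h in hosts):
        flags.append("link_host_unrelated")

    return {"from_domain": from_dom, "reply_to_domain": reply_dom,
            "link_hosts": hosts, "flags": flags}


# Constructed message modelled on the report's description; addresses, subject line
# and link are placeholders, not indicators from the real campaign.
SAMPLE = """\
From: USAID <ccsend-0001@in.constantcontact.com>
Reply-To: USAID <email@example.com>
To: analyst@example.org
Subject: USAID Special Alert!
Content-Type: text/plain; charset="utf-8"

USAID has published new documents for your review:
https://links.example.net/tn.jsp?f=abc123
"""

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

None of these flags is a verdict on its own: legitimate newsletters also come from bulk mailers with tracking links. The combination that matters here is a display name claiming a government agency, a sending domain that is not that agency, and a Reply-To that is a third domain again; that is the signature of the pattern the report describes, and it is visible in the headers without following any link.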
Inside the mounted image sits a shortcut (LNK) file that loads the accompanying DLL. “The end result when detonating the LNK file is the execution of ‘C:\Windows\system32\rundll32.exe Documents.dll,Open’,” researchers observed. “The successful deployment of these payloads enables Nobelium to achieve persistent access to compromised systems.” Note that Documents.dll is passed by bare file name, so the loader's search order ultimately finds it in the shortcut's working directory, the mounted ISO, rather than in a system folder.
This persistence, in turn, enables the group to execute further malicious objectives, such as lateral movement, data exfiltration & delivery of additional malware, they added.
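The command line quoted above is a useful detection anchor: rundll32.exe is a signed system binary, but here it is handed a DLL by bare file name that lives on a freshly mounted image rather than in a system directory. The triage function below is an added example written for this article, not Microsoft's detection logic or any of the indicators it published; it runs over constructed process-creation events, one of which reproduces the quoted command line. The field names (Sysmon Event ID 1 style), the drive letter E: for the mounted ISO, the benign comparison events and the assumption that Windows lives on C: are all illustrative.

```python
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Directories from which rundll32 is expected to load DLLs.  Assumes the usual
# single-volume layout with Windows on C:.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_DRIVE = "c:"

_EXE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))\s*(.*)$')


def parse_rundll32(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (dll, export) when cmdline launches rundll32.exe, else None."""
    m = _EXE_RE.match(cmdline)
    if not m:
        return None
    exe = m.group(1) or m.group(2)
    if ntpath.basename(exe).lower() != "rundll32.exe":
        return None
    rest = m.group(3).strip()
    if rest.startswith('"'):                     # quoted DLL path, export follows the quote
        end = rest.find('"', 1)
        dll = rest[1:end] if end != -1 else rest[1:]
        after = rest[end + 1:].split() if end != -1 else []
        export = after[0].lstrip(",") if after else ""
    else:                                        # bare token: path,Export
        token = rest.split()[0] if rest else ""
        dll, _, export = token.partition(",")
    return dll, export


def analyze_event(event: Dict[str, str]) -> List[str]:
    """Flag rundll32 loads that do not come from a system directory on the system drive."""
    parsed = parse_rundll32(event.get("CommandLine", ""))
    if parsed is None or not parsed[0]:
        return []
    dll, _export = parsed
    findings: List[str] = []
    if not any(c in dll for c in "\\/:"):
        # Bare file name: resolved through the loader search order, which ends at the
        # working directory the shortcut set, so judge by that directory's drive.
        findings.append("relative_dll_path")
        drive = ntpath.splitdrive(event.get("CurrentDirectory", ""))[0]
    else:
        if not dll.lower().startswith(SYSTEM_DIRS):
            findings.append("non_system_dll")
        drive = ntpath.splitdrive(dll)[0]
    if drive and drive.lower() != SYSTEM_DRIVE:
        # A mounted ISO is exposed as its own drive letter, as is removable media.
        findings.append("non_system_drive")
    return findings


# Constructed Sysmon Event ID 1 style records, not real telemetry.  Event 0 is a
# benign Control Panel launch; event 1 reproduces the quoted command line with the
# shortcut's working directory on the mounted image (drive letter is an assumption).
EVENTS: List[Dict[str, str]] = [
    {"CommandLine": '"C:\\Windows\\System32\\rundll32.exe" C:\\Windows\\System32\\shell32.dll,Control_RunDLL hotplug.dll',
     "CurrentDirectory": "C:\\Windows\\System32"},
    {"CommandLine": "C:\\Windows\\system32\\rundll32.exe Documents.dll,Open",
     "CurrentDirectory": "E:\\"},
    {"CommandLine": 'rundll32.exe "E:\\Documents.dll",Open',
     "CurrentDirectory": "C:\\Users\\alice"},
    {"CommandLine": "rundll32.exe C:\\Users\\Public\\Documents.dll,Open",
     "CurrentDirectory": "C:\\Users\\alice"},
]


def triage(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (index, findings) for every event that raised at least one finding."""
    return [(i, f) for i, f in enumerate(analyze_event(e) for e in events) if f]


if __name__ == "__main__":
    for idx, findings in triage(EVENTS):
        print(idx, EVENTS[idx]["CommandLine"], findings)
```

The rule is deliberately narrow: it says nothing about what the DLL does, only that a system utility was asked to load code from outside the system directories, and, for the bare-name form, that the process was started with its working directory on a non-system volume. Pairing this with the parent process (explorer.exe launching rundll32 from a shortcut) and with a recent ISO mount event on the same host turns a noisy heuristic into a tight detection for the chain described above.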
MSTIC recommended a number of mitigations against the campaign as well as indicators of compromise to help an organisation identify if it is being targeted or if its systems are potentially infected.