The cybercriminal group behind the infamous SolarWinds attack has once again launched a large-scale, sophisticated email campaign whose payload carries malicious URLs, enabling the attackers to carry out further campaigns.
The Microsoft Threat Intelligence Center (MSTIC) began tracking this latest campaign from Nobelium (formerly Solorigate) in late January. According to a blog post by Microsoft’s 365 Defender Threat Intelligence team, the gang was still in the reconnaissance phase at the time, and it was observed to “evolve all the time.”
On Tuesday, researchers observed that the attack had begun to escalate: the threat group began masquerading as a US-based development organization and used the legitimate mass-mailing service Constant Contact to spread emails containing malicious URLs. The attackers target organizations of all kinds.
In addition to the highly damaging SolarWinds incident, Nobelium is the attack group behind the Sunburst backdoor, the Teardrop malware, and the GoldMax malware. The group has historically targeted a wide variety of organizations, including government agencies, NGOs, think tanks, the military, IT service providers, health technology and research companies and groups, and telecommunications providers.
The latest campaign is underway, targeting 3,000 individual accounts in more than 150 organizations. The researchers said: “Criminal gangs employ an established model and then use different infrastructure and attack tools for each target, so that they can go undetected for a longer period of time.”
In the SolarWinds attack, Nobelium successfully infected targets by disguising a Trojan as a software update service, pushing a customized Sunburst backdoor to nearly 18,000 organizations around the world. The attack, which had been under way since March 2020, remained undetected until December, giving the attackers more time to infiltrate victims further and leading to a serious cyber espionage campaign that greatly affected the information security of the US government and technology companies.
They said there were some key differences between that attack and this latest campaign, which the researchers attributed to “changes in the attacker’s techniques.”
MSTIC observed that Nobelium changed the tactics of the attack several times over the course of its latest attack. After completing the initial reconnaissance, the group launched a series of spear-phishing campaigns from February to April aimed at compromising systems via HTML attachments in emails.
During these months, the group modified both the emails and the HTML files, as well as the way it infected victims’ machines, the researchers observed.
In an April iteration, Nobelium stopped hosting the ISO file on Firebase and instead encoded it within the HTML document; the HTML document then redirected to an ISO file containing an RTF document with the malicious Cobalt Strike Beacon DLL encoded inside it.
The campaign intensified in May, when the group began using Constant Contact to target roughly 3,000 individual accounts at more than 150 organizations, the researchers said.
“Due to a high volume of recent attacks, security systems have blocked most emails and marked them as spam,” the researchers noted. However, some emails may have been delivered to recipients early on.
Use of mass-mailing services
The researchers noted that it was during this phase of the attack that Nobelium began impersonating an organization called the United States Agency for International Development (USAID) and successfully spoofed a sender email address matching the standard Constant Contact service. Each recipient’s address is different and ends with <@in.constantcontact.com>, and the reply-to address is <[email protected]>.
The emails purport to be an alert from USAID about documents released by former President Donald Trump about “election cheating” that Trump claims led to his loss to President Joe Biden in the 2020 election.
According to the researchers, if a user clicked on a link in the email, the URL would direct them to the legitimate Constant Contact service, which then redirected to Nobelium-controlled infrastructure via a URL that served a malicious ISO file.
“Clicking on the LNK file ends up executing ‘C:\Windows\system32\rundll32.exe’, and the successful deployment of these payloads enables Nobelium to have persistent access to the attacked system,” the researchers noted.
This persistence also enables the group to conduct further malicious attacks, such as lateral movement, data exfiltration and malware delivery, they added.
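The delivery pattern described above (a legitimate mailing-service sender with a reply-to elsewhere, and a link chain ending in an ISO file) can be turned into a simple mail-triage heuristic for defenders. The following is an added example written for this article, not code from Microsoft or the researchers; the sample message, the domains other than the quoted in.constantcontact.com sending domain, and the file name are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse, parse_qs
# Sending domain quoted in the article; everything else below is constructed.
SERVICE_SENDING_DOMAIN = "in.constantcontact.com"
SAMPLE_MAIL = """From: "USAID Alerts" <alerts@in.constantcontact.com>
Reply-To: <replies@example.org>
To: victim@example.net
Subject: Special alert
Content-Type: text/html

<html><body>
<a href="https://example.com/track?r=https://attacker.example/files/documents.iso">View documents</a>
<a href="https://example.com/unsubscribe">Unsubscribe</a>
</body></html>
"""

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def iso_links(html):
    """Return hrefs whose URL, or a URL carried in its query string, points at an .iso file."""
    hits = []
    for href in re.findall(r'href="([^"]+)"', html):
        # Tracking/redirect links often carry the final destination as a query value.
        candidates = [href]
        for values in parse_qs(urlparse(href).query).values():
            candidates.extend(values)
        if any(urlparse(c).path.lower().endswith(".iso") for c in candidates):
            hits.append(href)
    return hits

def triage(raw_message):
    """Check one message against the indicators described above; returns the findings."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    body = msg.get_payload(decode=True).decode(errors="replace")
    sent_via_service = from_domain == SERVICE_SENDING_DOMAIN
    # A mailing-service sender whose Reply-To points elsewhere is the mismatch noted above.
    reply_to_mismatch = bool(reply_domain) and reply_domain != from_domain
    links = iso_links(body)
    return {"sent_via_service": sent_via_service, "reply_to_mismatch": reply_to_mismatch,
            "iso_links": links, "suspicious": sent_via_service and (reply_to_mismatch or bool(links))}
```

Running `triage(SAMPLE_MAIL)` flags the constructed message on both the reply-to mismatch and the ISO link; a genuine mailing-service message with no reply-to mismatch and ordinary links is not flagged.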
MSTIC recommends a number of measures to address this campaign that can help an organization identify if it is being targeted or if its systems are potentially at risk of infection.