Microsoft has uncovered new email attacks from Nobelium, the threat actor behind the SolarWinds attacks. The attacks escalated on 25-May-2021 when Nobelium ran a campaign impersonating Constant Contact, a legitimate US-based email marketing service, to distribute malicious emails to a wide variety of organizations. Let’s see what information Microsoft has revealed about the new email attacks from Nobelium. See the captured IOCs with
The report states that the attack spans the globe, targeting more than 150 organizations linked to think tanks, consultants, government, and non-governmental organizations.
The threat actor sends a phishing email to the target with an HTML file as an attachment.
JavaScript within the HTML file writes an ISO file to disk and lures the victim into opening it. The ISO file is mounted much like an external or network drive.
From here, a shortcut file (.lnk) executes a Cobalt Strike Beacon DLL on the system.
Nobelium made several changes to the HTML file depending on the target, and Microsoft observed several experiments. In one, the ISO was removed from Firebase and instead encoded within the HTML document. In a second, the HTML document redirected to an ISO containing an RTF document, with the malicious Cobalt Strike Beacon DLL encoded within the RTF. In a third, the HTML was removed from the phishing email, and instead a URL led to an independent website spoofing the targeted organization, from which the ISO was distributed. In some cases, no ISO payload was delivered, but additional profiling of the target device was performed by an actor-controlled web server after a user clicked the link.
Follow these recommendations to reduce the impact of this threat:
Block the IOCs on your proxies, EDR tools, Microsoft O365, and firewalls.
Analyze firewall and Internet proxy logs for the presence of the given IOCs.
Avoid handling files or URL links in emails, chats, or shared folders from untrusted sources.
Isolate suspected systems from the network to stop the infection from spreading.
Keep anti-malware solutions at the endpoint and network level updated at all times.
Deploy Endpoint Detection & Response (EDR) tools to detect the latest malware and suspicious activity on endpoints.
Provide phishing awareness training to your employees and contractors.
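As an added example (not code from this article or from Microsoft's report), here is the log check from the second recommendation above in Python: it loads indicators written in the defanged "[.]" notation this post uses, refangs them, and scans proxy log lines for destination IPs and hostnames that match, treating subdomains of a listed domain as hits while rejecting lookalike suffixes. The indicators and log lines are constructed placeholders, and the four-field log layout is an assumption.

```python
import ipaddress
from urllib.parse import urlparse
# Constructed placeholder indicators in the advisory's defanged "[.]" notation (not the report's own IOCs).
DEFANGED_IOCS = """
IP Addresses:
203[.]0[.]113[.]77
Domains:
phish-example[.]net
"""

# Constructed proxy log lines (assumed layout): timestamp, source IP, destination IP, URL.
SAMPLE_LOG = [
    "2021-05-27T10:02:09Z 10.0.0.15 203.0.113.77 https://203.0.113.77/upd.iso",
    "2021-05-27T10:03:44Z 10.0.0.22 198.51.100.9 https://static.phish-example.net/a.iso",
    "2021-05-27T10:04:10Z 10.0.0.31 198.51.100.9 https://phish-example.net.example.org/",
]


def refang(value: str) -> str:
    # Undo defanging so the indicator compares equal to what the proxy recorded.
    return value.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def load_iocs(text: str):
    ips, domains = set(), set()  # heading lines such as "Domains:" are skipped
    for raw in text.splitlines():
        value = refang(raw)
        if not value or value.endswith(":"):
            continue
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:  # not an IP literal, treat as a domain
            domains.add(value.rstrip("."))
    return ips, domains


def host_matches(host: str, domains: set) -> bool:
    # Exact match or subdomain; the leading dot stops "phish-example.net.example.org" matching.
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_log(lines, ips, domains):
    # Returns (timestamp, source, indicator, kinds) for every line that hits an IOC.
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line; a production job would count these
        ts, src, dst_ip, url = parts
        host = urlparse(url).hostname or ""
        kinds = (["ip"] if dst_ip in ips else []) + (["domain"] if host_matches(host, domains) else [])
        if kinds:
            hits.append((ts, src, host or dst_ip, kinds))
    return hits
```

Each hit carries the source address, so the output doubles as the list of hosts to isolate under the fourth recommendation.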
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.