Microsoft has uncovered new email attacks from the Nobelium threat actor, the group behind the SolarWinds attacks. The attacks escalated on 25-May-2021, when Nobelium ran this campaign by impersonating the legitimate email marketing service Constant Contact, a US-based organization, and distributed malicious emails to a wide variety of organizations. Let’s see what information Microsoft has revealed about the new email attacks from Nobelium. See the captured IOCs with
Who Are the Primary Targets of This New Email Attack From Nobelium?
The report states that the attack spans the globe, targeting more than 150 organizations linked to think tanks, consultants, government, and non-governmental organizations.
How is the Nobelium Email Campaign Designed to Deliver the Malware?
- The threat actor sends a phishing email to the target with an HTML file as an attachment.
- From there, a shortcut file (.lnk) launches the Cobalt Strike Beacon DLL on the system.
Different Attack Vectors of These New Email Attacks From Nobelium:
Nobelium has made several changes to the HTML file depending on the type of target, and Microsoft has observed several experiments. In one, Nobelium removed the ISO from Firebase and instead encoded it within the HTML document itself. In a second instance, Nobelium experimented with redirecting the HTML document to an ISO that contained an RTF document, with the malicious Cobalt Strike Beacon DLL encoded within the RTF. In a third, Nobelium dropped the HTML attachment from the phishing email altogether; instead, a URL led to an independent website spoofing the targeted organization, from which the ISO was distributed. In some cases no ISO payload was delivered at all, but an actor-controlled web server performed additional profiling of the target device after the user clicked the link.
Indicators of Compromise (IOCs) Captured During the Analysis of ‘Email Attacks From Nobelium’
New IOCs Captured as of 2 June 2021
How to Be Protected From the New Nobelium Email Campaign?
Follow these recommendations to reduce the impact of this threat:
- Block the IOCs on your proxies, EDR tools, Microsoft O365, and firewalls.
- Analyze firewall and Internet proxy logs for the presence of the given IOCs.
- Avoid handling files or URL links in emails, chats, or shared folders from untrusted sources.
- Isolate suspected systems from the network to stop the infection from spreading.
- Keep anti-malware solutions at the endpoint and network level updated at all times.
- Deploy Endpoint Detection & Response (EDR) tools to detect the latest malware and suspicious activity on endpoints.
- Provide phishing awareness training to your employees and contractors.
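The second recommendation, checking firewall and proxy logs for the published IOCs, is easy to get wrong with a naive substring search (a lookalike domain such as `notmalicious-example.invalid` must not match an IOC of `malicious-example.invalid`, while a real subdomain must). The script below is an added example, not code from the article or from Microsoft: it parses constructed squid-style proxy log lines and reports destinations that hit a domain IOC (exact or subdomain match), an IP IOC, or an IOC CIDR range. The IOC values and log lines are placeholders constructed for the example, since the article's IOC list is not reproduced here; substitute the published IOCs before use.

```python
import ipaddress
import re
from typing import Dict, List, Set

# Placeholder IOCs, constructed for this example (RFC 2606 / RFC 5737 values).
# Replace them with the IOCs published for this campaign.
IOC_DOMAINS: Set[str] = {"malicious-example.invalid", "spoofed-org.invalid"}
IOC_IPS: Set[str] = {"198.51.100.23"}
IOC_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed proxy log lines in a simplified squid-style format:
# <timestamp> <client_ip> <result/status> <method> <url-or-host:port>
SAMPLE_LOG = """\
1622592000.101 10.0.0.5 TCP_MISS/200 GET https://update.windows-example.invalid/catalog
1622592001.222 10.0.0.7 TCP_MISS/200 GET https://cdn.malicious-example.invalid/x.iso
1622592002.333 10.0.0.9 TCP_MISS/200 CONNECT 198.51.100.23:443
1622592003.444 10.0.0.5 TCP_DENIED/403 GET http://203.0.113.77/report
1622592004.555 10.0.0.8 TCP_MISS/200 GET https://intranet.example.invalid/home
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+(?P<method>\S+)\s+(?P<target>\S+)$"
)
# Optional scheme, then everything up to the first '/' or ':' is the host.
HOST_RE = re.compile(r"^(?:[a-z]+://)?(?P<host>[^/:]+)")


def extract_host(target: str) -> str:
    """Return the lowercase host from a URL or a host:port CONNECT target."""
    m = HOST_RE.match(target.lower())
    return m.group("host") if m else ""


def host_matches(host: str) -> str:
    """Return the IOC that `host` hits, or '' if none.

    Domain IOCs match exactly or as the parent of a subdomain (never as a
    bare suffix, so lookalike names do not match). IP IOCs match exactly
    or by CIDR membership.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if host in IOC_IPS:
            return host
        for net in IOC_CIDRS:
            if ip in net:
                return str(net)
        return ""
    for dom in IOC_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return ""


def scan_proxy_log(text: str) -> List[Dict[str, str]]:
    """Parse each log line and return the ones whose destination hits an IOC."""
    hits: List[Dict[str, str]] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        host = extract_host(m.group("target"))
        ioc = host_matches(host)
        if ioc:
            hits.append({
                "client": m.group("client"),
                "host": host,
                "ioc": ioc,
                "status": m.group("status"),  # a denied request is still a lead
            })
    return hits


if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG):
        print(f"{h['client']} -> {h['host']} (IOC {h['ioc']}, proxy result {h['status']})")
```

Note that a hit with a `TCP_DENIED` result still identifies an endpoint that tried to reach actor infrastructure and is worth isolating and examining, per the remaining recommendations.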
Thanks for reading this article.