Malicious Email Campaign by NOBELIUM

Published on 28 May 2021

Updated on 28 May 2021

Microsoft has uncovered a wide-scale malicious email campaign operated by NOBELIUM, the threat actor behind the attacks against SolarWinds. The phishing campaign has targeted around 3,000 individual accounts across more than 150 organisations linked to government agencies, think tanks, consultants, and non-governmental organisations. 

 

This new wide-scale malicious email campaign leverages the legitimate mass-mailing service, Constant Contact, to masquerade as a US-based development organisation to distribute malicious links through phishing emails that looked authentic. Most of the malicious emails have been blocked by automated email threat detection systems and marked as spam. However, some automated systems may have successfully delivered some of the earlier emails to recipients either due to configuration and policy settings, or prior to detections being in place.

 

In the recent attacks observed, if the targeted users clicked on the link in the email, a malicious payload is then delivered to the target's computer. Successful execution of the malicious payload could allow attackers to perform malicious activities such as data exfiltration and the delivery of additional malware.

 

Organisations are advised to monitor their networks and systems for any suspicious activity, and adopt the following measures to reduce the impact of this threat: 

  • Turn on cloud-delivered protection in your anti-virus software to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.

  • Run Endpoint Detection and Response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft anti-virus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode (EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.).

  • Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the Internet.

  • Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.

  • Use device discovery to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.

  • Enable multifactor authentication (MFA) to mitigate compromised credentials. 

  • Turn on the following attack surface reduction rule to block or audit activity associated with this threat: Block all Office applications from creating child processes.


To detect the malicious emails, administrators can scan for the following Indicators Of Compromise (IOCs):

Table 1: Indicators of Compromise
INDICATOR TYPE DESCRIPTION
ashainfo[@]usaid[.]gov Email Spoofed email account
mhillary[@]usaid[.]gov Email Spoofed email account
2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252 SHA-256 Malicious ISO file (container)
d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142 SHA-256 Malicious ISO file (container)
94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916 SHA-256 Malicious ISO file (container)
48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0 SHA-256 Malicious shortcut (LNK)
ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c SHA-256 Cobalt Strike Beacon malware
ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330 SHA-256 Cobalt Strike Beacon malware
usaid.theyardservice[.]com Domain Subdomain used to distribute ISO file
worldhomeoutlet[.]com Domain Subdomain in Cobalt Strike C2
dataplane.theyardservice[.]com Domain Subdomain in Cobalt Strike C2
cdn.theyardservice[.]com Domain Subdomain in Cobalt Strike C2
static.theyardservice[.]com Domain Subdomain in Cobalt Strike C2
192[.]99[.]221[.]77 IP address IP resolved to by worldhomeoutlet[.]com
83[.]171[.]237[.]173 IP address IP resolved to by *theyardservice[.]com
theyardservice[.]com Domain Actor controlled domain
Administrators are encouraged to visit this site regularly to check for updates:
https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium

 

More information is available at:
https://blogs.microsoft.com/on-the-issues/2021/05/27/nobelium-cyberattack-nativezone-solarwinds