Microsoft warns of Nobelium phishing campaign impersonating USAID

Image: Microsoft

Microsoft is warning that Nobelium is conducting a phishing campaign after the Russian-backed group took control of an account used by USAID on the email marketing platform Constant Contact.

The phishing campaign targets about 000,000 accounts belonging to government agencies, think tanks, consultants and NGOs, Microsoft said. Most of the malicious emails went to the United States, but they reached at least 24 countries.

“Nobelium launched this week’s attacks by gaining access to USAID’s Constant Contact account,” said Tom Burt, Microsoft’s corporate vice president for customer security and trust.

“From there, the actor was able to deliver phishing emails that looked authentic but contained a link that, when clicked, inserted a malicious file used to distribute a backdoor. This backdoor could enable a wide range of activities from stealing data to infecting other computers on a network.”

Burt added that many of the emails had been blocked, and that there was no reason to think these attacks posed any risk to Microsoft products.

The campaign was first discovered in February, and Microsoft observed Nobelium changing its approach to getting its malicious code onto victims’ computers, a post from the Microsoft Threat Intelligence Center (MSTIC) said.

In one instance, if a Nobelium-controlled server detected an Apple iOS device, it served an exploit for a WebKit universal cross-site scripting vulnerability. Apple said Wednesday it is aware of active exploitation of the vulnerability.

“There were many iterations of the May 2 campaign. In one example, the emails appeared to come from USAID, while the authentic sender had an email address that matched the standard Constant Contact service,” MSTIC said.

“This address (which varies for each recipient) ends in @ … and the reply-to address is also shown.”
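The sender mismatch MSTIC describes above (a display name claiming USAID, an actual sender address belonging to a bulk mailing service, and a differing reply-to address) can be checked mechanically on incoming mail. The following is an added example, not code from the article or from Microsoft; the mailing-service domain, the impersonated organisation's domain and the sample message are constructed assumptions.

```python
"""Flag mail whose display name impersonates an organisation while the
real sender is a bulk mailing service (added example, constructed data)."""
from email import message_from_string
from email.utils import parseaddr

# Assumptions for illustration: a bulk-mail sending domain and the domains
# an organisation named in a display name legitimately sends from.
BULK_MAILER_DOMAINS = {"mail.bulk-sender.example"}
IMPERSONATED_ORGS = {"usaid": {"usaid.gov"}}


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess(raw: str) -> dict:
    """Return the findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    findings = []
    # 1. Display name claims an organisation the sender domain is not part of.
    claimed = [o for o in IMPERSONATED_ORGS if o in name.lower()]
    for org in claimed:
        if not any(from_dom.endswith(d) for d in IMPERSONATED_ORGS[org]):
            findings.append(f"display name claims {org} but sender domain is {from_dom}")
    # 2. The message was sent through a mass-mailing provider.
    if from_dom in BULK_MAILER_DOMAINS:
        findings.append("sent through a bulk mailing service")
    # 3. Replies are steered to a domain that differs from the sender.
    if reply_addr and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from {from_dom}")
    return {"from": from_addr, "reply_to": reply_addr, "findings": findings,
            "suspicious": bool(claimed) and len(findings) >= 2}


# Constructed sample: looks like USAID, really sent via a bulk mailer.
SAMPLE = """From: USAID Special Alert <recipient1234@mail.bulk-sender.example>
Reply-To: alerts@reply-host.invalid
Subject: Special alert
To: analyst@example.org

Please review the linked document.
"""
LEGIT = "From: USAID <news@usaid.gov>\nSubject: Newsletter\n\nHello\n"

if __name__ == "__main__":
    print(assess(SAMPLE))
```

Run against a mail gateway's quarantine export, the three findings together are the signal; any one alone (bulk mailers are widely used legitimately) is not.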

Once the link is clicked, a malicious ISO is delivered containing a decoy document, a shortcut, and a malicious DLL: a Cobalt Strike Beacon loader that Microsoft has dubbed NativeZone. If the shortcut is run, the DLL executes and Nobelium’s beacon loader runs.

“The successful deployment of these payloads enables Nobelium to gain continued access to compromised machines,” MSTIC said.

“So, the successful execution of these malicious payloads could enable Nobelium to perform tasks such as lateral movement, data exfiltration, and the delivery of additional malware.”

MSTIC said the Cobalt Strike Beacons communicated with command-and-control infrastructure, and it provided indicators of compromise in its post.

“It’s clear that part of Nobelium’s playbook is to gain access to trusted technology providers and infect their customers. By piggybacking on software updates and now on mass email providers, Nobelium increases the likelihood of collateral damage in espionage operations and lowers trust in the technology ecosystem,” Burt said.

“This is another example of how cyberattacks have become the tool of choice of a growing number of nation-states to meet diverse political objectives, with the focus of this attack on human rights and humanitarian organizations.”

Burt called on nations to follow clear rules for online operations, and for there to be consequences for violations.

“Microsoft will work closely with governments and the private sector to advance the cause of digital peace,” he said.

Nobelium is best known for the SolarWinds supply chain hack, in which a backdoor was planted in thousands of organizations; nine federal agencies and about 100 U.S. companies were actually compromised and had information stolen from them.

Microsoft has previously detailed pieces of malware used by the group.

In March, Mimecast said some of its source code and customer records were taken as part of the SolarWinds attack.
