SolarWinds hackers are back with a new mass-email campaign, Microsoft says

Microsoft said the Kremlin-backed hackers who targeted SolarWinds customers in a supply chain attack are running a malicious email campaign that delivered malware to government agencies, research institutes, and other organizations in the United States and 23 other countries.

The hackers, who work for Russia’s foreign intelligence service, gained control of an account belonging to USAID, a US government agency that administers civilian foreign aid and development assistance. With control of the agency’s account at the online marketing company Constant Contact, the hackers were able to send emails that appeared to come from addresses known to belong to a US government agency.

Nobelium goes native

“From there, the actor was able to distribute phishing emails that looked authentic but included a link that, when clicked, inserted a malicious file used to distribute a backdoor we call NativeZone,” wrote Tom Burt, Microsoft’s vice president of customer security and trust, in a post published Thursday evening. “This backdoor could enable a wide range of activities from stealing data to infecting other computers on a network.”

The campaign was carried out by a group that Microsoft calls Nobelium, also known as APT29, Cozy Bear, and the Dukes. Security firm Kaspersky says malware associated with the group dates back to 2008, while Symantec says the hackers have been targeting governments and diplomatic organizations since at least 2010.

Last December, Nobelium’s notoriety reached a new height when the group was found to be behind the catastrophic breach of SolarWinds, an Austin, Texas maker of network management tools. After gaining a foothold in SolarWinds’ software build and distribution system, the hackers delivered malicious updates to about 18,000 customers of the company’s Orion product. The hackers then used the updates to compromise nine federal agencies and about 100 private-sector companies, White House officials said.

Blast from the past

On Tuesday, Nobelium blasted emails to roughly 3,000 addresses. The messages purported to be a special alert from USAID about new documents on election fraud published by former President Trump. One of the emails looked like this:


People who clicked the link were first taken to the legitimate Constant Contact service but were quickly redirected to a file hosted on Nobelium-controlled servers, Microsoft said. Once the targets were redirected, JavaScript caused their devices to automatically download a type of archive file known as an ISO image.

As the image below shows, the ISO contains a PDF file, a LNK (shortcut) file named Reports, and a DLL file named Documents, which is hidden by default.



When a target clicks the Reports shortcut, it opens the PDF as a decoy and executes the DLL file in the background. The DLL, in turn, installs the NativeZone backdoor. According to a separate post published by the Microsoft Threat Intelligence Center, or MSTIC, the backdoor gave Nobelium persistent access to compromised machines, from which the group could perform tasks such as “lateral movement, data exfiltration, and delivery of additional malware.”
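A defender reading the chain above (mounted ISO, shortcut, hidden DLL) will want a hunting rule for it. The following is an added example, not code from the article, Microsoft, or Volexity. It runs over constructed Sysmon Event ID 1 (process creation) records and assumes two things the page does not state: that the shortcut launches the DLL through a living-off-the-land host such as rundll32.exe or regsvr32.exe, and that a mounted ISO appears as a fresh drive letter distinct from the system drive, so the DLL is loaded from the root of a non-system drive. The export name and timestamps in the sample records are invented.

```python
"""Toy hunting rule for an ISO -> LNK -> DLL execution chain.

Assumptions (not from the page): the LNK uses rundll32.exe/regsvr32.exe
to load the DLL, and the mounted ISO is a drive letter other than the
system drive, so the DLL path sits at the root of that drive.
"""
import re
from typing import Iterable

PROXY_HOSTS = {"rundll32.exe", "regsvr32.exe"}
SYSTEM_DRIVE = "C:"
# A DLL sitting at the root of a drive letter, e.g. D:\Documents.dll.
# Paths nested in directories (C:\Windows\System32\foo.dll) do not match.
ROOT_DLL_RE = re.compile(r"(?<![\w\\])([A-Za-z]:)\\([^\\\s\"']+\.dll)\b", re.I)


def alerts_for(event: dict) -> list[str]:
    """Return human-readable reasons this process-creation event is suspicious."""
    reasons: list[str] = []
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image not in PROXY_HOSTS:
        return reasons
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    for drive, dll in ROOT_DLL_RE.findall(event.get("CommandLine", "")):
        if drive.upper() != SYSTEM_DRIVE:
            reasons.append(f"{image} loads {dll} from root of non-system drive {drive.upper()}")
    if reasons and parent == "explorer.exe":
        reasons.append("parent is explorer.exe (consistent with a double-clicked LNK)")
    return reasons


def hunt(events: Iterable[dict]) -> list[tuple[str, list[str]]]:
    """Return (UtcTime, reasons) for every event that trips the rule."""
    return [(e["UtcTime"], r) for e in events if (r := alerts_for(e))]


# Constructed sample telemetry, not real logs. The ",Open" export is hypothetical.
SAMPLE_EVENTS = [
    {"UtcTime": "2021-05-25 14:02:11",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe D:\\Documents.dll,Open",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    # Benign: rundll32 loading a DLL from its normal system location.
    {"UtcTime": "2021-05-25 14:05:40",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    # Benign: not a proxy-execution host at all.
    {"UtcTime": "2021-05-25 14:07:03",
     "Image": "C:\\Program Files\\Foo\\foo.exe",
     "CommandLine": "foo.exe --config E:\\settings.dll",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for when, reasons in hunt(SAMPLE_EVENTS):
        print(when, "->", "; ".join(reasons))
```

The rule deliberately keys on the drive letter rather than on the DLL name, since the file names in a phishing lure change from wave to wave; pair it with Sysmon Event ID 11 or Windows event 4663 on the ISO mount point if you want to catch the mount itself.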

Tuesday’s attack was the latest wave of what MSTIC said was a widespread spear-phishing campaign that began in late January. Since then, the campaign has evolved through a series of waves that MSTIC described as “significant experimentation.”

When Microsoft first saw the campaign, the ISO was hosted on Firebase, Google’s cloud platform for mobile and web applications. At the time of this initial wave, Microsoft said, the ISO image carried no malicious payload, and company investigators concluded that its purpose was to “record the characteristics of those who accessed the URL.” In a later stage, the campaign sent emails carrying HTML attachments. When opened, embedded JavaScript wrote the ISO image to disk and encouraged the target to open it.

The flow of this last attack phase looked like this:


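The HTML-attachment stage described above, in which JavaScript assembles the ISO in the browser and hands it to the user, is usually called HTML smuggling. The following is an added example, not code from the article or from Microsoft: a heuristic scanner for HTML attachments that looks for the browser write-to-disk idiom (Blob plus URL.createObjectURL or msSaveOrOpenBlob), a download name ending in .iso, and a large inline base64 blob, then decodes the blob and checks for the ISO 9660 “CD001” volume-descriptor signature at sector 16. The smuggling and benign HTML samples are constructed here for the test; the embedded ISO is a zero-filled image with only the descriptor signature set, not any payload from the campaign.

```python
"""Heuristic scanner for HTML-smuggled ISO payloads (added example).

Looks for inline JavaScript that builds a file in the browser and offers
it for download, then decodes any large base64 blob and checks whether
it is an ISO 9660 image. Sample inputs are constructed, not real lures.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional

# ISO 9660: the primary volume descriptor occupies sector 16 (offset 0x8000);
# byte 0 is the descriptor type (1) and bytes 1-5 are the identifier "CD001".
ISO_PVD_OFFSET = 0x8000
ISO_MAGIC = b"CD001"

# Browser APIs commonly used to hand a generated file to the user.
WRITE_TO_DISK_RE = re.compile(r"msSaveOrOpenBlob|URL\.createObjectURL|new\s+Blob\s*\(", re.I)
DOWNLOAD_NAME_RE = re.compile(r"""['"]([\w\-. ]+\.iso)['"]""", re.I)
# Quoted base64 runs of 512+ characters; short tokens and hashes are ignored.
B64_BLOB_RE = re.compile(r"""['"]([A-Za-z0-9+/]{512,}={0,2})['"]""")


@dataclass
class Verdict:
    suspicious: bool
    reasons: List[str] = field(default_factory=list)
    download_name: Optional[str] = None


def looks_like_iso(data: bytes) -> bool:
    """True if the bytes carry an ISO 9660 primary volume descriptor."""
    return (len(data) > ISO_PVD_OFFSET + 6
            and data[ISO_PVD_OFFSET + 1:ISO_PVD_OFFSET + 6] == ISO_MAGIC)


def scan_html(html: str) -> Verdict:
    v = Verdict(suspicious=False)
    if not WRITE_TO_DISK_RE.search(html):
        return v  # no browser-side file creation: out of scope for this rule
    v.reasons.append("javascript write-to-disk idiom present")
    m = DOWNLOAD_NAME_RE.search(html)
    if m:
        v.download_name = m.group(1)
        v.reasons.append(f"download name {m.group(1)!r}")
    for blob in B64_BLOB_RE.findall(html):
        try:
            data = base64.b64decode(blob, validate=True)
        except binascii.Error:
            continue
        v.reasons.append(f"embedded base64 blob ({len(data)} bytes decoded)")
        if looks_like_iso(data):
            v.reasons.append("decoded blob carries ISO 9660 CD001 descriptor")
    v.suspicious = v.download_name is not None or any("CD001" in r for r in v.reasons)
    return v


def _fake_iso(size: int = 0x9000) -> bytes:
    """Zero-filled image with only the volume-descriptor signature set (constructed)."""
    buf = bytearray(size)
    buf[ISO_PVD_OFFSET] = 1
    buf[ISO_PVD_OFFSET + 1:ISO_PVD_OFFSET + 6] = ISO_MAGIC
    return bytes(buf)


# Constructed smuggling sample: decodes base64, wraps it in a Blob, clicks a download link.
SMUGGLING_SAMPLE = f"""<html><body><script>
var b = atob('{base64.b64encode(_fake_iso()).decode()}');
var a = new Uint8Array(b.length); for (var i = 0; i < b.length; i++) a[i] = b.charCodeAt(i);
var blob = new Blob([a], {{type: 'application/octet-stream'}});
var l = document.createElement('a'); l.href = URL.createObjectURL(blob);
l.download = 'Reports.iso'; l.click();
</script></body></html>"""

# Constructed benign samples: an inline image, and a legitimate CSV export.
BENIGN_IMAGE_SAMPLE = "<html><body><img src='data:image/png;base64," + "A" * 600 + "'></body></html>"
BENIGN_CSV_SAMPLE = """<html><body><script>
var csv = 'a,b\\n1,2'; var blob = new Blob([csv], {type: 'text/csv'});
var l = document.createElement('a'); l.href = URL.createObjectURL(blob);
l.download = 'report.csv'; l.click();
</script></body></html>"""

if __name__ == "__main__":
    for name, sample in [("smuggling", SMUGGLING_SAMPLE), ("image", BENIGN_IMAGE_SAMPLE),
                         ("csv", BENIGN_CSV_SAMPLE)]:
        print(name, scan_html(sample))
```

Real lures often split or obfuscate the base64 string to defeat exactly this kind of regex, so treat the blob decode as a confidence booster and the write-to-disk idiom plus a .iso (or .img, .vhd) download name as the primary signal.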
iOS zero-day

Nobelium continued to experiment with multiple variations. In one, no ISO payload was delivered at all. Instead, a Nobelium-controlled web server profiled the target device. If the device was an iPhone or iPad, the server delivered an exploit for CVE-2021-1879, an iOS vulnerability that allows attackers to carry out a universal cross-site scripting attack. Apple patched the zero-day at the end of March.

Thursday evening’s MSTIC post continued:

Experimentation continued through most of the campaign but began to escalate in April 2021. During the waves in April, the actor abandoned the use of Firebase and no longer tracked users with a dedicated URL. Their techniques shifted to encoding the ISO within the HTML document and storing details of the targeted host on remote servers through the use of an external service. The actor sometimes employed checks for specific internal Active Directory domains that would terminate execution of the malicious process if it identified an unintended environment.

In May 2021, the actor changed techniques again by maintaining the combination of HTML and ISO, but dropped a custom .NET first-stage implant, detected as TrojanDownloader:MSIL/BoomBox, that reported host-based reconnaissance data to, and downloaded additional payloads from, the Dropbox cloud storage platform.

On May 25, the NOBELIUM campaign escalated significantly. Using the legitimate mass-mailing service Constant Contact, NOBELIUM attempted to target around 3,000 individual accounts across more than 150 organizations. Due to the high volume of the campaign, automated systems blocked most of the emails and marked them as spam. However, automated systems might have successfully delivered some of the earlier emails to recipients.

Security firm Volexity, meanwhile, published its own post on Thursday that provides additional details. In it, the firm showed the checks the DLL file performs on targeted machines to detect security sandboxes and virtual machines:


Both MSTIC and Volexity provided multiple indicators of compromise that organizations can use to determine if they were targeted in the campaign. MSTIC went on to warn that this week’s escalation is unlikely to be the end of Nobelium or its ongoing email campaign.

“Microsoft security researchers assess that the Nobelium spear-phishing operations are recurring and have increased in frequency and scope,” the MSTIC post concluded. “It is anticipated that additional activity may be carried out by the group using an evolving set of tactics.”
