Microsoft has managed to uncover a wide-scale email campaign launched and operated by ‘NOBELIUM,’ the same group of actors who are considered responsible for the supply-chain attacks against users of the SolarWinds Orion. According to Microsoft’s threat intelligence team, the particular email campaign appears to have started in January 2021 and has signs of rampant experimentation that lasted until May 25, 2021. At that date, NOBELIUM leveraged the mass-mailing service ‘Constant Contact’ to scale up the operation and send out large numbers of emails masquerading as a U.S.-based development organization.
The targeting scope of the attack includes approximately 3,000 accounts across 150 companies and organizations operating in a variety of sectors. The emails carry an HTML file as an attachment, and if the recipient opens that, a JavaScript snippet runs to mount an ISO file as an external or network drive on the machine. In there, an LNK file executes a DLL which launches the Cobalt Strike beacon on the compromised computer.
The mass-scale distribution achieved through ‘Constant Contact’ caused some trouble to NOBELIUM, as the high volumes of incoming mail triggered automated systems that blocked the messages and marked them as spam. However, as Microsoft warns, this doesn’t mean everything was prevented from being delivered.
The latest organization mimicked by the actors is USAID (U.S. Agency for International Development). The messages are presented as alerts about former U.S. President Donald Trump publishing new documents that prove the election fraud claims that shook the country at the start of the year. Of course, the actors could change their spear-phishing theme any time, especially now that this particular one has been unmasked.
For Microsoft, there are three reasons why this campaign is notable:
It is important to note that this campaign is still pretty much active, so checking the indicators of compromise given at the bottom of Microsoft’s analysis could help save you from great troubles. As always, you are advised to enable MFA on all accounts, turn on cloud-delivered protection, and run EDR in block mode.