
Nobelium Phishing Campaign Poses as USAID
2021-05-28 13:13

The cybercriminal group behind the notorious SolarWinds attack is at it again, this time with a sophisticated mass email campaign that delivers malicious URLs leading to payloads that establish persistence on the victim's network, giving the actors a foothold for further nefarious activity.

Microsoft Threat Intelligence Center (MSTIC) began tracking this latest Nobelium campaign in late January, while it was still in the reconnaissance stage, and observed as it "evolved over a series of waves demonstrating significant experimentation," according to a blog post by the Microsoft 365 Defender Threat Intelligence Team.

During the SolarWinds attack, Nobelium infected targets by pushing out the custom Sunburst backdoor via trojanized product updates to nearly 18,000 organizations around the globe.

MSTIC observed Nobelium changing tactics several times over the course of its latest campaign.

Further iterations through April saw Nobelium experimenting with several delivery variations: removing the ISO from Firebase and instead encoding it within the HTML document itself; redirecting the HTML document to an ISO containing an RTF document with the malicious Cobalt Strike Beacon DLL encoded within it; and sending phishing emails with no accompanying HTML at all, instead using a URL that linked to an independent website spoofing the targeted organization to distribute the ISO. The campaign ramped up significantly in May, when the group began leveraging the Constant Contact email service to target around 3,000 individual accounts across more than 150 organizations, researchers said.

MSTIC recommended a number of mitigations against the campaign and published indicators of compromise to help organizations determine whether they are being targeted or whether their systems may already be infected.


News URL

https://threatpost.com/solarwinds-nobelium-phishing-attack-usaid/166531/