US Seizes Domains Used by SolarWinds Hackers in Cyber Espionage Attacks (Security News, June 2021)

Secureworks and Volexity shed light on a new spear-phishing activity unleashed by the Russian hackers who breached SolarWinds IT management software, the U.S. Department of Justice Tuesday said it intervened to take control of two command-and-control and malware distribution domains used in the campaign.
Com - were used to communicate and control a Cobalt Strike beacon called NativeZone that the actors implanted on the victim networks.
The wide-scale campaign, which was detected on May 25, leveraged a compromised USAID account at a mass email marketing company called Constant Contact to send phishing emails to approximately 3,000 email accounts at more than 150 different organizations.
Com was used to gain an initial foothold into the victim machine, exploiting it to retrieve the Cobalt Strike backdoor to maintain persistent presence and potentially deliver additional payloads.
The company has since identified three more unique pieces of malware used in the infection chain, namely BoomBox, EnvyScout, and VaporRage, adding to the attackers' growing arsenal of hacking tools such as Sunburst, Sunspot, Raindrop, Teardrop, GoldMax, GoldFinder, Sibot, and Flipflop, once again demonstrating Nobelium's operational security priorities when targeting potentially high-risk and high-visibility environments.
While BoomBox is a downloader to obtain a later-stage payload from an actor-controlled Dropbox account, VaporRage is a shellcode loader used to download, decode, and execute an arbitrary payload fully in-memory.