Security News > 2021 > June > US Seizes Domains Used by SolarWinds Hackers in Cyber Espionage Attacks

Secureworks, and Volexity shed light on a new spear-phishing activity unleashed by the Russian hackers who breached SolarWinds IT management software, the U.S. Department of Justice Tuesday said it intervened to take control of two command-and-control and malware distribution domains used in the campaign.
Com - were used to communicate and control a Cobalt Strike beacon called NativeZone that the actors implanted on the victim networks.
The wide-scale campaign, which was detected on May 25, leveraged a compromised USAID account at a mass email marketing company called Constant Contact to send phishing emails to approximately 3,000 email accounts at more than 150 different organizations.
Com was used to gain an initial foothold into the victim machine, exploiting it to retrieve the Cobalt Strike backdoor to maintain persistent presence and potentially deliver additional payloads.
The company has since identified three more unique pieces of malware used in the infection chain, namely BoomBox, EnvyScout, and VaporRage, adding to the attackers' growing arsenal of hacking tools such as Sunburst, Sunspot, Raindrop, Teardrop, GoldMax, GoldFinder, Sibot, and Flipflop, once again demonstrating Nobelium's operational security priorities when targeting potentially high-risk and high-visibility environments.
While BoomBox is a downloader to obtain a later-stage payload from an actor-controlled Dropbox account, VaporRage is a shellcode loader used to download, decode, and execute an arbitrary payload fully in-memory.
News URL
Related news
- Microsoft: Hackers steal emails in device code phishing attacks (source)
- Winnti APT41 Targets Japanese Firms in RevivalStone Cyber Espionage Campaign (source)
- Chinese Hackers Exploit MAVInject.exe to Evade Detection in Targeted Cyber Attacks (source)
- Chinese hackers use custom malware to spy on US telecom networks (source)
- Bybit Hack Traced to Safe{Wallet} Supply Chain Attack Exploited by North Korean Hackers (source)
- Hackers Exploit Paragon Partition Manager Driver Vulnerability in Ransomware Attacks (source)
- Hackers Exploit AWS Misconfigurations to Launch Phishing Attacks via SES and WorkMail (source)
- US charges Chinese hackers linked to critical infrastructure breaches (source)
- Feds name and charge alleged Silk Typhoon spies behind years of China-on-US attacks (source)
- China-Linked MirrorFace Deploys ANEL and AsyncRAT in New Cyber Espionage Operation (source)