
US Seizes Domains Used by SolarWinds Hackers in Cyber Espionage Attacks
2021-06-02 22:55

Secureworks, and Volexity shed light on a new spear-phishing activity unleashed by the Russian hackers who breached SolarWinds IT management software, the U.S. Department of Justice said on Tuesday that it had intervened to take control of two command-and-control and malware distribution domains used in the campaign.

Com - were used to communicate and control a Cobalt Strike beacon called NativeZone that the actors implanted on the victim networks.

The wide-scale campaign, which was detected on May 25, leveraged a compromised USAID account at a mass email marketing company called Constant Contact to send phishing emails to approximately 3,000 email accounts at more than 150 different organizations.

Com was used to gain an initial foothold into the victim machine, exploiting it to retrieve the Cobalt Strike backdoor to maintain persistent presence and potentially deliver additional payloads.

The company has since identified three more unique pieces of malware used in the infection chain, namely BoomBox, EnvyScout, and VaporRage, adding to the attackers' growing arsenal of hacking tools such as Sunburst, Sunspot, Raindrop, Teardrop, GoldMax, GoldFinder, Sibot, and Flipflop, once again demonstrating Nobelium's operational security priorities when targeting potentially high-risk and high-visibility environments.

While BoomBox is a downloader to obtain a later-stage payload from an actor-controlled Dropbox account, VaporRage is a shellcode loader used to download, decode, and execute an arbitrary payload fully in-memory.
News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/QOTlxn4gFa8/us-seizes-domains-used-by-solarwinds.html

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Solarwinds 56 33 101 81 50 265