Microsoft has warned about a phishing campaign launched by Nobelium, which is a Russian-affiliated group.
Around 3,000 accounts were targeted in the phishing campaign, among them government agencies and non-governmental organizations. Most were in the US, but the campaign reached targets in at least 24 countries, Microsoft says.
The hackers gained access to the account of USAID’s email marketing platform Constant Contact:
“Nobelium launched this week’s attacks by gaining access to the Constant Contact account of USAID,” Microsoft corporate vice president of customer security and trust Tom Burt said.
The actor then used phishing emails to distribute a malicious file that could allow them to infect a Windows system:
“From there, the actor was able to distribute phishing emails that looked authentic but included a link that, when clicked, inserted a malicious file used to distribute a backdoor we call NativeZone. This backdoor could enable a wide range of activities from stealing data to infecting other computers on a network,” Burt said.
Nobelium, which Microsoft has been tracking since February, frequently changed its methods to get its malicious code onto victims’ computers, a post from the Microsoft Threat Intelligence Center (MTIC) said. In one instance, if an attacker’s server detected an Apple iOS device, it exploited a WebKit universal cross-site scripting vulnerability.
In one campaign, the emails appeared to come from USAID, while the actual sender address was a legitimate Constant Contact service address:
“The emails appear to originate from USAID, while having an authentic sender email address that matches the standard Constant Contact service,” MTIC said. “This address (which varies for each recipient) ends in @in.constantcontact.com… and a Reply-To address of was observed.”
Once the link is clicked, an ISO is delivered containing a decoy document and a malicious DLL that carries a Cobalt Strike Beacon loader Microsoft has dubbed NativeZone. The DLL is then executed and Nobelium’s Beacon is deployed.
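The header pattern MTIC describes (a From address presenting as USAID, a real sender address ending in @in.constantcontact.com, and a Reply-To pointing elsewhere) together with the ISO link is something a mail-gateway or SOC triage script can flag. The following is an added example written for this article, not code from Microsoft or from the campaign analysis. It uses only Python's standard `email` library; the sample messages, the usaid.gov From address, the Reply-To domain and the lure URL are constructed placeholders, and the only campaign detail taken from the article is the @in.constantcontact.com sender suffix.

```python
"""Defender-side header triage for the lure pattern described in the article.

Added example, not from the article or Microsoft. Parses a raw message,
extracts the domains claimed in From, Sender/Return-Path and Reply-To, and
returns findings for review: a From domain that differs from the transmitting
address, a third-party marketing-platform sender, a Reply-To on yet another
domain, and a link to an .iso file in the body.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample (not a real capture). The usaid.gov address, the
# Reply-To domain and the lure URL are placeholders for illustration.
SUSPICIOUS_EML = b"""\
From: "USAID" <special.alerts@usaid.gov>
Sender: bounce-001@in.constantcontact.com
Return-Path: <bounce-001@in.constantcontact.com>
Reply-To: alerts@example-attacker-domain.invalid
To: analyst@example.org
Subject: USAID Special Alert
Content-Type: text/plain; charset=utf-8

Please review the attached document:
https://example-lure.invalid/download/report.iso
"""

# Constructed benign sample: consistent headers, no Reply-To, no ISO link.
BENIGN_EML = b"""\
From: "IT Helpdesk" <helpdesk@example.org>
Return-Path: <helpdesk@example.org>
To: analyst@example.org
Subject: Maintenance window
Content-Type: text/plain; charset=utf-8

The mail gateway will be patched on Saturday.
"""

ISO_LINK = re.compile(r"https?://\S*\.iso\b", re.IGNORECASE)


def _domain(header_value):
    """Lowercase domain part of an address header, or '' if the header is absent."""
    if not header_value:
        return ""
    _, addr = parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower()


def triage_message(raw):
    """Return observed domains plus a list of findings (signals, not verdicts)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_dom = _domain(msg["From"])
    # Sender identifies the transmitting party when present; Return-Path is the
    # envelope sender and serves as the fallback.
    actual_dom = _domain(msg["Sender"]) or _domain(msg["Return-Path"])
    reply_dom = _domain(msg["Reply-To"])

    findings = []
    if actual_dom and actual_dom != from_dom:
        findings.append("from-sender-mismatch")
    # The article notes the real sender address ends in @in.constantcontact.com.
    if actual_dom.endswith("in.constantcontact.com"):
        findings.append("third-party-marketing-sender")
    if reply_dom and reply_dom not in (from_dom, actual_dom):
        findings.append("reply-to-third-domain")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    if ISO_LINK.search(text):
        findings.append("iso-link-in-body")

    return {
        "from": from_dom,
        "sender": actual_dom,
        "reply_to": reply_dom,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EML), ("benign", BENIGN_EML)):
        print(label, triage_message(raw))
```

A legitimate bulk mailing from a marketing platform will trip `from-sender-mismatch` and `third-party-marketing-sender` on its own, so those two signals are best treated as context; the combination with a Reply-To on an unrelated domain and an ISO download link is what distinguishes the lure described here from ordinary newsletter traffic.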
The payloads can allow Nobelium to gain persistent access to infected machines:
“The successful execution of these malicious payloads could enable NOBELIUM to conduct action-on objectives, such as lateral movement, data exfiltration, and delivery of additional malware,” MTIC said.
The Cobalt Strike Beacons use port 443 to call out to a command and control infrastructure.
Nobelium’s goal is to infect the email servers of trusted technology providers and then compromise the organizations that rely on them, as was the case in the SolarWinds supply chain hack, which saw a backdoor planted in thousands of organizations. This strategy could enable more sophisticated espionage operations.
“This is yet another example of how cyberattacks have become the tool of choice for a growing number of nation-states to accomplish a wide variety of political objectives, with the focus of these attacks by Nobelium on human rights and humanitarian organisations,” Burt said.
Burt called for rules to prevent nations from using cyberspace for political goals.