NOBELIUM Cyberattack: New sophisticated email-based attack

Microsoft Threat Intelligence Center (MSTIC) has uncovered a wide-scale malicious email campaign operated by NOBELIUM, the threat actor behind the attacks against SolarWinds, the SUNBURST backdoor, TEARDROP malware, GoldMax malware, and other related components. The campaign, initially observed and tracked by Microsoft since January 2021, evolved over a series of waves demonstrating significant experimentation. On May 25, 2021, the campaign escalated as NOBELIUM leveraged the legitimate mass-mailing service, Constant Contact, to masquerade as a US-based development organization and distribute malicious URLs to a wide variety of organizations and industry verticals.

NOBELIUM has historically targeted government organizations, non-government organizations (NGOs), think tanks, military, IT service providers, health technology and research, and telecommunications providers.

Maintaining persistence is critical for any threat actor after gaining access to a network. In addition to the backdoor in the SolarWinds software, NOBELIUM has been observed using stolen credentials to access cloud services like email and storage, as well as compromised identities to gain and maintain access to networks via virtual private networks (VPNs) and remote access tools. Microsoft assesses that the newly surfaced pieces of malware were used by the actor to maintain persistence and perform actions on very specific and targeted networks post-compromise, even evading initial detection during incident response.

Due to the fast-moving nature of this campaign and its perceived scope, we encourage organizations to investigate and monitor communications matching the characteristics described in this article.

Indicators of compromise (IOC)

This attack is still active, so these indicators should not be considered exhaustive for this observed activity. These indicators of compromise are from the large-scale campaign launched on May 25, 2021.

Email addresses:
ashainfo@usaid.gov
mhillary@usaid.gov

SHA-256 file hashes:
2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252
d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142
94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916
48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0
ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c
ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330

Domains (defanged):
theyardservice[.]com
usaid.theyardservice[.]com
dataplane.theyardservice[.]com
cdn.theyardservice[.]com
static.theyardservice[.]com
worldhomeoutlet[.]com

IP addresses (defanged):
192[.]99[.]221[.]77
83[.]171[.]237[.]173
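The indicators above are published defanged (`[.]`) so they can be shared safely; before they can be matched against mail, proxy, DNS or firewall logs they have to be refanged and matched in a way that does not produce substring false positives (a longer domain that merely ends in an indicator, or an IP that is a prefix of another). The following script is an added example written for this page, not code from Microsoft or from the original advisory. It loads the indicators exactly as listed above, refangs and buckets them by type, and scans a handful of constructed log lines (timestamps, host names, user names and the file name are made up) for matches, including subdomain matches for the domain indicators.

```python
import re

# Indicators copied from the advisory above, in the defanged form published there.
PAGE_IOCS = """\
ashainfo@usaid.gov
mhillary@usaid.gov
2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252
d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142
94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916
48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0
ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c
ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330
usaid.theyardservice[.]com
worldhomeoutlet[.]com
dataplane.theyardservice[.]com
cdn.theyardservice[.]com
static.theyardservice[.]com
192[.]99[.]221[.]77
83[.]171[.]237[.]173
theyardservice[.]com
"""

# Constructed sample log lines (not real telemetry): users, hosts, timestamps and the
# file name are invented. Lines 0-4 should match; lines 5 and 6 are deliberate
# near-misses (a longer domain ending in an indicator, and a prefix of an indicator IP).
CONSTRUCTED_LOGS = [
    '2021-05-25T14:02:11Z MTA from=<ashainfo@usaid.gov> to=<alice@example.org> subject="constructed test message"',
    '2021-05-25T14:03:47Z PROXY user=alice GET https://usaid.theyardservice.com/download/documents.html 302',
    '2021-05-25T14:05:02Z DNS query=worldhomeoutlet.com type=A rcode=NOERROR',
    '2021-05-25T14:05:09Z FW dst=83.171.237.173 dport=443 action=allow',
    '2021-05-25T14:06:30Z EDR file=C:\\Users\\alice\\Downloads\\sample.bin sha256=2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252',
    '2021-05-25T14:07:00Z PROXY user=bob GET https://docs.example.org/notheyardservice.com/x 200',
    '2021-05-25T14:08:12Z FW dst=83.171.237.17 dport=443 action=allow',
]


def refang(ioc: str) -> str:
    """Turn the published defanged form back into a value that can be matched."""
    return ioc.strip().replace("[.]", ".").replace("hxxp", "http").lower()


def classify(ioc: str) -> str:
    """Bucket an already-refanged indicator by type."""
    if "@" in ioc:
        return "email"
    if re.fullmatch(r"[0-9a-f]{64}", ioc):
        return "sha256"
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", ioc):
        return "ip"
    return "domain"


def load_iocs(text: str) -> dict:
    """Parse one indicator per line into {type: set(values)}."""
    iocs = {"email": set(), "sha256": set(), "ip": set(), "domain": set()}
    for raw in text.splitlines():
        if raw.strip():
            value = refang(raw)
            iocs[classify(value)].add(value)
    return iocs


def _pattern(kind: str, value: str):
    v = re.escape(value)
    if kind == "domain":
        # The domain itself or any subdomain of it, but not a longer label that
        # merely ends with it (e.g. "notheyardservice.com").
        return re.compile(r"(?<![\w.-])(?:[\w-]+\.)*" + v + r"(?![\w-])")
    # Emails, hashes and IPs must be delimited on both sides so that
    # "183.171.237.173" or "83.171.237.1734" do not match "83.171.237.173".
    return re.compile(r"(?<![\w.])" + v + r"(?![\w.])")


def compile_iocs(iocs: dict) -> list:
    """Precompile one regex per indicator; returns [(kind, value, pattern), ...]."""
    return [(kind, value, _pattern(kind, value))
            for kind, values in iocs.items() for value in sorted(values)]


def scan_line(line: str, compiled: list) -> list:
    """Return sorted (kind, value) pairs for every indicator found in the line."""
    lower = line.lower()
    return sorted((kind, value) for kind, value, pat in compiled if pat.search(lower))


def scan_logs(lines: list, compiled: list) -> list:
    """Return [(line_index, hits)] for lines that matched at least one indicator."""
    results = []
    for i, line in enumerate(lines):
        hits = scan_line(line, compiled)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    compiled = compile_iocs(load_iocs(PAGE_IOCS))
    for idx, hits in scan_logs(CONSTRUCTED_LOGS, compiled):
        print(f"line {idx}: " + ", ".join(f"{k}={v}" for k, v in hits))
```

A URL under usaid.theyardservice.com is reported twice, once for the exact host and once for the parent domain theyardservice.com, which is intentional: a hit on the apex domain is what catches hosts the advisory did not list. Feed real logs through `scan_logs` line by line and retire or extend the `PAGE_IOCS` text as the vendor updates the list.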

References:
https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/
