The US Department of Justice reports that it has seized two command-and-control (C2) and malware distribution domains used in the recently disclosed spear-phishing campaign that impersonated email from the United States Agency for International Development (USAID).
Microsoft and Volexity disclosed the attack late last week. Microsoft attributed the operation to the group it calls Nobelium, the Russian actor behind the SolarWinds supply chain attack. According to Microsoft, Nobelium has been building and operating this email campaign since early 2021. The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) confirmed in a May 28 statement that the ongoing campaign is targeting approximately 350 organizations across a range of industries.
The attackers gained access to USAID's Constant Contact account, a legitimate email marketing platform. That access let them send authentic-looking emails from USAID to thousands of target accounts; the messages carried a "special alert" and hid the malicious link behind the mail service's own URL.
Victims who clicked the link were prompted to download malware from a subdomain of theyardservice[.]com, the Department of Justice says. With this foothold, the attacker downloaded the Cobalt Strike tool to maintain persistence, and could deploy other tools or malware on the target network.
Officials noted that the attacker's Cobalt Strike instance received C2 communications through other subdomains of theyardservice[.]com and through the domain worldhomeoutlet[.]com. Both domains were seized under a court order.
In a press release, officials wrote that the court authorized the seizure of the two domains in order to disrupt the attacker's follow-on exploitation of victims and to identify infected machines. They cautioned that the attackers may have deployed "additional backdoor access" between the initial intrusion and last week's seizure.
Security researchers have been closely studying the tools used in this campaign to learn more about how the attackers operate. In a blog post, the Microsoft Threat Intelligence Center (MSTIC) explained that each tool is designed for flexibility, letting the attackers adapt to operational challenges they may encounter. Its researchers identified four tools in the Nobelium infection chain: EnvyScout, BoomBox, NativeZone, and VaporRage.
The researchers wrote: "Although its technical details are not unprecedented, Nobelium's operational security priorities have likely influenced the design of the tool set, which demonstrates features more desirable for actors operating in potentially high-risk and high-visibility environments."
For Nobelium, these priorities include the use of trusted channels. For example, the attackers rely on BoomBox, a downloader that retrieves later-stage payloads from a Dropbox account under their control; the researchers note that all initial communications use the Dropbox API over HTTPS.
They also value opportunities for restraint. Like other tools this group has used, some variants of BoomBox, VaporRage, and NativeZone profile the target environment. The researchers say this design likely lets Nobelium select its targets and gauge whether its implants would be spotted if deployed in an environment the attacker is not familiar with.
Finally, the attackers value obscurity. According to MSTIC, VaporRage is a "unique shellcode loader" that serves as the third-stage payload; it can download, decode, and execute arbitrary payloads entirely in memory.
The researchers wrote: “This design and deployment model, which also includes the temporary storage of payloads on infected websites, hinders traditional artefacts and forensic investigations and allows unique payloads to go undiscovered.”
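The indicators in this article lend themselves to a retrospective hunt across proxy or DNS telemetry: any host that reached the seized domains or one of their subdomains, and any process other than the sanctioned Dropbox client talking to the Dropbox API, which BoomBox used as its first-stage channel. The Python below is an added example written for this page, not code from Microsoft, the Department of Justice, SentinelLabs, or the article. The log layout, the sample log lines, the `cdn.` and `static.` subdomains, and the `dropbox.exe` allow-list are constructed assumptions; the Dropbox API hostnames are Dropbox's public endpoints.

```python
"""Hunt constructed proxy log lines for the Nobelium indicators named in the article."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Domains named in the DOJ seizure, written without the de-fanging brackets.
SEIZED_C2_DOMAINS = ("theyardservice.com", "worldhomeoutlet.com")

# Dropbox's public API hostnames. BoomBox used the Dropbox API over HTTPS as its
# first-stage channel, so the indicator is "who is talking to the API", not a bad host.
DROPBOX_API_HOSTS = ("api.dropboxapi.com", "content.dropboxapi.com")

# Assumption for this example: only the official client is expected to use the
# Dropbox API on this estate. Adjust to whatever your environment sanctions.
EXPECTED_DROPBOX_PROCESSES = {"dropbox.exe"}

# Assumed proxy log layout: timestamp, source IP, process name, method, URL, status.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<proc>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"https?://(?P<host>[^/:\s]+)\S*\s+(?P<status>\d{3})$"
)

# Constructed sample lines for this example, not real telemetry from the campaign.
SAMPLE_PROXY_LOG = [
    "2021-05-25T14:02:13Z 10.1.4.22 chrome.exe GET https://cdn.theyardservice.com/download 200",
    "2021-05-25T14:05:40Z 10.1.4.22 rundll32.exe POST https://api.dropboxapi.com/2/files/list_folder 200",
    "2021-05-25T14:06:02Z 10.1.4.22 rundll32.exe GET https://content.dropboxapi.com/2/files/download 200",
    "2021-05-25T14:10:00Z 10.1.4.22 dropbox.exe POST https://api.dropboxapi.com/2/files/list_folder 200",
    "2021-05-25T14:12:30Z 10.1.4.22 rundll32.exe GET https://static.worldhomeoutlet.com/beacon 200",
    "2021-05-25T14:15:00Z 10.1.4.23 chrome.exe GET https://nottheyardservice.com/index.html 200",
    "2021-05-25T14:16:00Z 10.1.4.23 chrome.exe GET https://theyardservice.com.example.net/ 200",
]


@dataclass
class Finding:
    line: str
    host: str
    reason: str


def is_under(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it; never a bare substring match."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one log line, or None if it does not fit the layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def hunt(lines: Iterable[str]) -> List[Finding]:
    """Flag contact with the seized domains and Dropbox API use by unexpected processes."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host, proc = rec["host"], rec["proc"].lower()
        if any(is_under(host, d) for d in SEIZED_C2_DOMAINS):
            findings.append(Finding(line, host, "contact with seized Nobelium C2/distribution domain"))
        elif any(is_under(host, d) for d in DROPBOX_API_HOSTS) and proc not in EXPECTED_DROPBOX_PROCESSES:
            findings.append(Finding(line, host, f"Dropbox API used by unexpected process {proc}"))
    return findings


def affected_sources(findings: Iterable[Finding]) -> List[str]:
    """Source IPs to triage, de-duplicated in first-seen order."""
    seen: List[str] = []
    for f in findings:
        src = f.line.split()[1]
        if src not in seen:
            seen.append(src)
    return seen


if __name__ == "__main__":
    results = hunt(SAMPLE_PROXY_LOG)
    for f in results:
        print(f"{f.reason}: {f.line}")
    print("sources to triage:", affected_sources(results))
```

Two points worth carrying into a real hunt. First, the seizure does not clean up compromised hosts, and officials warned that additional backdoors may have been planted before it, so a match on these domains after the seizure date still means a machine that was infected, not a dead lead. Second, the domain check must be suffix-aware: `nottheyardservice.com` and `theyardservice.com.example.net` are not under the seized domain, while every attacker-chosen subdomain is. The Dropbox API rule is only as good as the allow-list; in estates with other sanctioned Dropbox integrations, narrow it to the process names that are actually expected.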
Of course, these are not the only tools Nobelium relies on. Since December, researchers across the industry have found the group drawing on an ever-larger pool of payloads, including the Teardrop, Sunspot, Raindrop, FlipFlop, GoldMax, GoldFinder, and Sibot malware.
Research into the attackers' tools is ongoing. The SentinelLabs team (which tracks the group as NobleBaron) found that one of the NativeZone downloaders was used as part of a poisoned installer for a Ukrainian government security application. As Juan Andrés Guerrero-Saade wrote in a blog post, the malicious DLL is designed to masquerade as a legitimate component of cryptographic key software from the Ukrainian Institute of Technology.
Kelly Sheridan is a full-time editor at Dark Reading, focusing on cybersecurity news and analysis. A business technology journalist, she previously reported on Microsoft for InformationWeek and covered finance in insurance and technology…