Microsoft uncovered the SolarWinds crooks using mass-mail service Constant Contact and posing as a U.S.-based development organization to deliver malicious URLs to more than 150 organizations.
The cybercriminal group behind the notorious SolarWinds attack is at it again with a sophisticated mass email campaign aimed at delivering malicious URLs with payloads enabling network persistence so the actors can conduct further nefarious activities.
Microsoft Threat Intelligence Center (MSTIC) began tracking this latest campaign of Nobelium (previously known as Solarigate) in late January when it was in the reconnaissance stage, and observed as it “evolved over a series of waves demonstrating significant experimentation,” according to a blog post by the Microsoft 365 Defender Threat Intelligence Team.
On Tuesday, researchers observed an escalation in the effort as the threat group began masquerading as a U.S.-based development organization to distribute emails – including the malicious URLs – using a legitimate mass-emailing service, Constant Contact, they said. The threat actors targeted a wide variety of organizations and industry verticals.
In addition to the widely disruptive SolarWinds incident, Nobelium is also the group behind the Sunburst backdoor, Teardrop malware and GoldMax malware. The group historically has targeted a wide range of organizations, including government institutions, NGOs, think tanks, the military, IT service providers, health technology and research companies and groups, and telecommunications providers.
The targets in the latest attack, which is ongoing, are 3,000 individual accounts across more than 150 organizations, “employing an established pattern of using unique infrastructure and tooling for each target, increasing their ability to remain undetected for a longer period of time,” researchers observed.
During the SolarWinds attack, Nobelium infected targets by pushing out the custom Sunburst backdoor via trojanized product updates to nearly 18,000 organizations around the globe. In this way, the attack, which started in March 2020, remained undetected until December, giving the attackers time to pick and choose which organizations to further penetrate and resulting in a sprawling cyberespionage campaign that significantly affected the U.S. government and tech companies, among others.
There are a number of key differences between that attack and this latest campaign, which researchers attributed to “changes in the actor’s tradecraft and possible experimentation following widespread disclosures of previous incidents,” they said.
MSTIC observed Nobelium changing tactics several times over the course of its latest campaign. After initial reconnaissance, the group mounted a series of spear-phishing campaigns from February through April with a similar intent: to compromise systems through an HTML file attached to the email.
Throughout those months, the group experimented with alterations to both the email and the HTML document and the way it infected victims’ machines, researchers observed.
Further iterations through April saw Nobelium experimenting with removing the ISO from Firebase and instead encoding it within the HTML document; redirecting the HTML document to an ISO that contained an RTF document that had the malicious Cobalt Strike Beacon DLL encoded within it; and sending phishing emails with no accompanying HTML and instead using a URL linking to an independent website spoofing the targeted organizations to distribute the ISO.
The campaign really ramped up in May, when the group began to leverage Constant Contact to target around 3,000 individual accounts across more than 150 organizations, researchers said.
“Due to the high-volume campaign, automated systems blocked most of the emails and marked them as spam,” researchers noted. “However, automated systems might have successfully delivered some of the earlier emails to recipients.”
Use of Mass Email Service
It was during this phase of the attack that Nobelium began impersonating an organization called the U.S. Agency for International Development, or USAID, and using an authentic sender email address that matches the standard Constant Contact service, researchers noted. The address varied for each recipient and ended in @in.constantcontact.com, with a Reply-To address of <>.
The emails claimed to be an alert from USAID about new documents published by former President Donald Trump about “election fraud,” which Trump claimed occurred in the 2020 election that he lost to President Joe Biden.
If a user clicked the link in the email, the URL would first take them to the legitimate Constant Contact service and then redirect them to Nobelium-controlled infrastructure through a URL that delivered a malicious ISO file, according to researchers.
“The end result when detonating the LNK file is the execution of ‘C:\Windows\system32\rundll32.exe Documents.dll,Open’,” researchers observed. “The successful deployment of these payloads enables Nobelium to achieve persistent access to compromised systems.”
This persistence, in turn, enables the group to execute further malicious objectives, such as lateral movement, data exfiltration and delivery of additional malware, they added.
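The two stages of the chain described above leave observable traces: the lure arrives from a genuine Constant Contact address while presenting itself as USAID, and the payload stage is rundll32.exe loading Documents.dll with the export Open from the mounted ISO. The following Python is an added defensive triage example, not code from the article or from Microsoft; the sample headers and process events are constructed, the Reply-To value and the E: drive letter are placeholders, and the list of trusted DLL directories and the organisation-to-domain map are assumptions a defender would maintain from their own intel.

```python
"""Defensive triage for the two observable stages of the campaign above.
Stage 1 is the lure mail: an authentic sender address ending in
@in.constantcontact.com while the message claims to come from USAID.
Stage 2 is the payload: rundll32.exe loading Documents.dll with the export
'Open' from the mounted ISO.  Every sample below is constructed, not real.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Optional, Tuple

# Sender domain the article names for the Constant Contact service.
MASS_MAIL_DOMAINS = {"in.constantcontact.com"}
# Assumption: a defender keeps a map of impersonation-prone organisations to
# the domains they legitimately send from (the mapping itself is illustrative).
LEGIT_ORG_DOMAINS: Dict[str, set] = {"usaid": {"usaid.gov"}}
# Directories from which a rundll32 DLL argument is unremarkable (assumption).
TRUSTED_DLL_PREFIXES = ("c:\\windows\\", "c:\\program files")

# Constructed lure headers; the Reply-To value is a placeholder, not the
# campaign's real one (the article does not reproduce it).
SAMPLE_LURE = """\
From: "USAID Special Alert" <customer-12345@in.constantcontact.com>
Reply-To: <noreply@reply-to-placeholder.invalid>
To: analyst@victim.example
Subject: USAID Special Alert

Please review the new documents.
"""

# Constructed benign newsletter sent through the same service, for comparison.
SAMPLE_NEWSLETTER = """\
From: "Acme Bakery News" <customer-67890@in.constantcontact.com>
Reply-To: <news@acmebakery.example>
To: analyst@victim.example
Subject: May specials

Fresh bread all week.
"""

# Constructed Sysmon-style process-creation events.  Event 0 mirrors the
# command line the article quotes, run from the drive letter where the ISO
# is mounted (E: is an assumed letter); event 1 is routine rundll32 use.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "C:\\Windows\\system32\\rundll32.exe Documents.dll,Open",
     "CurrentDirectory": "E:\\"},
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL",
     "CurrentDirectory": "C:\\Windows\\System32"},
]


def _domain(address: str) -> str:
    return address.rpartition("@")[2].lower()


def triage_lure(raw_message: str) -> List[str]:
    """Return reasons a mass-mailed message looks like organisation impersonation."""
    msg = message_from_string(raw_message)
    display, sender = parseaddr(msg.get("From", ""))
    if _domain(sender) not in MASS_MAIL_DOMAINS:
        return []  # only mass-mail senders are in scope for this heuristic
    reasons = []
    for org in (o for o in LEGIT_ORG_DOMAINS if o in display.lower()):
        reasons.append(f"mass-mail service address presents itself as {org}")
        _, reply_to = parseaddr(msg.get("Reply-To", ""))
        reply_domain = _domain(reply_to)
        if reply_domain and reply_domain not in LEGIT_ORG_DOMAINS[org]:
            reasons.append(f"Reply-To domain {reply_domain} is not a known {org} domain")
    return reasons


_RUNDLL32_ARGS = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,\s*([A-Za-z_][\w@]*)', re.I)


def parse_rundll32(cmdline: str) -> Optional[Tuple[str, str]]:
    """Extract (dll, export) from a rundll32 command line, or None."""
    m = _RUNDLL32_ARGS.search(cmdline)
    return (m.group(1).strip(), m.group(2)) if m else None


def suspicious_rundll32(event: Dict[str, str]) -> List[str]:
    """Return reasons a rundll32 process-creation event deserves a closer look."""
    if not event.get("Image", "").lower().endswith("\\rundll32.exe"):
        return []
    parsed = parse_rundll32(event.get("CommandLine", ""))
    if parsed is None:
        return ["rundll32 without a DLL,export argument pair"]
    dll, export = parsed
    reasons = []
    if "\\" not in dll and ":" not in dll:
        # A bare name is resolved against the working directory, which for an
        # LNK launched from a mounted ISO is the ISO's drive letter.
        dll = event.get("CurrentDirectory", "").rstrip("\\") + "\\" + dll
        reasons.append(f"relative DLL argument resolved from working directory: {dll}")
    if not dll.lower().startswith(TRUSTED_DLL_PREFIXES):
        reasons.append(f"DLL loaded from outside trusted directories: {dll} (export {export})")
    return reasons


if __name__ == "__main__":
    for sample in (SAMPLE_LURE, SAMPLE_NEWSLETTER):
        print("lure:", triage_lure(sample))
    for ev in SAMPLE_EVENTS:
        print("process:", suspicious_rundll32(ev))
```

The mail-stage check deliberately stays quiet for ordinary newsletters sent through the same service, since mass-mail providers are legitimate infrastructure; it only fires when the display name claims an organisation whose mail should not route through that provider and the Reply-To does not land on that organisation's domain. The process-stage check keys on the relative DLL argument and the non-system working directory rather than on the file name, so a renamed DLL or a different export is still caught; in production you would correlate the working-directory drive letter with your endpoint's removable-media or mount telemetry to confirm it is a mounted image.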
MSTIC recommended a number of mitigations against the campaign and published indicators of compromise to help organizations identify whether they are being targeted or whether their systems are potentially infected.