Published: June 2, 2021

Netsurion’s Security Operations Center (SOC) has seen a significant escalation of an email-based attack campaign by the threat actor NOBELIUM and is issuing this security advisory to provide our customers and partners with additional information and recommended prevention and detection measures.

Background

The Microsoft Threat Intelligence Center (MSTIC) has released information on the uncovering of a widespread malicious email campaign undertaken by the activity group that Microsoft tracks as NOBELIUM. NOBELIUM is also known as Cozy Bear and the Dukes, among other aliases, and is classified by the United States Federal Government as the advanced persistent threat APT29. NOBELIUM was initially identified in November 2020, during an intrusion at a major cybersecurity organization. Microsoft security researchers identify NOBELIUM as the actor responsible for the 2020 compromise of the SolarWinds Orion platform and for subsequent activity targeting other Microsoft customer networks and cloud assets.

In addition, on May 28, pursuant to court orders issued in the Eastern District of Virginia, the United States seized two command-and-control (C2) and malware distribution domains used in recent spear-phishing activity that mimicked email communications from the U.S. Agency for International Development (USAID).

Description

Microsoft Threat Intelligence Center (MSTIC) has uncovered a wide-scale malicious email campaign operated by NOBELIUM, the threat actor behind the attacks against SolarWinds, the SUNBURST backdoor, TEARDROP malware, GoldMax malware, and other related components. The campaign, initially observed and tracked by Microsoft since January 2021, evolved over a series of waves demonstrating significant experimentation. On May 25, 2021, the campaign escalated as NOBELIUM leveraged the legitimate mass-mailing service, Constant Contact, to masquerade as a US-based development organization and distribute malicious URLs to a wide variety of organizations and industry verticals.

Determined Impact

The NativeZone malware is distributed, and this backdoor could enable a wide range of activities, from stealing data to infecting other computers on a network.

Why It Is Critical

The actor is able to distribute phishing emails that look authentic but include a link that, when clicked, deploys the NativeZone malware and gives NOBELIUM persistent access to compromised machines.

How the Attack Works

If the user clicks the link in the email, the URL directs them to the legitimate Constant Contact service, which follows this pattern: https://r20.rs6[.]net/tn.jsp?f=

The user is then redirected to NOBELIUM-controlled infrastructure, with a URL following this pattern:
https://usaid.theyardservice[.]com/d/<target_email_address>

A malicious ISO file is then delivered to the system. The ISO contains the following files, which are saved in the %USER%\AppData\Local\Temp\<random folder name>\ path:

  • A shortcut, such as Reports.lnk, that executes a custom Cobalt Strike Beacon loader
  • A decoy document, such as ica-declass.pdf, that is displayed to the target
  • A DLL, such as Document.dll, that is a custom Cobalt Strike Beacon loader dubbed NativeZone by Microsoft.

Prevention with Netsurion’s EventTracker Endpoint Security

EventTracker Endpoint Security detects and prevents the execution of this attack.

Attack sequence

  1. EnvyScout: an HTML attachment that saves an obfuscated ISO file to disk.
    Once the user clicks on the ISO file, it will create an LNK file together with:
    • A file named BOOM.exe
    • A directory named NV containing a decoy PDF file
  2. Once the LNK file is clicked, it executes BOOM.exe and triggers the first stage of the attack, called BoomBox.
    With Netsurion’s EventTracker Endpoint Security agent installed, the attack is prevented statically at this point.
    The next stages of the attack (in case BoomBox was not prevented) are:
    • NativeZone, a malicious loader
    • VaporRage, a malicious downloader
    • A customized Cobalt Strike

The payloads from these three components, as described in the Microsoft blog referenced above, are detected by the EventTracker Endpoint Security agent.
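The two chains described above (ISO contents dropped under %USER%\AppData\Local\Temp\<random folder name>\, a shortcut that launches either BOOM.exe or a loader DLL, and follow-on stages spawned by that first process) are what an endpoint rule has to recognise in process-creation telemetry. The following is an added example and is not Netsurion’s EventTracker logic or Microsoft’s; the event field names are an assumption modelled loosely on Windows process-creation events, and the sample events are constructed, not captured.

```python
"""Process-chain detection for the ISO -> LNK -> loader sequence described above.

Added example (not Netsurion or Microsoft code). Event fields are an
assumption modelled loosely on Windows process-creation telemetry such as
Sysmon Event ID 1; the sample events below are constructed, not captured.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Drop location named in the advisory: %USER%\AppData\Local\Temp\<random folder name>\
DROP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\\", re.IGNORECASE)


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str         # full path of the newly created process
    cmdline: str       # its command line
    parent_image: str  # full path of the parent process


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> List[str]:
    """Return the suspicious traits a single process-creation event shows."""
    traits: List[str] = []
    in_drop_dir = bool(DROP_DIR_RE.search(ev.image) or DROP_DIR_RE.search(ev.cmdline))
    if in_drop_dir:
        traits.append("runs-from-temp-drop-dir")
    # explorer.exe as parent is what a double-clicked shortcut (the LNK) looks like
    if in_drop_dir and _basename(ev.parent_image) == "explorer.exe":
        traits.append("explorer-launched-from-drop-dir")
    # a DLL loader such as Document.dll is typically started through rundll32
    if (in_drop_dir and _basename(ev.image) == "rundll32.exe"
            and re.search(r"\.dll\b", ev.cmdline, re.IGNORECASE)):
        traits.append("rundll32-loads-dll-from-drop-dir")
    return traits


def score_events(events: List[ProcessEvent]) -> Dict[int, List[str]]:
    """Map pid -> traits for every event worth an analyst's attention.

    Children of an already-flagged process inherit a trait, so the follow-on
    stages (loader, downloader, beacon) are tied back to the first process."""
    findings: Dict[int, List[str]] = {}
    for ev in events:  # events are assumed to arrive in creation order
        traits = classify(ev)
        if ev.ppid in findings:
            traits.append("child-of-flagged-process")
        if traits:
            findings[ev.pid] = traits
    return findings


# Constructed sample telemetry: two benign launches, the shortcut-driven
# loader DLL and BOOM.exe, a child of BOOM.exe, and a benign rundll32 call.
SAMPLE_EVENTS = [
    ProcessEvent(100, 50, r"C:\Windows\explorer.exe", "explorer.exe",
                 r"C:\Windows\System32\userinit.exe"),
    ProcessEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r'"WINWORD.EXE" C:\Users\alice\Documents\notes.docx',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(300, 100, r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Users\alice\AppData\Local\Temp\7f3a9c\Document.dll,#1",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(400, 100, r"C:\Users\alice\AppData\Local\Temp\7f3a9c\BOOM.exe",
                 "BOOM.exe", r"C:\Windows\explorer.exe"),
    ProcessEvent(500, 400, r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Users\alice\AppData\Local\Temp\7f3a9c\Document.dll,#1",
                 r"C:\Users\alice\AppData\Local\Temp\7f3a9c\BOOM.exe"),
    ProcessEvent(600, 60, r"C:\Windows\System32\rundll32.exe",
                 "rundll32.exe shell32.dll,Control_RunDLL",
                 r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for pid, traits in score_events(SAMPLE_EVENTS).items():
        print(pid, ", ".join(traits))
```

The traits are deliberately coarse: a single one (for instance a legitimate installer running from a Temp subfolder) is noise on its own, whereas the combination of explorer.exe as parent, a drop-directory path and a rundll32 DLL load is the pattern behind the "link file (LNK) with unusual characteristics was opened" style of alert listed later in this advisory.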

Prevention with Microsoft Defender

Microsoft Defender Antivirus

Detects the new NOBELIUM components as the following malware:

  • TrojanDropper:JS/EnvyScout.A!dha
  • TrojanDownloader:Win32/BoomBox.A!dha
  • Trojan:Win32/NativeZone.A!dha
  • Trojan:Win32/NativeZone.B!dha
  • Trojan:Win32/NativeZone.C!dha
  • Trojan:Win32/NativeZone.D!dha
  • TrojanDownloader:Win32/VaporRage.A!dha

Microsoft Defender for Endpoint (EDR)

Alerts with the following titles in the Security Center can indicate threat activity on your network:

  • Malicious ISO File used by NOBELIUM
  • Cobalt Strike Beacon used by NOBELIUM
  • Cobalt Strike network infrastructure used by NOBELIUM
  • EnvyScout malware
  • BoomBox malware
  • NativeZone malware
  • VaporRage malware
The following alerts might also indicate threat activity associated with this threat, but they can also be triggered by unrelated threat activity:

  • An uncommon file was created and added to startup folder
  • A link file (LNK) with unusual characteristics was opened

Recommended Actions

Apply these mitigations to reduce the impact of this threat.

  • Deploy or enable Netsurion’s EventTracker Endpoint Security to all endpoints.
  • If using Microsoft Defender on endpoints:
    • Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
    • Run Defender in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. (EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.)
  • Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
  • Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
  • Use device discovery to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.
  • Enable multifactor authentication (MFA) to mitigate compromised credentials. Microsoft strongly encourages all customers to download and use passwordless solutions like Microsoft Authenticator to secure their accounts.
  • For Office 365 users, see multifactor authentication support.
  • For Consumer and Personal email accounts, see how to use two-step verification.
  • Turn on the following attack surface reduction rule to block or audit activity associated with this threat: Block all Office applications from creating child processes. NOTE: Assess rule impact before deployment.

EventTracker Detection Mechanisms

EventTracker Priority 1 (P1) Alerts

  • EventTracker: Bad Hash Detected will be triggered when a known exploit tool or executable file with a VirusTotal reputation score of 5 or above is detected.
  • EventTracker EDR: Unsafe Process Found will be triggered when an unsafe process is found with a bad hash value.
  • EventTracker EDR: New product or signer is detected will be triggered when a new product or signer is detected during the first-time launch of malicious tools.
  • EventTracker: A process has been terminated by EventTracker will be triggered when the launch of an identified bad-hash component is stopped by the EventTracker agent based on the unsafe list.
  • EventTracker: New Windows Network Process Activity will be triggered when a new Windows process connects to an IP address.
  • EventTracker: A process connected to an unsafe IP will be triggered when a connection is observed to unsafe IP addresses that are known to be used as command-and-control (C2) servers.
  • The EventTracker Behavior-based Unknown Process Dashboard helps analysts review all newly launched processes and take a deep dive, so that bad processes are caught in time and reported as applicable.

All the above detection mechanisms will ensure that NOBELIUM variants are detected and reported in real time.

Indicators of Compromise

  • The EventTracker Threat Center has been updated with the identified bad MD5 hash values and IP addresses, to detect communication with these IP addresses and to terminate process launches based on the unsafe list.
INDICATOR                          TYPE        DESCRIPTION
ashainfo@usaid.gov                 Email       Spoofed email account
mhillary@usaid.gov                 Email       Spoofed email account
cbc1dc536cd6f4fb9648e229e5d23361   MD5         Malicious ISO file (container)
ebe2f8df39b4a94fb408580a728d351f   MD5         Malicious ISO file (container)
29e2ef8ef5c6ff95e98bff095e63dc05   MD5         Malicious ISO file (container)
dcfd60883c73c3d92fceb6ac910d5b80   MD5         Malicious shortcut (LNK)
7edf943ed251fa480c5ca5abb2446c75   MD5         Cobalt Strike Beacon malware
1c3b8ae594cb4ce24c2680b47cebf808   MD5         Cobalt Strike Beacon malware
usaid.theyardservice[.]com         Domain      Subdomain used to distribute ISO file
worldhomeoutlet[.]com              Domain      Subdomain in Cobalt Strike C2
dataplane.theyardservice[.]com     Domain      Subdomain in Cobalt Strike C2
cdn.theyardservice[.]com           Domain      Subdomain in Cobalt Strike C2
static.theyardservice[.]com        Domain      Subdomain in Cobalt Strike C2
192[.]99[.]221[.]77                IP address  IP resolved to by worldhomeoutlet[.]com
83[.]171[.]237[.]173               IP address  IP resolved to by *theyardservice[.]com
theyardservice[.]com               Domain      Actor controlled domain
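The indicators above are published defanged ("[.]" in place of "."), so they must be refanged before they can be matched against DNS, proxy, mail and antivirus logs; the table also implies that any subdomain of theyardservice[.]com is of interest, not only the ones listed. The following is an added example of that matching and is not part of Netsurion’s Threat Center or EventTracker. It goes slightly beyond the table by treating every listed domain as covering its subdomains. The indicator values are the ones in the table; the log lines and their key=value layout are constructed assumptions, not captured data.

```python
"""Match the advisory's indicators against log lines.

Added example, not part of Netsurion's Threat Center or EventTracker. The
indicator values are the ones listed in the advisory table; the log lines are
constructed samples in an assumed key=value format, not captured data.
"""
import re
from typing import Dict, List, Set, Tuple

# Indicators exactly as published (defanged with "[.]").
ADVISORY_IOCS: Dict[str, List[str]] = {
    "Email": ["ashainfo@usaid.gov", "mhillary@usaid.gov"],
    "MD5": [
        "cbc1dc536cd6f4fb9648e229e5d23361", "ebe2f8df39b4a94fb408580a728d351f",
        "29e2ef8ef5c6ff95e98bff095e63dc05", "dcfd60883c73c3d92fceb6ac910d5b80",
        "7edf943ed251fa480c5ca5abb2446c75", "1c3b8ae594cb4ce24c2680b47cebf808",
    ],
    "Domain": [
        "usaid.theyardservice[.]com", "worldhomeoutlet[.]com",
        "dataplane.theyardservice[.]com", "cdn.theyardservice[.]com",
        "static.theyardservice[.]com", "theyardservice[.]com",
    ],
    "IP address": ["192[.]99[.]221[.]77", "83[.]171[.]237[.]173"],
}

TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.@_\-]*")
MD5_RE = re.compile(r"[0-9a-f]{32}")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def refang(value: str) -> str:
    """Turn a defanged indicator back into the form that appears in logs."""
    return value.replace("[.]", ".")


def build_matchers(iocs: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Normalise the table into lower-cased, refanged lookup sets."""
    return {
        "email": {e.lower() for e in iocs["Email"]},
        "md5": {h.lower() for h in iocs["MD5"]},
        "domain": {refang(d).lower() for d in iocs["Domain"]},
        "ip": {refang(ip) for ip in iocs["IP address"]},
    }


def domain_matches(host: str, domains: Set[str]) -> bool:
    """Exact or subdomain match: theyardservice[.]com also covers subdomains the
    table does not list (the table itself refers to *theyardservice[.]com)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_log_line(line: str, m: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (indicator_type, value) for every advisory indicator in the line."""
    hits: List[Tuple[str, str]] = []
    for token in TOKEN_RE.findall(line):
        t = token.lower()
        if t in m["email"]:
            hits.append(("email", t))
        elif MD5_RE.fullmatch(t) and t in m["md5"]:
            hits.append(("md5", t))
        elif IPV4_RE.fullmatch(t) and t in m["ip"]:
            hits.append(("ip", t))
        elif "." in t and domain_matches(t, m["domain"]):
            hits.append(("domain", t))
    return hits


def scan_logs(lines: List[str], m: Dict[str, Set[str]]) -> List[Tuple[int, List[Tuple[str, str]]]]:
    """Only the lines that hit, as (1-based line number, hits)."""
    results = []
    for i, line in enumerate(lines, 1):
        hits = scan_log_line(line, m)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample log lines (assumed key=value layout), one per log source.
SAMPLE_LOGS = [
    "2021-05-27T14:02:11Z dns query=usaid.theyardservice.com client=10.0.0.15",
    "2021-05-27T14:02:13Z proxy dst=83.171.237.173:443 action=allow",
    "2021-05-27T14:03:40Z av file=C:\\Users\\alice\\Downloads\\attachment.iso md5=cbc1dc536cd6f4fb9648e229e5d23361",
    "2021-05-27T14:05:02Z mail from=ashainfo@usaid.gov subject=document",
    "2021-05-27T14:06:00Z dns query=www.example.com client=10.0.0.15",
]

if __name__ == "__main__":
    matchers = build_matchers(ADVISORY_IOCS)
    for lineno, hits in scan_logs(SAMPLE_LOGS, matchers):
        print(lineno, hits)
```

The MD5 and IPv4 checks gate on shape before the set lookup so that arbitrary tokens do not reach the hash set, and the domain check runs last because an email address or a dotted IP would otherwise be mis-typed as a host name.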

References