Microsoft announces new threat campaign from NOBELIUM
Microsoft Threat Intelligence Center (MSTIC) has uncovered a wide-scale malicious email campaign operated by NOBELIUM, the threat actor behind the attacks against SolarWinds, the SUNBURST backdoor, TEARDROP malware, GoldMax malware, and other related components. The campaign, initially observed and tracked by Microsoft since January 2021, evolved over a series of waves demonstrating significant experimentation. On May 25, 2021, the campaign escalated as NOBELIUM leveraged the legitimate mass-mailing service, Constant Contact, to masquerade as a US-based development organization and distribute malicious URLs to a wide variety of organizations and industry verticals.
Microsoft is issuing this alert and new security research regarding this sophisticated email-based campaign that NOBELIUM has been operating, to help the industry understand and protect against this latest activity. Below, we have outlined attacker motives, malicious behavior, and best practices to protect against this attack. You can also find more information on the Microsoft On The Issues blog.
NOBELIUM has historically targeted government organizations, non-government organizations (NGOs), think tanks, military, IT service providers, health technology and research, and telecommunications providers. With this latest attack, NOBELIUM attempted to target approximately 3,000 individual accounts across more than 150 organizations, employing an established pattern of using unique infrastructure and tooling for each target, increasing their ability to remain undetected for a longer period of time.
Microsoft security researchers assess that NOBELIUM's spear-phishing operations are recurring and have increased in frequency and scope. Additional activity by the group, using an evolving set of tactics, is anticipated.
Further details are available at https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
Indicators of compromise (IOC)
This attack is still active, so these indicators should not be considered exhaustive for this observed activity.
These indicators of compromise are from the large-scale campaign launched on May 25, 2021.
| INDICATOR | TYPE | DESCRIPTION |
|---|---|---|
| [email protected] | Spoofed email account | |
| [email protected] | Spoofed email account | |
| 2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252 | SHA-256 | Malicious ISO file (container) |
| d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142 | SHA-256 | Malicious ISO file (container) |
| 94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916 | SHA-256 | Malicious ISO file (container) |
| 48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0 | SHA-256 | Malicious shortcut (LNK) |
| ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c | SHA-256 | Cobalt Strike Beacon malware |
| ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330 | SHA-256 | Cobalt Strike Beacon malware |
| usaid.theyardservice[.]com | Domain | Subdomain used to distribute ISO file |
| worldhomeoutlet[.]com | Domain | Subdomain in Cobalt Strike C2 |
| dataplane.theyardservice[.]com | Domain | Subdomain in Cobalt Strike C2 |
| cdn.theyardservice[.]com | Domain | Subdomain in Cobalt Strike C2 |
| static.theyardservice[.]com | Domain | Subdomain in Cobalt Strike C2 |
| 192[.]99[.]221[.]77 | IP address | IP resolved to by worldhomeoutlet[.]com |
| 83[.]171[.]237[.]173 | IP address | IP resolved to by *theyardservice[.]com |
| theyardservice[.]com | Domain | Actor controlled domain |
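The table above is published in defanged form (`[.]` in place of `.`), so it cannot be pasted straight into a log search. The script below is an added example (not code from Microsoft or from this site): it refangs the hash, domain and IP indicators from the table, then sweeps them over a few constructed sample log lines (DNS, proxy and EDR file events, not real telemetry). Matching on domains is done by suffix, so any new label under the actor-controlled apex `theyardservice.com` is flagged, not only the subdomains listed. The log format and field names are assumptions for the demo; adapt the regexes to your own sources.

```python
"""Sweep local logs for the NOBELIUM IOCs listed above (added example)."""
import re

# IOC values copied from the table above, kept in their defanged form.
NOBELIUM_IOCS = {
    "sha256": {
        "2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252",
        "d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142",
        "94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916",
        "48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0",
        "ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c",
        "ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330",
    },
    "domain": {
        "theyardservice[.]com",            # actor-controlled apex
        "usaid.theyardservice[.]com",
        "worldhomeoutlet[.]com",
        "dataplane.theyardservice[.]com",
        "cdn.theyardservice[.]com",
        "static.theyardservice[.]com",
    },
    "ip": {"192[.]99[.]221[.]77", "83[.]171[.]237[.]173"},
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into its live form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def build_matchers(iocs):
    """Return (domains, ips, hashes) as sets of refanged, lower-cased strings."""
    domains = {refang(d) for d in iocs["domain"]}
    ips = {refang(i) for i in iocs["ip"]}
    hashes = {h.lower() for h in iocs["sha256"]}
    return domains, ips, hashes


def domain_matches(host, domains):
    """True if host equals an IOC domain or sits anywhere beneath one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


# Generic extractors; tune these to the log formats you actually ingest.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
SHA256_RE = re.compile(r"\b([0-9a-f]{64})\b", re.I)


def scan_line(line, domains, ips, hashes):
    """Return a list of (type, indicator) hits found in one log line."""
    hits = []
    for host in DOMAIN_RE.findall(line):
        if domain_matches(host, domains):
            hits.append(("domain", host.lower()))
    for ip in IP_RE.findall(line):
        if ip in ips:
            hits.append(("ip", ip))
    for digest in SHA256_RE.findall(line):
        if digest.lower() in hashes:
            hits.append(("sha256", digest.lower()))
    return hits


def scan_lines(lines, iocs=NOBELIUM_IOCS):
    """Return [(line_number, (type, indicator)), ...] over an iterable of lines."""
    domains, ips, hashes = build_matchers(iocs)
    return [
        (n, hit)
        for n, line in enumerate(lines, 1)
        for hit in scan_line(line, domains, ips, hashes)
    ]


# Constructed sample telemetry for the demo (not real logs).
SAMPLE_LOGS = [
    "2021-05-26T09:14:02Z dns client=10.0.4.17 query=usaid.theyardservice.com type=A",
    "2021-05-26T09:14:05Z proxy client=10.0.4.17 dst=192.99.221.77:443 url=https://worldhomeoutlet.com/",
    "2021-05-26T09:15:40Z edr host=WS-0421 event=file_create name=download.iso "
    "sha256=d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142",
    "2021-05-26T09:16:00Z dns client=10.0.4.22 query=www.microsoft.com type=A",
]

if __name__ == "__main__":
    for line_no, (kind, value) in scan_lines(SAMPLE_LOGS):
        print(f"line {line_no}: {kind} hit on {value}")
```

Because the page says the indicator list is not exhaustive, the suffix match on the apex domain matters more than the individual subdomains: a fresh `*.theyardservice.com` host is still caught. Hash matching is exact, so it only covers the six files listed; pair it with detection of ISO mounts and LNK launches from mounted images rather than relying on hashes alone.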

I am one of the editors here at www.systemtek.co.uk. I am a UK-based technology professional with an interest in computer security and telecoms.