
Microsoft: Active NOBELIUM Malware Actors' Spear-Phishing Campaign

The NOBELIUM malware actors, the group behind the SolarWinds compromise, have been rapidly evolving their tactics; Microsoft details an active spear-phishing campaign.

The malware threat actors behind the SolarWinds Orion compromise in 2020 are continuing to target Microsoft networks and cloud assets, according to Microsoft insights. NOBELIUM historically targets infrastructure entities, including the government, health IT, and research.

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency is urging all US entities to review the insights on the spear-phishing attacks and to apply the recommended mitigation measures.

In January, the Microsoft Threat Intelligence Center discovered a wide-scale email campaign, tied to the actors who launched the attack on SolarWinds. The group has also been observed using the SUNBURST backdoor, TEARDROP malware, and GoldMax malware, previously detailed by CISA.

The campaign has continued to evolve throughout the year in a way that suggested the actors were experimenting with their attack techniques. In fact, the researchers warned that the latest NOBELIUM methods differ significantly from past campaigns, including the SolarWinds compromise.

The first wave of attacks leveraged Google Firebase, with hackers staging an ISO file that contained malicious content and using the platform to record profiles of the users that interacted with the malicious email.

“The actor was seemingly performing early reconnaissance by only sending the tracking portion of the email, leveraging Firebase URLs to record targets who clicked,” researchers explained. “No delivery of a malicious payload was observed during this early activity.”

“The actor sometimes employed checks for specific internal Active Directory domains that would terminate execution of the malicious process if it identified an unintended environment,” they added.

As the attackers honed their attack abilities, Microsoft observed the actors using malicious HTML files attached to spear-phishing emails, as well as encoding the payload within the HTML document and using Cobalt Strike.

In what researchers believe was the final experimentation stage, the hackers did not embed the HTML within the spear-phishing email but sent the user a URL that spoofed the targeted organization.

On May 25, researchers observed a new uptick in attacks, launched through the legitimate mass-emailing service Constant Contact. The emails contain malicious links obscured behind the service's own URLs, a link-tracking mechanism the service uses to simplify file sharing and to give legitimate senders insight into who opened and clicked their emails.

The attackers are masquerading as a US-based development company and sending malicious URLs to a range of sectors. The attackers employ unique infrastructure and tooling for each target, which improves their ability to hide on the network for longer periods of time.

The spear-phishing emails masqueraded as several different entities, including USAID. As the emails were sent from Constant Contact, the addresses ended with the legitimate “@in.constantcontact.com”.

“Due to the high volume of emails distributed in this campaign, automated email threat detection systems blocked most of the malicious emails and marked them as spam,” researchers wrote.

“However, some automated threat detection systems may have successfully delivered some of the earlier emails to recipients either due to configuration and policy settings or prior to detections being in place,” they added.

At least 3,000 individual accounts tied to 150 US organizations have been targeted in the latest wave of attacks, so far.

Further, in some of these attacks, no malicious payload was deployed. Instead, the threat actors would profile the victims who clicked the URL and direct Apple iOS users to another hacker-controlled server.

Upon a successful exploit, the NOBELIUM hackers are able to achieve persistent access on the compromised system, as well as lateral movement, data exfiltration, and the delivery of additional malware.

As the attacks have a high rate of evolution, Microsoft urges all organizations to investigate their networks for indicators of compromise and to monitor email communications for activities similar to those outlined in the report. The insights also include IOCs, which can support identification.
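The monitoring advice above can be turned into a concrete triage check. The following is an added example, not code from Microsoft or the report: it scores an email against the three campaign traits this article describes (a trusted organisation named in the display name while the address comes from the mass-mailing service, ISO/HTML attachments, and links routed through the service's own host). The domain lists, the USAID-to-usaid.gov mapping and the sample messages are constructed assumptions, not values from the report.

```python
import re
from email.utils import parseaddr

# Assumptions, not values from the Microsoft report: which mass-mailing
# domains count as "not the claimed organisation", which link hosts count as
# the service's redirector, and which real domains each named organisation uses.
MASS_MAILER_DOMAINS = {"in.constantcontact.com"}
TRACKING_HOST_SUFFIXES = ("constantcontact.com",)
CONTAINER_ATTACHMENTS = (".iso", ".html", ".htm")
ORG_DOMAINS = {"USAID": {"usaid.gov"}}  # constructed illustrative mapping


def assess_message(from_header, attachments, links):
    """Return the reasons a message resembles the campaign traits above ([] = none)."""
    display_name, address = parseaddr(from_header)
    sender_domain = address.rpartition("@")[2].lower()
    reasons = []

    # Trait 1: a trusted organisation is named in the display name, but the
    # message was actually sent from a mass-mailing service domain.
    if sender_domain in MASS_MAILER_DOMAINS:
        for org, real_domains in ORG_DOMAINS.items():
            if org.lower() in display_name.lower() and sender_domain not in real_domains:
                reasons.append(f"display name claims {org} but sender is {sender_domain}")

    # Trait 2: ISO or HTML attachments, the containers used in the campaign.
    for name in attachments:
        if name.lower().endswith(CONTAINER_ATTACHMENTS):
            reasons.append(f"attachment {name} is an ISO/HTML container")

    # Trait 3: links hidden behind the mass-mailer's own redirect host.
    for url in links:
        host = re.match(r"https?://([^/?#]+)", url)
        if host and host.group(1).lower().endswith(TRACKING_HOST_SUFFIXES):
            reasons.append(f"link routed through {host.group(1)}")
    return reasons


# Constructed sample messages (not real campaign emails).
SUSPICIOUS = assess_message(
    "USAID Special Alert <noreply@in.constantcontact.com>",
    ["Report.html"],
    ["https://r.constantcontact.com/track/abc123"],
)
BENIGN = assess_message(
    "Clinic Newsletter <news@in.constantcontact.com>",
    ["agenda.pdf"],
    ["https://clinic.example/news"],
)
```

A legitimate newsletter sent through the same service produces no findings, so the check flags the impersonation pattern rather than the service itself.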

Among the recommendations, administrators are reminded to ensure the use of antivirus tools, particularly those that use machine learning, which are better suited to detecting new and unknown variants. Endpoint security tools are also important for blocking malicious artifacts, along with network protection tools.

Lastly, the use of multi-factor authentication has been proven to block 99.9 percent of all automated attacks.

“The NOBELIUM’s spear-phishing operations are recurring and have increased in frequency and scope,” researchers warned. “It is anticipated that additional activity may be carried out by the group using an evolving set of tactics.”
