Published: June 2, 2021
Netsurion’s Security Operations Center (SOC) has seen significant escalation of an email-based attack campaign by threat actor, NOBELIUM, and is issuing this security advisory to inform our customers and partners with additional information and recommended prevention and detection measures.
Background
The Microsoft Threat Intelligence Center (MSTIC) has released information on the uncovering of a widespread malicious email campaign undertaken by the activity group that Microsoft tracks as NOBELIUM. NOBELIUM is also known as Cozy Bear, the Dukes, in addition to other aliases. It is also classified by the United States Federal Government as advanced persistent threat APT29. NOBELIUM was initially identified in November 2020, during an intrusion at a major cybersecurity organization. Microsoft security researchers identify NOBELIUM as the actor responsible for the 2020 compromise of the SolarWinds Orion platform, and subsequent activity targeting other Microsoft customer networks and cloud assets.
In addition, on May 28, pursuant to court orders issued in the Eastern District of Virginia, the United States seized two command-and-control (C2) and malware distribution domains used in recent spear-phishing activity that mimicked email communications from the U.S. Agency for International Development (USAID).
Description
Microsoft Threat Intelligence Center (MSTIC) has uncovered a wide-scale malicious email campaign operated by NOBELIUM, the threat actor behind the attacks against SolarWinds, the SUNBURST backdoor, TEARDROP malware, GoldMax malware, and other related components. The campaign, initially observed and tracked by Microsoft since January 2021, evolved over a series of waves demonstrating significant experimentation. On May 25, 2021, the campaign escalated as NOBELIUM leveraged the legitimate mass-mailing service, Constant Contact, to masquerade as a US-based development organization and distribute malicious URLs to a wide variety of organizations and industry verticals.
Determined Impact
Malware NativeZone gets distributed, and this backdoor could enable a wide range of activities from stealing data to infecting other computers on a network.
Why it is Critical?
The bad actor will be able to distribute phishing emails that look authentic but include a link that, when clicked, successfully deploys the malware, NativeZone, and enables NOBELIUM to achieve persistent access to compromised machines.
How the Attack Works
If the user clicked the link on the email, the URL directs them to the legitimate Constant Contact service, which follows this pattern: https://r20.rs6[.]net/tn.jsp?f=
The user is then redirected to NOBELIUM-controlled infrastructure, with a URL following this pattern:
https://usaid.theyardservice[.]com/d/<target_email_address>
A malicious ISO file is then delivered to the system. Within this ISO file are the following files that are saved in the %USER%\AppData\Local\Temp\<random folder name>\ path:
- A shortcut, such as Reports.lnk, that executes a custom Cobalt Strike Beacon loader
- A decoy document, such as ica-declass.pdf, that is displayed to the target
- A DLL, such as Document.dll, that is a custom Cobalt Strike Beacon loader dubbed NativeZone by Microsoft.
Prevention with Netsurion Endpoint Security
Netsurion Endpoint Security detects and prevents the execution of this attack.
Attack sequence
- EnvyScout – an html attachment which saves an obfuscated ISO file to the disk.
Once the user clicks on the ISO file, it will create an LNK file together with:- A file named BOOM.exe
- Directory named NV with a decoy pdf file
- Once the LNK file is clicked it will execute BOOM.exe and will trigger the first stage of the attack called BoomBox.
With Netsurion Endpoint Security agent installed at this point the attack will be prevented statically.
The next stages of the attack (in case the BoomBox was not prevented) are:- NativeZone, a malicious loader
- VaporRage, a malicious downloader
- A customized Cobalt Strike
The payloads from these 3 components, as described in the Microsoft blog above, are detected by the Netsurion Endpoint Security agent.
Prevention with Microsoft Defender
Microsoft Defender Antivirus
Detects the new NOBELIUM components as the following malware:
- TrojanDropper:JS/EnvyScout.A!dha
- TrojanDownloader:Win32/BoomBox.A!dha
- Trojan:Win32/NativeZone.A!dha
- Trojan:Win32/NativeZone.B!dha
- Trojan:Win32/NativeZone.C!dha
- Trojan:Win32/NativeZone.D!dha
- TrojanDownloader:Win32/VaporRage.A!dha
Microsoft Defender for Endpoint (EDR)
Alerts with the following titles in the Security Center can indicate threat activity on your network:
- Malicious ISO File used by NOBELIUM
- Cobalt Strike Beacon used by NOBELIUM
- Cobalt Strike network infrastructure used by NOBELIUM
- EnvyScout malware
- BoomBox malware
- NativeZone malware
- VaporRage malware
- The following alerts might also indicate threat activity associated with this threat, but they can also be triggered by unrelated threat activity:
- An uncommon file was created and added to startup folder
- A link file (LNK) with unusual characteristics was opened
Recommended Actions
Apply these mitigations to reduce the impact of this threat.
- Deploy or enable Netsurion Endpoint Security to all endpoints.
- If using Microsoft Defender at endpoints, then
- Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
- Run Defender in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. (EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.)
- Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
- Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- Use device discovery to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.
- Enable multifactor authentication (MFA) to mitigate compromised credentials. Microsoft strongly encourages all customers download and use password less solutions like Microsoft Authenticator to secure your accounts.
- For Office 365 users, see multifactor authentication support.
- For Consumer and Personal email accounts, see how to use two-step verification.
- Turn on the following attack surface reduction rule to block or audit activity associated with this threat: Block all Office applications from creating child processes. NOTE: Assess rule impact before deployment.
Netsurion Detection Mechanisms
Netsurion Priority 1 (P1) Alerts
- Netsurion: Bad Hash Detected will be triggered when a known exploit tool/executable file with VirusTotal reputation score of 5 and above.
- Netsurion EDR: Unsafe Process Found will be triggered when an unsafe process is found with a bad hash value.
- Netsurion EDR: New product or signer is detected will be triggered when a new product or signer is detected during the first time launch of malicious tools.
- Netsurion: A process has been terminated by Netsurion will be triggered when an identified bad Hash component launch is stopped by the Netsurion agent based on the unsafe list.
- Netsurion: New Windows Network Process Activity will be triggered when a new Windows process connects to an IP address.
- Netsurion: A process connected to an unsafe IP will be triggered when a connection is observed to unsafe IP addresses which are known to be involved in Command-and-Control (C2) server.
- Netsurion Behavior based Unknown Process Dashboard will help the analysts in looking at all newly launched process and take a deep dive, this will help the analyst to catch bad processes in time and report it as applicable.
All the above detection mechanisms will ensure that NOBELIUM variants are detected and reported in real time.
Indicators of Compromise
- The Netsurion Threat Center has been updated with Identified Bad MD5 Hash Values and IP addresses to detect the IP address communication and terminate process launches based on the unsafe list.
| INDICATOR | TYPE | DESCRIPTION |
|---|---|---|
| [email protected] | Spoofed email account | |
| [email protected] | Spoofed email account | |
| cbc1dc536cd6f4fb9648e229e5d23361 | MD5 | Malicious ISO file (container) |
| ebe2f8df39b4a94fb408580a728d351f | MD5 | Malicious ISO file (container) |
| 29e2ef8ef5c6ff95e98bff095e63dc05 | MD5 | Malicious ISO file (container) |
| dcfd60883c73c3d92fceb6ac910d5b80 | MD5 | Malicious shortcut (LNK) |
| 7edf943ed251fa480c5ca5abb2446c75 | MD5 | Cobalt Strike Beacon malware |
| 1c3b8ae594cb4ce24c2680b47cebf808 | MD5 | Cobalt Strike Beacon malware |
| usaid.theyardservice[.]com | Domain | Subdomain used to distribute ISO file |
| worldhomeoutlet[.]com | Domain | Subdomain in Cobalt Strike C2 |
| dataplane.theyardservice[.]com | Domain | Subdomain in Cobalt Strike C2 |
| cdn.theyardservice[.]com | Domain | Subdomain in Cobalt Strike C2 |
| static.theyardservice[.]com | Domain | Subdomain in Cobalt Strike C2 |
| 192[.]99[.]221[.]77 | IP address | IP resolved to by worldhomeoutlet[.]com |
| 83[.]171[.]237[.]173 | IP address | IP resolved to by *theyardservice[.]com |
| theyardservice[.]com | Domain | Actor controlled domain |
References
- https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/NativeZone.C!dha&threatId=-2147185566
- https://www.zdnet.com/article/microsoft-warns-of-current-nobelium-phishing-campaign-impersonating-usaid/
- https://us-cert.cisa.gov/ncas/current-activity/2021/05/27/microsoft-announces-new-campaign-nobelium