On May 25, 2021, the campaign escalated as NOBELIUM, the same group behind the 2020 SolarWinds attacks, leveraged the legitimate mass-mailing service Constant Contact to masquerade as a US-based development organization and distribute malicious URLs to a wide variety of organizations and industry verticals. Through this service, NOBELIUM attempted to target around 3,000 individual accounts across more than 150 organizations. Because of the campaign's high volume, automated systems blocked most of the emails and marked them as spam; however, some of the earlier emails may have been delivered to recipients.
The May 25 campaign went through several iterations. In one example the emails appear to originate from USAID <firstname.lastname@example.org>, while the authentic sender address matches the standard Constant Contact service: it varies for each recipient and ends in @in.constantcontact.com. A Reply-To address of <email@example.com> was also observed. The emails pose as an alert from USAID:
- If the user clicks the link in the email, the URL directs them to the legitimate Constant Contact service.
- The user is then redirected to NOBELIUM-controlled infrastructure.
- A malicious ISO file is then delivered to the system. Within this ISO file are the following files, which are saved in the %USER%\AppData\Local\Temp\<random folder name>\ path:
  - A shortcut, such as Reports.lnk, that executes a custom Cobalt Strike Beacon loader
  - A decoy document, such as ica-declass.pdf, that is displayed to the target
  - A DLL, such as Document.dll, that is a custom Cobalt Strike Beacon loader dubbed NativeZone by Microsoft
- The end result when detonating the LNK file is the execution of “C:\Windows\system32\rundll32.exe Documents.dll,Open”.
The successful deployment of these payloads enables NOBELIUM to achieve persistent access to compromised systems. Successful execution of these malicious payloads could then enable NOBELIUM to conduct actions on objectives, such as lateral movement, data exfiltration, and delivery of additional malware.
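As an added illustration (not part of the original advisory and not Microsoft's published detection logic), the following Python hunts process-creation records for the final step of the chain described above: rundll32.exe loading a DLL that resolves into a user's Temp folder, as happens when the DLL is named without a path and the shortcut's working directory is the dropped folder. Event field names follow the Sysmon Event ID 1 convention (Image, CommandLine, CurrentDirectory, ParentImage); the sample events, the user name alice and the folder name x7Q2k are constructed placeholders.

```python
"""Hunt process-creation events for rundll32 loading a DLL staged in a user Temp folder.

Added example; the events below are constructed, not captured from an incident.
"""
import ntpath  # Windows path semantics regardless of the host OS
import re
from typing import Dict, List, Optional

# Constructed Sysmon Event ID 1 style records. The first two mirror the
# rundll32 command reported in the advisory; the last two are benign controls.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\system32\rundll32.exe Documents.dll,Open",
     "CurrentDirectory": r"C:\Users\alice\AppData\Local\Temp\x7Q2k",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\x7Q2k\Document.dll,Open",
     "CurrentDirectory": r"C:\Users\alice",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl",
     "CurrentDirectory": r"C:\Windows\System32",
     "ParentImage": r"C:\Windows\System32\control.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe notes.txt",
     "CurrentDirectory": r"C:\Users\alice\Documents",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

TEMP_MARKER = "\\appdata\\local\\temp\\"          # compared case-insensitively
FIRST_TOKEN = re.compile(r'\s*("[^"]*"|\S+)\s*(.*)', re.S)
# rundll32 syntax: <dll>,<entrypoint> [args]; the DLL may be quoted.
RUNDLL_ARG = re.compile(r'^(?:"(?P<qdll>[^"]+)"|(?P<dll>[^,\s"]+))\s*,\s*(?P<export>[A-Za-z0-9_@#]+)')


def parse_rundll32(command_line: str) -> Optional[Dict[str, str]]:
    """Return {"dll", "export"} when the command line is a rundll32 invocation, else None."""
    m = FIRST_TOKEN.match(command_line)
    if not m:
        return None
    program = ntpath.basename(m.group(1).strip('"')).lower()
    if program != "rundll32.exe":
        return None
    arg = RUNDLL_ARG.match(m.group(2))
    if not arg:
        return None
    return {"dll": arg.group("qdll") or arg.group("dll"), "export": arg.group("export")}


def resolve_dll(dll: str, current_directory: str) -> str:
    """Resolve the DLL argument the way the loader would when it is found in the working directory."""
    if ntpath.isabs(dll) or re.match(r"^[A-Za-z]:", dll):
        return ntpath.normpath(dll)
    # A bare name is searched starting from the process working directory,
    # which for a shortcut is the folder the .lnk points at.
    return ntpath.normpath(ntpath.join(current_directory, dll))


def assess_event(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Flag rundll32 events whose DLL resolves under a user Temp folder; add context reasons."""
    parsed = parse_rundll32(event.get("CommandLine", ""))
    if parsed is None:
        return None
    resolved = resolve_dll(parsed["dll"], event.get("CurrentDirectory", ""))
    if TEMP_MARKER not in resolved.lower():
        return None  # system DLLs loaded from System32 etc. are not of interest here
    reasons = ["DLL resolves under a user Temp folder"]
    if "\\" not in parsed["dll"] and "/" not in parsed["dll"]:
        reasons.append("DLL given as a bare name, resolved via the working directory")
    if ntpath.basename(event.get("ParentImage", "")).lower() == "explorer.exe":
        reasons.append("parent is explorer.exe, consistent with a user opening a shortcut")
    return {"dll": resolved, "export": parsed["export"], "reasons": reasons}


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the assessment over a batch of events and return only the findings."""
    return [f for f in (assess_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"{finding['dll']} -> {finding['export']}: {'; '.join(finding['reasons'])}")
```

Run against the constructed batch, the two Temp-resident loads are reported and the shell32.dll control and the notepad event are not. The same parser can be pointed at exported Sysmon or EDR process-creation data once the field names are mapped.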
The following steps should be taken to mitigate the potential for falling victim to these attacks:
- Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
- Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. (EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.)
- Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
- Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- Use device discovery to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.
- Enable multifactor authentication (MFA) to mitigate compromised credentials. Microsoft strongly encourages all customers to download and use password-less solutions like Microsoft Authenticator to secure accounts.
- For Office 365 users, leverage Microsoft multifactor authentication support.
RSM offers several services relevant to this most recent attack, including:
- Technical Security Testing (Phishing, IVA/EVA, Penetration testing, etc.)
- Digital Forensics and Incident Response (DFIR)
- Cyber Threat Intelligence (CTI)
Jason Pymento (Jason.Pymento@rsmus.com)