According to the latest Microsoft research, the Russian state-backed threat group Nobelium, following the compromise of a USAID email account, is now running a phishing campaign.
Malicious Nobelium Threat Group:
The United States Agency for International Development is an independent agency of the United States federal government that is primarily responsible for administering civilian foreign aid and development assistance.
Last week, the compromise of USAID's Constant Contact email account made major news headlines.
After gaining access to the agency's Constant Contact email account, the Nobelium threat actors sent phishing emails that appeared to be legitimate USAID messages but contained a malicious link which, when clicked, delivered a backdoor dubbed NativeZone.
Nobelium's phishing campaign targeted around 3,000 accounts linked to government agencies, think tanks, consultants, and non-governmental organizations, Microsoft said. Most of the malicious emails went to recipients in the US, but the campaign reached at least 24 countries.
Mal-operations of the threat group:
Reportedly, the backdoor can steal data from compromised systems on a network.
The email phishing campaign was first detected in February, after which the Microsoft Threat Intelligence Center (MSTIC) observed Nobelium changing its operations over time.
In one instance, if a Nobelium-controlled server detected an Apple iOS device, it served an exploit for a WebKit universal cross-site scripting vulnerability. Apple said on Wednesday it was aware of the vulnerability being actively exploited.
The attack chain begins when the malicious link in the email is clicked. A malicious ISO containing decoy documents is then delivered to the victim's system. A shortcut and a malicious DLL carrying a Cobalt Strike Beacon loader, which Microsoft has named NativeZone, are also delivered via the link.
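The delivery chain above (ISO dropped from a link, a shortcut opened from the mounted image, and a DLL loaded from the same image) leaves a recognisable sequence in endpoint telemetry. The following is an added detection example, not code from Microsoft or from the original article; the event field names, the ten-minute correlation window and the sample events are all constructed assumptions for the illustration.

```python
"""Detect the ISO -> shortcut -> DLL-loader chain in endpoint process telemetry.

Added example for illustration; event schema and sample data are constructed
and do not come from any specific EDR product or from the article's sources.
"""
import json
import re
from datetime import datetime, timedelta

# Constructed sample telemetry: one generic EDR event per line.
# Host ws01 shows the full chain, ws02 is benign, ws03 shows a DLL loaded
# from a non-system drive with no preceding ISO drop.
SAMPLE_EVENTS = r'''
{"ts": "2021-05-27T14:01:02Z", "host": "ws01", "event": "file_create", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "path": "C:\\Users\\alice\\Downloads\\report.iso"}
{"ts": "2021-05-27T14:01:40Z", "host": "ws01", "event": "process_create", "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe D:\\Reports.lnk", "parent": "C:\\Windows\\explorer.exe"}
{"ts": "2021-05-27T14:01:41Z", "host": "ws01", "event": "process_create", "image": "C:\\Windows\\System32\\rundll32.exe", "cmdline": "rundll32.exe D:\\Documents.dll,Open", "parent": "C:\\Windows\\explorer.exe"}
{"ts": "2021-05-27T14:05:00Z", "host": "ws02", "event": "process_create", "image": "C:\\Windows\\System32\\rundll32.exe", "cmdline": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL", "parent": "C:\\Windows\\explorer.exe"}
{"ts": "2021-05-27T15:30:00Z", "host": "ws03", "event": "process_create", "image": "C:\\Windows\\System32\\rundll32.exe", "cmdline": "rundll32.exe E:\\setup\\driver.dll,Install", "parent": "C:\\Windows\\explorer.exe"}
'''

ISO_WINDOW = timedelta(minutes=10)          # assumed correlation window
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
# A .dll or .lnk path on a drive letter other than the system drive: on
# Windows 10 a double-clicked ISO is mounted as a new drive letter.
NON_SYSTEM_DRIVE = re.compile(r'\b([D-Z]):\\[^\s,"]+\.(dll|lnk)\b', re.IGNORECASE)


def parse_events(text):
    """Parse JSON-lines telemetry into dicts sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(text, window=ISO_WINDOW):
    """Return one alert per suspicious process event.

    Severity is 'high' when an .iso was written under a user profile on the
    same host within `window` before the event, 'medium' otherwise.
    """
    iso_drops = {}   # host -> time of the most recent .iso write
    alerts = []
    for ev in parse_events(text):
        host = ev["host"]
        if ev["event"] == "file_create":
            path = ev["path"].lower()
            if path.endswith(".iso") and "\\users\\" in path:
                iso_drops[host] = ev["ts"]
            continue
        if ev["event"] != "process_create":
            continue
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        match = NON_SYSTEM_DRIVE.search(ev["cmdline"])
        if not match:
            continue
        ext = match.group(2).lower()
        is_loader = image in DLL_LOADERS and ext == "dll"
        is_lnk = ext == "lnk"
        if not (is_loader or is_lnk):
            continue
        recent_iso = host in iso_drops and ev["ts"] - iso_drops[host] <= window
        alerts.append({
            "host": host,
            "ts": ev["ts"].isoformat(),
            "stage": "dll_sideload" if is_loader else "shortcut_launch",
            "artifact": match.group(0),
            "severity": "high" if recent_iso else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Run stand-alone it prints three alerts: two high-severity events on ws01 (the shortcut launch and the DLL load from the mounted image, both shortly after the ISO write) and one medium-severity DLL load on ws03 that has no preceding ISO drop. The benign shell32.dll load on ws02 is ignored because it comes from the system drive. Correlating the ISO write with what follows is what separates this chain from ordinary removable-media use, so tune the window to your own telemetry rather than treating the ten minutes as a fixed value.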
“The successful deployment of these payloads enables Nobelium to achieve persistent access to compromised machines,” noted MSTIC.
That persistent access lets Nobelium carry out follow-on operations, including lateral movement, data exfiltration, and delivery of additional malware.
Microsoft also noted that the Cobalt Strike Beacons communicate with their command-and-control infrastructure over port 443, and it published a list of indicators of compromise in its post.
The Nobelium threat group previously made headlines as the perpetrator of the massive SolarWinds attack.