• Home
  • |
  • Blog
  • |
  • Microsoft Has Uncovered New Email Attacks From Nobelium Threat Actor
New Email Attacks from Nobelium

Microsoft has Uncovered New Email Attacks from Nobelium Threat Actor, the threat actor behind the SolarWinds attacks. The attacks were escalated on 25-May-2021 when Nobelium runs this campaign by impersonating the service offered by a legitimate email marketing service Constant Contact, a US-based organization, and distribute malicious emails to a wide variety of organizations. Let’s see what information Microsoft has revealed about the new email attacks from Nobelium. See the captured IOCs with

Who Are The Primary Targets Of This Mew Email Attack From Nobelium?

The report tells that the attack is spread across the globe targeting more than 150 organizations linked to think tanks, consultants, government, and non-governmental organizations. 

How Is The Nobelium Email Campaign Designed To Deliver The Malware?

  1. Threat Actor will send a phishing email to the target with an HTML file as an attachment.
  2. A JavaScript within the HTML file will write an ISO file to disc and attract the victim to open the ISO file. The ISO file is mounted much like an external or network drive.
  3. From here, a shortcut file (.lnk) Cobalt Strike Beacon DLL on the system.

Different Attack Vectors Of These New Email Attacks From Nobelium:

Nobelium has made several changes to the HTML file based on the type of the target. Microsoft has observed several experiments from Nobelium. One such was removing the ISO from Firebase and instead encoding it within the HTML document. In the second instance, Nobelium experimented with redirecting the HTML document to an ISO, which contained an RTF document, with the malicious Cobalt Strike Beacon DLL encoded within the RTF. In the third example, Nobelium removed the HTML in the phishing email, and instead, a URL led to an independent website spoofing the targeted organizations from where the ISO was distributed. In some cases, no ISO payload was delivered, but additional profiling of the target device was performed by an actor-controlled web server after a user clicked the link.

Indicators Of Compromise (IOCs) Captured During The Analysis Of ‘Email Attacks From Nobelium’

IP Addresses:
192[.]99[.]221[.]77
83[.]171[.]237[.]173

Domain Names:
usaid.theyardservice[.]com
worldhomeoutlet[.]com
dataplane.theyardservice[.]com
cdn.theyardservice[.]com
static.theyardservice[.]com
theyardservice[.]com

Emails:
[email protected]
[email protected]

File Hashes:
2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252
d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142
94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916
48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0
ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c
ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330

New IOCs Captured As on 2nd June 2021

IP Address:
139[.]99[.]167[.]177
185[.]158[.]250[.]239
195[.]206[.]181[.]169
37[.]120[.]247[.]135
45[.]135[.]167[.]27
51[.]254[.]241[.]158
51[.]38[.]85[.]225

URLs:
74d6b7b2[.]app[.]giftbox4u[.]com
cdnappservice[.]firebaseio[.]com
cdnappservice[.]web[.]app
content[.]pcmsar[.]net
eventbrite-com-default-rtdb[.]firebaseio[.]com
humanitarian-forum[.]web[.]app
humanitarian-forum-default-rtdb[.]firebaseio[.]com
logicworkservice[.]web[.]app
security-updater[.]web[.]app
security-updater-default-rtdb[.]firebaseio[.]com
supportcdn[.]web[.]app
supportcdn-default-rtdb[.]firebaseio[.]com

Domains:
tacomanewspaper[.]com
techiefly[.]com
theadminforum[.]com
trendignews[.]com
stockmarketon[.]com
stsnews[.]com
newsplacec[.]com
newstepsco[.]com
pcmsar[.]net
financialmarket[.]org
theyardservice[.]com
hanproud[.]com
holescontracting[.]com
emergencystreet[.]com
enpport[.]com
aimsecurity[.]net
cityloss[.]com
cross-checking[.]com
dailydews[.]com
doggroomingnews[.]com
giftbox4u[.]com

How To Be Protected From The New Nobelium Email Campaign?

Follow these recommendations to reduce the impact of this threat:

  1. Block the IOCs on your Proxies, EDR Tools, Microsoft O365, and Firewalls.
  2. Analyze Firewall and Internet proxy logs for the presence of given IOCs.
  3. Avoid handling files or URL links in emails, chats or shared folders from untrusted sources.
  4. Isolate the suspected systems from the network to stop spreading infections over the network.
  5. Keep Anti-malware solutions at endpoint and network level updated at all time.
  6. Deploy Endpoint Detection & Response (EDR) tools to detect latest malwares and suspicious activities on endpoints.
  7. Provide phishing awareness trainings to your employees/contractors.

Thanks for reading this article. Please read more such interesting articles here:

About the author

Arun KL

To know more about me. Follow me on LinkedIn Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.