Microsoft details new sophisticated spear-phishing attacks from NOBELIUM

Pierluigi Paganini May 28, 2021

Microsoft experts uncovered a wide-scale malicious email campaign operated by NOBELIUM, the threat actor behind SolarWinds hack.

Microsoft Threat Intelligence Center (MSTIC) has uncovered a wide-scale malicious email campaign conducted by NOBELIUM APT.

The NOBELIUM APT is the threat actor that conducted supply chain attack against SolarWinds which involved multiple families of implants, including the SUNBURST backdoorTEARDROP malwareGoldMax malware, Sibot, and GoldFinder backdoors.

The campaign monitored by Microsoft was uncovered in January 2021 and evolved over time, the researchers observed a series of waves demonstrating significant experimentation. Starting from May 25, 2021, the experts observed a significant change in the campaign, the NOBELIUM group started leveraging the legitimate mass-mailing service, Constant Contact, to masquerade as a US-based development organization and arrange a malspam campaign.

NOBELIUM focuses on government organizations, non-government organizations (NGOs), think tanks, military, IT service providers, health technology and research, and telecommunications providers.

The recent campaign was very noisy due to the high volume of emails sent out by the attackers in this campaign and automated email threat detection systems were able to detect and block most of the malicious emails.

However, some automated threat detection systems may have successfully delivered some of the earlier emails to recipients either due to configuration and policy settings or prior to detections being in place.

The phishing campaign detected by MSTIC leveraged the Google Firebase platform to provide an ISO file containing the malicious code.

“MSTIC traced the start of this campaign to January 28, 2021, when the actor was seemingly performing early reconnaissance by only sending the tracking portion of the email, leveraging Firebase URLs to record targets who clicked. No delivery of a malicious payload was observed during this early activity.” reads the analysis published by Microsoft.


MSTIC also spotted the nation-state hackers experimenting with attacks that don’t leverage the ISO from Firebase, and instead encoding it within the HTML document.

“Similarly, the actor experimented with redirecting the HTML document to an ISO, which contained an RTF document, with the malicious Cobalt Strike Beacon DLL encoded within the RTF. In one final example of experimentation, there was no accompanying HTML in the phishing email and instead a URL led to an independent website spoofing the targeted organizations, from where the ISO was distributed.” continues the report.

Experts also noticed that in some attacks threat actors did not use ISO payload and adopted additional profiling techniques. If the target is an Apple iOS device, the user was redirected to another server under NOBELIUM control, that attempts to trigger the CVE-2021-1879 flaw.

Since May 2021, the attackers started dropping a custom .NET first-stage implant, detected as TrojanDownloader:MSIL/BoomBox, that was used for reconnaissance purposes and to downloaded additional payloads

“On May 25, the NOBELIUM campaign escalated significantly. Using the legitimate mass mailing service Constant Contact, NOBELIUM attempted to target around 3,000 individual accounts across more than 150 organizations. Due to the high-volume campaign, automated systems blocked most of the emails and marked them as spam.” continues Microsoft.

Microsoft provided Indicators of compromise (IOCs) for the campaign that began on May 25, experts pointed out that the NOBELIUM group is intensifying its spear-phishing operations changing tactics to avoid detection.

The report also includes mitigations to reduce the impact of this campaign.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Nobelium)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment