Microsoft’s Threat Intelligence Centre (MSTIC) says it has uncovered a new spearphishing campaign by the Russian hacking group believed to be behind the devastating SolarWinds supply chain attacks, targeting a large number of organisations in scores of countries.
The spearphishing attacks by Nobelium, which is also known as UNC2452, Dark Halo, and Solorigate, targeted government agencies involved with foreign policy, and international development organisations.
Around 3000 email accounts used by over 150 organisations in 24 countries were targeted by the hackers, MSTIC said.
MSTIC first observed the attacks in January this year, and they’ve been ongoing since then.
The email contained a malicious Hypertext Markup Language (HTML) attachment that would execute JavaScript code.
That code wrote an ISO disc image file to the computer’s storage, and the target was encouraged to open it.
Once the user had been tricked into clicking on the ISO image, which mounted it, an .LNK shortcut executed an included dynamic link library (DLL) file, which in turn ran an instance of the Cobalt Strike Beacon command and control module.
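The chain above (ISO written to disk, mounted by the user, shortcut launching a DLL) leaves a correlatable trail in endpoint telemetry: a mount of an .iso file followed shortly by a DLL loader such as rundll32.exe being handed a DLL that lives on the newly mounted volume. The script below is an added example, not code from the article or from Microsoft, that runs that correlation over a few constructed records. The record layout, field names, loader list and 15-minute window are all assumptions for the demonstration; real Sysmon or EDR telemetry would need to be mapped onto this shape first.

```python
"""Correlate ISO mounts with DLL loads off the mounted volume (constructed telemetry)."""
import ntpath
import re
from datetime import datetime, timedelta

# Assumption: Windows binaries commonly used by a shortcut to execute a DLL; tune per environment.
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
# Assumption: how long after an .iso mount a DLL load from that volume counts as correlated.
CORRELATION_WINDOW = timedelta(minutes=15)
# Matches a drive-letter DLL path in a command line, e.g. E:\Documents.dll
DLL_ON_DRIVE = re.compile(r"\b([A-Za-z]):\\[^\s,\"']*\.dll", re.IGNORECASE)

# Constructed sample records in a simplified schema (not a real Sysmon/EDR format).
# 'kind' is either 'mount' (a disc image was attached as a volume) or 'process'.
SAMPLE_EVENTS = [
    {"ts": "2021-05-25T09:00:01", "kind": "mount", "host": "ws01", "user": "alice",
     "image_path": r"C:\Users\alice\Downloads\Reports.iso", "volume": "E:"},
    {"ts": "2021-05-25T09:00:09", "kind": "process", "host": "ws01", "user": "alice",
     "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe E:\Documents.dll,Start"},
    # Benign: rundll32 launched by a service, DLL on the system drive, no ISO mount involved.
    {"ts": "2021-05-25T11:15:00", "kind": "process", "host": "ws02", "user": "bob",
     "parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    # Benign: an ISO mount with no DLL execution following it.
    {"ts": "2021-05-25T12:00:00", "kind": "mount", "host": "ws03", "user": "carol",
     "image_path": r"C:\ISOs\ubuntu.iso", "volume": "F:"},
]


def detect_iso_dll_chain(events):
    """Return one alert per DLL-loader launch whose DLL sits on a recently mounted .iso volume."""
    mounts = {}  # host -> list of (mount time, volume letter, iso path)
    alerts = []
    # ISO-8601 timestamps sort correctly as strings, so ordering by 'ts' gives time order.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        host = ev["host"]
        if ev["kind"] == "mount":
            if ev["image_path"].lower().endswith(".iso"):
                mounts.setdefault(host, []).append((ts, ev["volume"].upper(), ev["image_path"]))
            continue
        if ev["kind"] != "process":
            continue
        # ntpath handles Windows separators regardless of the platform running this script.
        if ntpath.basename(ev["image"]).lower() not in DLL_LOADERS:
            continue
        match = DLL_ON_DRIVE.search(ev["cmdline"])
        if not match:
            continue
        drive = match.group(1).upper() + ":"
        for mounted_at, volume, iso_path in mounts.get(host, []):
            if volume == drive and timedelta(0) <= ts - mounted_at <= CORRELATION_WINDOW:
                alerts.append({
                    "host": host,
                    "user": ev["user"],
                    "volume": volume,
                    "iso_path": iso_path,
                    "dll": match.group(0),
                    "loader": ntpath.basename(ev["image"]).lower(),
                    # A shortcut double-clicked by the user normally shows explorer.exe as the parent.
                    "parent_is_explorer": ntpath.basename(ev["parent"]).lower() == "explorer.exe",
                    "seconds_after_mount": int((ts - mounted_at).total_seconds()),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_iso_dll_chain(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed records it raises exactly one alert, for the ws01 sequence, and stays quiet for the service-launched rundll32 and the unused ubuntu ISO. The correlation key is the drive letter, which is why the mount record must carry the volume the image was attached to; if your telemetry only logs the image path, the join has to be made on the host and time window alone, which raises the false-positive rate.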
Another variant of Nobelium’s phishing payload contained a Rich Text Format (RTF) document in which Cobalt Strike Beacon had been encoded.
Apple iOS users were targeted by a special server controlled by Nobelium, which tried to deliver a universal cross-site scripting zero-day exploit to users’ devices.
The iOS vulnerability was patched by Apple in March.
This month, Nobelium sent forged emails, purporting to come from the United States Agency for International Development (USAID), with links that redirected to servers controlled by the hackers and which attempted to deliver malware.
The malware included a custom Cobalt Strike Beacon that MSTIC named NativeZone, which can act as a backdoor and as an infection vector for other computers on the same network as the target.
Microsoft said the purpose of the attacks was intelligence gathering.