APT29 – otherwise known as NOBELIUM and Cozy Bear, or "the SolarWinds attackers" – have recently launched a global spear-phishing campaign against a variety of government-related organizations, as discovered by the security firm Volexity. In their campaign, the cyber group is distributing election fraud-themed phishing emails, attempting to infect victim networks with malware and exfiltrate critical data. Among their targets are NGOs, research institutions, and government agencies across the United States and Europe.
In order to gain access to sensitive internal networks, APT29 first compromised a Constant Contact account used by the USAID government agency for email campaigns. Constant Contact is an email marketing service that also tracks click-throughs on links, which let the attackers measure their campaign's success after abusing the account to send spear-phishing emails. The emails pose as a special alert from USAID referencing fraud in the 2020 U.S. Federal Elections.
2020 Elections phishing email. Image: Volexity
Once a victim clicks one of the email links, they are prompted to download an HTML attachment that delivers four new malware variants created by the APT: EnvyScout, BoomBox, NativeZone and VaporRage.
The HTML Attachment - EnvyScout
EnvyScout is a malicious HTML/JS file attachment used in spear-phishing emails that attempts to steal the NTLM credentials of Windows accounts and drop a malicious ISO on a victim's device.
The Downloader - BoomBox
An EXE (PE) file executed from the ISO image, BoomBox is used to download two encrypted malware files to the infected device from Dropbox. The BoomBox malware decrypts and saves the downloaded files, after which it gathers information about the Windows domain, encrypts the collected data, and sends it to the attackers' command and control servers (C2s).
The Loader - NativeZone
Malware dropped by BoomBox and configured to start automatically when a user logs into Windows. When running, it launches a DLL (CertPKIProvider.dll) that Microsoft dubs "VaporRage".
The Shellcode Downloader and Launcher - VaporRage
Upon being launched, the malware connects to a remote C2 server, registers itself, and repeatedly attempts to reconnect until it downloads malicious shellcode. The malware then executes that shellcode to perform various malicious activities, including the deployment of Cobalt Strike beacons.
For more information regarding these malware variants, check out BleepingComputer's extensive report.
ThreatSTOP has been monitoring and blocking malicious activity in this campaign. The related Indicators of Compromise (IOCs) are live in our systems. We've seen thousands of communication attempts from our customer networks to these IOCs on a daily basis. In an operation conducted by the FBI, two C2 domains used in this campaign by APT29 were successfully taken over - theyardservice[.]com and worldhomeoutlet[.]com. Law enforcement agencies, including the FBI, will investigate these domains to gain a better understanding of these attackers' tactics and infrastructure use.
But until this gang is taken down, it is important that you protect your network from this and other targeted attacks. Block the malicious infrastructure in this campaign by blacklisting its IOCs. If you are a ThreatSTOP customer, you're automatically protected.
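One way to apply a defanged IOC list like this one to your own egress logs, as an added example that is not ThreatSTOP's code: it refangs the `[.]` notation, separates domains from IP addresses, and flags any log line whose destination equals, or is a subdomain of, a blocked domain. The two domains are the FBI-seized C2s named above; the 203.0.113.10 address, the log format and the sample log lines are constructed for the example.

```python
import ipaddress
from typing import Iterable, List, Optional, Set, Tuple

# Constructed block list in the defanged "[.]" notation used above: the two domains are the
# FBI-seized C2s named in the article; the IP is an RFC 5737 documentation address, not an IOC.
DEFANGED_IOCS = ["theyardservice[.]com", "worldhomeoutlet[.]com", "203[.]0[.]113[.]10"]
def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' back into its real form."""
    return indicator.strip().lower().replace("[.]", ".").rstrip(".")
def load_blocklist(defanged: Iterable[str]) -> Tuple[Set[str], Set[str]]:
    """Split a defanged IOC list into a set of domains and a set of IP addresses."""
    domains, ips = set(), set()
    for raw in defanged:
        value = refang(raw)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:  # not an IP literal, so treat it as a domain
            domains.add(value)
    return domains, ips
def domain_matches(name: str, domains: Set[str]) -> Optional[str]:
    """Return the blocked domain that `name` equals or is a subdomain of, else None.
    Walking label boundaries avoids false hits such as 'nottheyardservice.com'."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None
# Constructed sample egress log, one "<timestamp> <source host> <destination>" per line.
SAMPLE_LOG = """\
2021-05-28T13:02:11Z ws-017 cdn.theyardservice.com
2021-05-28T13:02:12Z ws-017 www.example.org
2021-05-28T13:02:15Z ws-042 nottheyardservice.com
2021-05-28T13:03:01Z ws-042 WORLDHOMEOUTLET.COM.
2021-05-28T13:03:09Z ws-099 203.0.113.10
"""

def find_hits(log_text: str, defanged: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (source host, destination, matched IOC) for every line that hits the block list."""
    domains, ips = load_blocklist(defanged)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        host, dst = parts[1], parts[2].lower().rstrip(".")
        matched = domain_matches(dst, domains) or (dst if dst in ips else None)
        if matched:
            hits.append((host, dst, matched))
    return hits
```

Matching on label boundaries matters: a plain substring check would also flag look-alike names such as `nottheyardservice.com`, while a plain equality check would miss subdomains such as `cdn.theyardservice.com`.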