The SolarWinds Threat Actor Returns with a New Phishing Campaign

Threat Alert
David Bisson | Tue, 06/15/2021 - 10:12
A screenshot of the fake USAID email. (Source: 秋葵视频色 | AppRiver)

The threat actor responsible for the SolarWinds supply chain attack is making headlines once again with a new email phishing operation.

How Far ATO Can Carry a Malicious Actor

On May 27, (MSTIC) revealed it had uncovered a new wave of a spear-phishing email campaign that it had begun tracking in late-January.

This phase leveraged Constant Contact, a legitimate mass email service, to target 3,000 individuals at over 150 organizations.

Microsoft鈥檚 researchers analyzed several instances of the attack. One of the iterations appeared to use 鈥淎SHAinfo@usaid.gov,鈥 an email address employed by the (ASHA) at the U.S. Agency for International Development (USAID).

The email masqueraded as a message from USAID warning of election fraud. In support of this disguise, the message used the subject line 鈥淯SAID Special Alert!鈥

It also came with an authentic sender email address that matched Constant Contact.

After a recipient clicked on the 鈥淰iew documents鈥 button, the campaign directed the recipient to the legitimate Constant Contact service.

The operation then redirected the recipient to infrastructure controlled by NOBELIUM, the malicious actors responsible for the SolarWinds supply chain attack.

This infrastructure subsequently infected the recipient鈥檚 system with a malicious ISO file. The file displayed a decoy document to the target to convince them that nothing was wrong.

In the background, however, the ISO file used a shortcut to run a custom Cobalt Strike Beacon loader dubbed 鈥淣ativeZone.鈥 Doing so enabled the NOBELIUM to achieve persistence on a compromised system so that they could move laterally, exfiltrate sensitive information and/or deliver additional malware payloads onto a victim鈥檚 compromised asset.

A spokesperson for USAID later confirmed that the Agency was 鈥渁ware of potentially malicious email activity from a compromised Constant Contact email marketing account.鈥 It went on to say that a forensic investigation into the attack was ongoing at USAID, as quoted by .

Defending Against NOBELIUM鈥檚 Latest Attack

The team at 秋葵视频色 | AppRiver quarantined several of the campaign鈥檚 attack emails disguised as official USAID correspondence.

Those messages all used official USAID branding to lull recipients into a false sense of security.

A screenshot of the fake USAID email. (Source: 秋葵视频色 | AppRiver)
A screenshot of the fake USAID email. (Source: 秋葵视频色 | AppRiver)

Acknowledging those techniques, Microsoft noted that organizations could protect themselves by enabling cloud-delivered protection and EDR in block mode for Microsoft Defender. It also warned organizations to be on the lookout for alerts regarding the creation of uncommon files and/or the opening of link files with unusual characteristics.

Troy Gill, manager of security research and senior security analyst for 秋葵视频色 | AppRiver, explained that organizations need to do more, as well.