Microsoft has issued a warning that a Russian-backed hacking outfit known as Nobelium is currently executing a phishing attack and has managed to access an account belonging to the US Agency for International Development (USAID).
Around 3,000 accounts at over 150 different institutions associated with government agencies, consultants, and non-governmental organizations were targeted by the phishing attempt.
The attack targeted government agencies in 24 nations, but the majority of the fraudulent emails were sent to the United States.
Nobelium carried out the attacks by gaining access to USAID’s Constant Contact account, according to Microsoft corporate vice president of customer security and trust Tom Burt.
The threat actors then sent out phishing emails containing a link that, when clicked, delivered a malicious file which installed the NativeZone backdoor. This backdoor could be used for anything from data theft to infecting other computers on a network.
Many of the emails were intercepted, and Burt believes the attacks were not caused by a flaw in Microsoft products.
Nobelium changed its technique for getting its malicious code onto victim PCs after the campaign was identified in February.
In one case, a Nobelium-controlled server served up a WebKit universal cross-site scripting vulnerability if it recognized an Apple iOS device.
There were multiple variations in the most recent campaign.
The emails appear to come from USAID in one case, but the sender email address matches that of the basic Constant Contact service.
This address (which varies for each recipient) ends in @in.constantcontact.com … and a Reply-To address of was observed.
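As an added example (not from the article, Microsoft, or Constant Contact), a small Python header check that flags the pattern described above: a sender address on the Constant Contact mailing domain whose display name and Reply-To do not match it. The message and all addresses are constructed placeholders, and the display-name check is a deliberately simple heuristic.

```python
import email
from email.utils import parseaddr

# Constructed sample message modelled on the described campaign: a display
# name suggesting an organisation, an actual sender on the bulk-mail domain,
# and a Reply-To on a different domain. All addresses are placeholders.
SAMPLE_RAW = """From: "USAID Notifications" <placeholder-token@in.constantcontact.com>
Reply-To: reply@example.invalid
To: recipient@example.invalid
Subject: Special alert

Please see the attached notice.
"""

# Legitimate newsletters also use this domain; it is a signal, not a verdict.
BULK_MAILER_DOMAINS = {"in.constantcontact.com"}


def domain_of(addr: str) -> str:
    """Return the lowercase domain part of an address header, or '' if absent."""
    _, address = parseaddr(addr)
    if "@" not in address:
        return ""
    return address.rpartition("@")[2].lower()


def check_headers(raw: str) -> list:
    """Return a list of textual findings for a raw RFC 5322 message.

    Findings are indicators for triage only; each one needs context
    (sending history, content, attachments) before any action is taken.
    """
    msg = email.message_from_string(raw)
    findings = []
    from_hdr = msg.get("From", "")
    from_domain = domain_of(from_hdr)
    display_name, _ = parseaddr(from_hdr)
    if from_domain in BULK_MAILER_DOMAINS:
        findings.append(f"sender domain {from_domain} is a bulk-mail service domain")
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # Crude heuristic: first word of the display name should appear in the sender domain.
    first_word = display_name.split()[0].lower() if display_name else ""
    if first_word and from_domain and first_word not in from_domain:
        findings.append(f"display name '{display_name}' not reflected in sender domain {from_domain}")
    return findings
```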
Microsoft will continue to collaborate with willing governments and the private sector to promote the cause of digital peace, according to Burt.
Nobelium is best known for the SolarWinds supply chain attack, which saw a backdoor installed in hundreds of organizations before compromising and stealing information from nine US federal agencies and roughly 100 US firms.
Microsoft has published details of four new malware families used by Nobelium in the attacks in a new blog post.
An HTML attachment called ‘EnvyScout,’ a downloader called ‘BoomBox,’ a loader called ‘NativeZone,’ and a shellcode downloader and launcher called ‘VaporRage’ are among the four new families.