Microsoft warns about phishing attack by Nobelium group spoofing USAID

Microsoft has issued a warning that a Russian-backed hacking outfit known as Nobelium is currently executing a phishing attack and has managed to access the US Agency for International Development’s account (USAID).


Around 3,000 accounts at over 150 different institutions associated to government agencies, consultants, and non-governmental organizations were targeted by the phishing attempt.


The attack targeted government agencies in 24 nations, but the majority of the fraudulent emails were sent to the United States.


Nobelium carried out the attacks by gaining access to USAID’s Constant Contact account, according to Microsoft corporate vice president of customer security and trust Tom Burt.


The threat actors then sent out phishing emails with a link that, when clicked, included a malicious file that distributed the NativeZone backdoor. This backdoor could be used for anything from data theft to infecting other computers on a network.


Many of the emails were intercepted, and he believes the attacks were not caused by a flaw in Microsoft products.


Nobelium changed its technique to getting its malicious code onto victim PCs after the campaign was identified in February.


In one case, a Nobelium-controlled server served up a WebKit universal cross-site scripting vulnerability if it recognized an Apple iOS device.


There were multiple variations in the most recent campaign.


The emails appear to come from USAID in one case, but the sender email address matches that of the basic Constant Contact service.



 United States government,Russia,SolarWinds,Microsoft,Cybersecurity,Technology, nobelium, nobelium threat actor, nobelium hackers, microsoft solarwinds, microsoft iocs, Computer Security, computers, cyber news, cyber security news, cyber security news today, cyber security updates, cyber updates, cyberattack, cyberattacks, cybercrime, cybercriminals, cybersafe news, cybersecurity, dark web, data breach, Data leak, data stealing malware, DDoS, Distributed Denial of Service, hacker news, Hacks, Infected Installer, information security, InfoSec, infosec news, linux, Mac, Malicious ad campaign, Malvertising, Malware, malware removal, Mobile Security, network security, online security, personal data exposed, Privacy, ransomware, ransomware attack, ransomware gang, ransomware group, ransomware malware, ransomware news, RCE, Remote Access Trojan, Remote Code Execution, remote desktop app, remote desktop app virus, remote desktop malware, rootkit, Security, smartphone, software vulnerability, spyware, Supply Chain, support, system update app, system update malware app, tech, tech news, tech support, tech updates, technical support, trojan, virus, virus removal, Vulnerabilities, Vulnerability, Web Security, what is ransomware, nobelium hackers, nobelium Russia, nobelium attack, nobelium group, USAID
Source: Microsoft



This address (which varies for each recipient) ends in … and a Reply-To address of was observed.


Microsoft will continue to collaborate with willing governments and the private sector to promote the cause of digital peace, according to Burt.


Nobelium is most known for the SolarWinds supply chain attack, which saw a backdoor installed in hundreds of organizations before compromising and stealing information from nine US federal agencies and roughly 100 US firms.


Microsoft has published information of four new malware families used by Nobelium in the attacks in a new blog post.


An HTML attachment called ‘EnvyScout,’ a downloader called ‘BoomBox,’ a loader called ‘NativeZone,’ and a shellcode downloader and launcher called ‘VaporRage’ are among the four new families.


Also read: FBI will share compromised passwords with Have I Been Pwned


You might also like: Malvertised Fake AnyDesk: Trojanized AnyDesk found on Google Ads


You might also like: Forget DARK WEB. Telegram is the new marketplace for illegal activities and cybercrime


You might also like: Microsoft warns of data stealing malware (StrRAT Fake-Ransomware RAT)