Russian Hackers Use New Family of Malware in USAID Phishing Attacks

Two internet domains employed in recent phishing attacks were seized by the US Department of Justice. The domains were designed to imitate the US Agency for International Development (USAID) and were used for malware distribution and network intrusions.

According to a report, the domains seized were “theyardservice[.]com and worldhomeoutlet[.]com”. They were used to receive data exfiltrated from the target’s machine and to send malicious commands to be executed on that machine, subsequently allowing access to internal networks.

The attacks were reported by Microsoft in late May, and it was disclosed that the group behind the attack goes by NOBELIUM, a state-affiliated Russian hacking group believed to be working with the Russian Foreign Intelligence Service. The group is said to comprise multiple threat actors known by the monikers APT29, Cozy Bear, and The Dukes.

NOBELIUM carried out its phishing attacks by compromising a Contact account belonging to USAID and using it for the email campaigns. As per the report, “the threat actors impersonated USAID in phishing emails sent to approximately 3,000 email accounts at more than 150 different organizations, including government agencies and human rights organizations.”

Victims who received the emails and clicked on the link would download an HTML attachment that planted four malware families on their machines.

“The four new families include an HTML attachment named EnvyScout, a downloader known as BoomBox, a loader known as NativeZone, and a shellcode downloader and launcher named VaporRage,” said Bleeping Computer in a report.

EnvyScout is used to steal NTLM credentials for Windows accounts and also drops a malicious ISO on the target’s machine. BOOM.exe, or as it goes by the tracking name that Microsoft gave it – BoomBox – is employed to download a couple of encrypted malware files onto the victim’s device. BoomBox also drops and configures NativeZone so that it starts automatically when the user logs on to Windows. The last family of malware – VaporRage – connects to a command-and-control server to download shellcode which, upon execution, deploys Cobalt Strike beacons.

“Upon a recipient clicking on a spear-phishing email’s hyperlink, the victim computer was directed to download malware from a sub-domain of theyardservice[.]com. Using that initial foothold, the actors then downloaded the Cobalt Strike tool to maintain persistent presence and possibly deploy additional tools or malware to the victim’s network,” said the Department of Justice.

Microsoft also shared the indicators of compromise for the campaign, which show that a total of thirty-four domains were used during the attacks, of which two were confiscated by the FBI.
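As an added defensive example (not code from the article, Microsoft or the Department of Justice), the script below shows how a defender would sweep proxy logs for the two seized domains named above. It refangs the indicators, anchors the match on a dot boundary so that subdomains such as the one the DOJ mentions are caught while look-alike names are not, and runs over a handful of constructed log lines; the `url=` key/value log format is an assumption, as are the sample lines themselves.

```python
"""Sweep proxy log lines for the two seized NOBELIUM domains (added example).

The indicators are the two domains the article reports as seized; the log
lines and the 'url=' field format are constructed for this demo and are
not taken from any real log source.
"""
import re
from typing import List, Optional, Tuple

from urllib.parse import urlsplit

# Kept defanged exactly as published; refang() makes them matchable.
SEIZED_DOMAINS_DEFANGED = ("theyardservice[.]com", "worldhomeoutlet[.]com")

# Assumed log format: key=value pairs, one request per line.
URL_FIELD_RE = re.compile(r"\burl=(\S+)")


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 'a[.]b' back into a host name."""
    return ioc.replace("[.]", ".").strip().lower()


def host_matches(host: str, domain: str) -> bool:
    """True if host is the indicator domain itself or any subdomain of it.

    A bare endswith() would also accept 'nottheyardservice.com', so the
    comparison is anchored on the dot boundary; a name that merely contains
    the domain in the middle (a look-alike) is rejected as well.
    """
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def host_from_line(line: str) -> Optional[str]:
    """Extract the host from the 'url=' field of a log line, if present."""
    match = URL_FIELD_RE.search(line)
    if not match:
        return None
    return urlsplit(match.group(1)).hostname


def scan_log_lines(
    lines: List[str],
    defanged_domains: Tuple[str, ...] = SEIZED_DOMAINS_DEFANGED,
) -> List[Tuple[int, str, str]]:
    """Return (line_number, host, matched_domain) for every line hitting an indicator."""
    domains = [refang(d) for d in defanged_domains]
    hits: List[Tuple[int, str, str]] = []
    for number, line in enumerate(lines, start=1):
        host = host_from_line(line)
        if not host:
            continue
        for domain in domains:
            if host_matches(host, domain):
                hits.append((number, host, domain))
                break
    return hits


# Constructed sample log: lines 1 and 3 should be flagged, the rest should not.
SAMPLE_LOG = [
    "2021-05-27T14:02:11Z src=10.0.0.12 method=GET url=https://cdn.theyardservice.com/x.html status=200",
    "2021-05-27T14:02:15Z src=10.0.0.12 method=GET url=https://www.example.com/index.html status=200",
    "2021-05-27T14:03:40Z src=10.0.0.17 method=POST url=https://worldhomeoutlet.com/upload status=200",
    "2021-05-27T14:04:02Z src=10.0.0.21 method=GET url=https://theyardservice.com.attacker.invalid/ status=200",
    "2021-05-27T14:05:00Z src=10.0.0.21 method=GET url=https://nottheyardservice.com/ status=200",
    "2021-05-27T14:05:30Z src=10.0.0.21 event=dns query=internal.corp.invalid",
]

if __name__ == "__main__":
    for number, host, domain in scan_log_lines(SAMPLE_LOG):
        print(f"line {number}: {host} matches seized domain {domain}")
```

The dot-boundary check is the part worth copying into any indicator matcher: matching on substring alone produces false positives on unrelated names and misses nothing extra, while the anchored form still catches every subdomain of the seized domain.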

According to the report, the hacking group is also believed to have been involved in the SolarWinds supply-chain attack, which cost the American software company $3.5 million.
