Nobelium Active Again With New Phishing Campaign

What has happened?

• The attacks were launched by gaining access to the Constant Contact account of USAID. From there, the actors were able to distribute phishing emails that were seemingly authentic.
• The phishing emails carried a link that inserted a malicious file, when clicked, distributing the NativeZone backdoor. This backdoor can perform a wide range of activities.
• In one instance, when a Nobelium-controlled server detected an Apple iOS device, it served a WebKit UXSS vulnerability. Apple confirmed that it was aware of the vulnerability being actively exploited.
• In the May 25 campaign, there were some variations used. In one case, the emails looked to have originated from USAID while a genuine sender email address matched the standard Constant Contact service.

Nobelium’s infection chain 

• The emails ended with @in[.]constantcontact[.]com and a Reply-To address of <mhillary@usaid[.]gov>.
• If the link inside the email is clicked, a malicious ISO is dropped with a shortcut, decoy document, and a malicious DLL, along with a Cobalt Strike Beacon loader tracked as NativeZone by Microsoft. 
• If the shortcut is executed, the DLL is run. The successful deployment of these payloads allows the group to achieve persistent access to targeted machines.
• Execution of these malicious payloads could allow the group to carry out action-on objectives, such as data exfiltration, lateral movement, and delivery of other malware.

Conclusion