"Nobelium Phishing Campaign Poses as USAID"

The threat actor behind the notorious SolarWinds compromise is at it again, this time with a mass email campaign that delivers malicious URLs leading to payloads that give the group persistence on the victim's network so it can carry out further activity. Microsoft Threat Intelligence Center (MSTIC) began tracking this latest Nobelium campaign (Nobelium is the actor behind the intrusion Microsoft tracked as Solorigate) in late January 2021, while it was still in the reconnaissance stage, and watched it evolve over a series of waves that showed significant experimentation. Researchers recently observed an escalation: the group began masquerading as a U.S.-based international development organization, USAID, and sent its emails, including the malicious URLs, through the legitimate mass-mailing service Constant Contact. The targets span a wide variety of organizations and industry verticals; the latest wave, which is ongoing, reached roughly 3,000 individual accounts across more than 150 organizations.

MSTIC observed Nobelium changing tactics several times over the course of the campaign. After the initial reconnaissance, the group ran a series of spear-phishing campaigns from February through April with the same goal of compromising systems through an HTML file attached to the email. Throughout those months the group experimented with alterations to both the email and the HTML document, as well as with how the malware infected victims' machines, the researchers stated.


Threatpost reports: "Nobelium Phishing Campaign Poses as USAID"
