Morphisec cybersecurity experts: The malware, written in .NET, is delivered through an MSI installer and thwarts online AV scanners.
Microsoft: NOBELIUM now leverages a legitimate mass-mailing service to distribute malicious URLs. The state-sponsored group attempted to target approximately 3,000 individual accounts across more than 150 organizations.
NOBELIUM has launched a new wave of cyber attacks against a wide variety of organizations and industry verticals, leveraging the legitimate mass-mailing service Constant Contact to masquerade as a US-based development organization and distribute malicious URLs. The campaign was discovered by Microsoft cybersecurity experts. In this latest attack the state-sponsored cyber espionage group attempted to target approximately 3,000 individual accounts across more than 150 organizations, following its established pattern of using unique infrastructure and tooling for each target, which helps it remain undetected for a longer period of time.
Constant Contact is the new “weapon”
This new wide-scale email campaign leverages Constant Contact to send malicious links obscured behind the mailing service's own URLs (many email and document services provide a mechanism to simplify file sharing and to record who clicked a link and when). Due to the high volume of emails distributed in this campaign, automated email threat detection systems blocked most of the malicious emails and marked them as spam. However, some of the earlier emails may still have been delivered to recipients, either because of configuration and policy settings or because they arrived before detections were in place.
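The detection problem described above is that the real destination sits behind a mailing service's click-tracking redirect, so a link's visible host tells the reader nothing about where it goes. The following is an added example written for this page (not Microsoft's or Constant Contact's code) of a simple mail-triage check: it extracts the links from an HTML message body, flags links whose host belongs to a mass-mailing redirect service, and flags links whose visible text names a host that differs from the actual `href`. The redirect-host list (`MAILING_SERVICE_HOSTS`) and the sample message are constructed for the example and are not taken from the article.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed, constructed list of mass-mailing click-tracking hosts (placeholders,
# not real service domains). A real deployment would maintain its own list.
MAILING_SERVICE_HOSTS = {"links.mailer.example", "tracker.example.net"}

# Matches anchor text that looks like a URL or bare domain, e.g. "docs.example.org/x".
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def host_of(value):
    """Lower-cased host of a URL, or of bare text such as 'docs.example.org/a'."""
    candidate = value if "://" in value else "http://" + value
    host = urlparse(candidate).hostname
    return host.lower() if host else None


def classify_link(href, text):
    """Return the reasons (possibly none) why a link deserves analyst attention."""
    reasons = []
    href_host = host_of(href)
    if href_host is None:
        return ["unparseable href"]
    if href_host in MAILING_SERVICE_HOSTS:
        reasons.append("destination hidden behind mailing-service redirect")
    # The visible text looks like a URL but points somewhere else: classic lure.
    if text and URL_LIKE.match(text):
        text_host = host_of(text)
        if text_host and text_host != href_host:
            reasons.append("visible text names a different host")
    return reasons


def triage_message(html):
    """Return [(href, reasons)] for every link in the body that raised a flag."""
    flagged = []
    for href, text in extract_links(html):
        reasons = classify_link(href, text)
        if reasons:
            flagged.append((href, reasons))
    return flagged


# Constructed sample message body (not a real phishing email).
SAMPLE_EMAIL = """<p>Please review the attached documents.</p>
<a href="https://tracker.example.net/tn.jsp?f=001abc">https://docs.development-org.example/report.pdf</a>
<a href="https://www.example.org/newsletter">Unsubscribe</a>"""

if __name__ == "__main__":
    for href, reasons in triage_message(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

The check is deliberately offline: it never follows the redirect. In a mail gateway the flagged links would be handed to a sandbox or URL-rewriting component that resolves the final destination, which is the only way to see what the tracking URL actually points to.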