US Seizes Attacker Domains Used in USAID Phishing Campaign

The move follows last week's disclosure of an ongoing attack designed to mimic emails from the US Agency for International Development.

The United States has seized two command-and-control (C2) and malware distribution domains used in a recently disclosed spearphishing campaign that impersonated email communications from the US Agency for International Development (USAID), the Department of Justice reports.


Microsoft and Volexity disclosed the attack late last week. The operation has been attributed to the group Microsoft calls Nobelium, the Russian group behind the SolarWinds supply chain attack. It has been operating and evolving this email campaign since early 2021, Microsoft reports. The ongoing attack has targeted approximately 350 organizations across industries, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) confirmed in a May 28 statement.


Attackers gained access to USAID's account for Constant Contact, a legitimate platform used for email marketing. Their access allowed them to send seemingly authentic emails from USAID containing a "special alert" to thousands of target accounts and hide malicious links behind the mailing service's URL.


Victims who clicked this link were prompted to download malware from a subdomain of theyardservice[.]com, the DoJ reports. With this foothold, attackers downloaded a Cobalt Strike tool to remain persistent and possibly deploy additional tools or malware to a target network.


Officials note the attackers' instance of the Cobalt Strike tool received C2 communications via other subdomains of theyardservice[.]com and the domain worldhomeoutlet[.]com. Both domains were taken down under the court-ordered seizure.
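Because the C2 traffic described above ran through subdomains of the two named domains, a defender can retro-hunt resolver logs for any lookup whose name ends in either domain. The following is an added example, not code from the article or the DoJ; it assumes BIND-style query log lines (the sample lines are constructed) and matches on DNS labels rather than substrings, so a look-alike such as nottheyardservice.com is not a false hit.

```python
import re
from typing import Iterable, List, Tuple

# Domains named in the DoJ seizure notice (written defanged in the article).
SEIZED_DOMAINS = ("theyardservice.com", "worldhomeoutlet.com")

# Constructed sample lines in BIND query-log format (assumed format, not real data).
SAMPLE_LOG = """\
01-Jun-2021 09:12:01.123 client 10.0.0.15#51234: query: cdn.theyardservice.com IN A + (10.0.0.2)
01-Jun-2021 09:12:05.456 client 10.0.0.15#51235: query: worldhomeoutlet.com IN A + (10.0.0.2)
01-Jun-2021 09:12:07.789 client 10.0.0.22#51301: query: nottheyardservice.com IN A + (10.0.0.2)
01-Jun-2021 09:12:09.000 client 10.0.0.31#51377: query: www.example.org IN A + (10.0.0.2)
"""

# Pulls the querying client IP and the queried name out of one log line.
QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN")


def matches_seized_domain(qname: str, seized=SEIZED_DOMAINS) -> bool:
    """True if qname is one of the seized domains or any subdomain of one.

    The comparison is label-by-label from the right, so 'cdn.theyardservice.com'
    matches 'theyardservice.com' but 'nottheyardservice.com' does not.
    """
    labels = qname.rstrip(".").lower().split(".")
    for domain in seized:
        dlabels = domain.lower().split(".")
        if len(labels) >= len(dlabels) and labels[-len(dlabels):] == dlabels:
            return True
    return False


def find_hits(log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, queried_name) for every lookup that touches a seized domain.

    Each hit is a host worth triaging: the domains now resolve to seized
    infrastructure, so a lookup points at a beacon that predates the takedown.
    """
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and matches_seized_domain(m.group("qname")):
            hits.append((m.group("src"), m.group("qname")))
    return hits


if __name__ == "__main__":
    for src, qname in find_hits(SAMPLE_LOG.splitlines()):
        print(f"{src} queried {qname}")
```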


The court-authorized seizure of these two domains was intended to disrupt attackers' follow-on exploitation of victims and identify compromised machines, offi ..
