ThreatSTOP Blog

SolarWinds attackers targeted Government Agencies using theyardservice[.]com

Written by Ofir Ashman | June 25, 2021

APT29 – otherwise known as NOBELIUM and Cozy Bear, or "the SolarWinds attackers" – have recently launched a global spear-phishing campaign against a variety of government-related organizations, as discovered by the security firm Volexity. In their campaign, the cyber group is distributing election fraud-themed phishing emails, attempting to infect victim networks with malware and exfiltrate critical data. Among their targets are NGOs, research institutions, and government agencies across the United States and Europe.

In order to gain access to sensitive internal networks, APT29 first successfully compromised a Constant Contact account used by the USAID government agency for email campaigns. Constant Contact is an email marketing software that can also be used to track click-throughs on links, thus allowing the attackers to track their campaign success after exploiting the account to send spear phishing emails. The emails pose as a special alert from USAID referencing fraud in the 2020 U.S. Federal Elections.

 

2020 Elections phishing email. Image: Volexity

Once a victim presses on one of the email links, they are prompted to download HTML attachments - including four new malware variants created by the APT: EnvyScout, BoomBox, NativeZone and VaporRage.

The HTML Attachment - EnvyScout

EnvyScout is a malicious HTML/JS file attachment used in spear-phishing emails that attempts to steal the NTLM credentials of Windows accounts and drop a malicious ISO on a victim's device.

The Downloader - BoomBox

An EXE (PE) file executed by the the ISO image, BoomBox is used to download two encrypted malware files to the infected device from DropBox. The BoomBox malware decrypts and saves the downloaded files, after which it gathers information about the Windows domain, encrypts the collected data, and sends it to the attackers' command and control servers (C2s).

The Loader - NativeZone

A malware dropped by BoomBox and configured to start automatically when a user logs into Windows. When running, it will launch a DLL (CertPKIProvider.dll) that Microsoft dubbs "VaporRage".

The shellcode Downloader and Launcher - VaporRage

Upon being launched, the malware will connect to a remote C2 server, register itself, and repeatedly attempt to connect until it downloads malicious shellcodes. Then, the malware will execute them to perform various malicious activities, including the deployment of Cobalt Strike beacons.

For more information regarding these malware variants, check out BleepingComputer's extensive report.

 

ThreatSTOP has been monitoring and blocking malicious activity in this campaign. The related Indicators of Compromise (IOCs) are live in our systems. We've seen thousands of communication attempts from our customer networks to these IOCs on a daily basis. In an operation conducted by the FBI, two C2 domains used in this campaign by APT29 were successfully taken over - theyardservice[.]com and worldhomeoutlet[.]com. Law enforcement agencies, including the FBI, will investigate these domains to gain a better understanding of these attackers' tactics and infrastructure use. 

But until this gang is taken down, it is important that you protect your network from this and other targeted attacks. Block the malicious infrastructure in this campaign by blacklisting the IOCs below. If you are a ThreatSTOP customer, you're automatically protected. 

 

Related Domains:

theyardservice[.]com stockmarketon[.]com security-updater-default-rtdb[.]firebaseio[.]com
worldhomeoutlet[.]com stsnews[.]com cdnappservice[.]web[.]app
aimsecurity[.]net tacomanewspaper[.]com humanitarian-forum[.]web[.]app
cityloss[.]com techiefly[.]com logicworkservice[.]web[.]app
cross-checking[.]com theadminforum[.]com humanitarian-forum-default-rtdb[.]firebaseio[.]com
dailydews[.]com trendignews[.]com cdnappservice[.]firebaseio[.]com
doggroomingnews[.]com refreshauthtoken-default-rtdb[.]firebaseio[.]com 74d6b7b2[.]app[.]giftbox4u[.]com
emergencystreet[.]com cdn[.]theyardservice[.]com content[.]pcmsar[.]net
enpport[.]com dataplane[.]theyardservice[.]com email[.]theyardservice[.]com
financialmarket[.]org static[.]theyardservice[.]com smtp2[.]theyardservice[.]com
giftbox4u[.]com usaid[.]theyardservice[.]com cdn[.]theyardservice[.]com
hanproud[.]com eventbrite-com-default-rtdb[.]firebaseio[.]com dataplane[.]theyardservice[.]com
newsplacec[.]com supportcdn-default-rtdb[.]firebaseio[.]com static[.]theyardservice[.]com
newstepsco[.]com supportcdn[.]web[.]app worldhomeoutlet[.]com
pcmsar[.]net security-updater[.]web[.]app usaid[.]theyardservice[.]com

 

Related IPs:

192[.]99[.]221[.]77
83[.]171[.]237[.]173
139[.]99[.]167[.]177
185[.]158[.]250[.]239
195[.]206[.]181[.]169
37[.]120[.]247[.]135
45[.]135[.]167[.]27
51[.]254[.]241[.]158
51[.]38[.]85[.]225

 

Ready to try ThreatSTOP in your network? Want an expert-led demo to see how it works?