On 27th May Microsoft released a blog on a very sophisticated attack conducted by the threat actor, named Nobelium. While it is believed that threat actor kept changing the initial attack vector multiple times in past few months, the latest technique of abusing mass email service to send spear phishing emails targeted approximately 3000 email accounts in approximately 150 organizations including government, non-government, military, IT services, think tanks, health services and research and telecommunication. The same threat actor, Nobelium, is also believed to be behind the massive supply chain attack against SolarWinds in Dec 2020.

What is the issue

The threat actor, Nobelium, is using a unique infrastructure for each target which makes this attack more sophisticated.

The attack starts with a malicious email campaign asking the victim to download and execute an HTML file. This HTML file after successful execution, writes an ISO file on the disk and mounts as a drive. The lnk file in the ISO is executed first and it runs the cobalt strike beacon into the system. After the execution, the threat actor achieves persistence on the system and performs post exploitation activities such as, lateral propagation, data exfiltration etc.

Microsoft has provided technical analysis of the attack here.

Best practices/guidelines to follow:

Route all server traffic through Zscaler Internet Access, which will provide the right visibility to identify and stop malicious activity from compromised systems/servers.
Restrict traffic from critical infrastructure to an allow list of known-good destinations
Ensure you are inspecting all SSL traffic.
Turn on Advanced Threat Protection to block all known command-and-control domains.
Extend command-and-control protection to all ports and protocols with the Advanced Cloud Firewall (Cloud IPS module), including emerging C2 destinations.
Use Advanced Cloud Sandbox to prevent unknown malware delivered as part of a second stage payload.
Limit the impact from a potential compromise by restricting lateral movement with identity-based micro-segmentation (Zscaler Workload Segmentation) and a Zero Trust architecture.
Safeguard crown jewel applications by limiting lateral movement using Zscaler Private Access.

Zscaler coverage:

Zscaler leveraged the details on the countermeasures published by Microsoft to ensure coverage. Enhanced protection has been added wherever necessary across multiple layers of the Zscaler security platform. Below are the threat names of the existing detections:

Advanced Threat protection

Win32.Backdoor.Cobaltstrike.LZ
Win32.Trojan.Nobelium.LZ

Malware protection:

Win32.Trojan.NOBELIUM
Win64.Backdoor.CobaltStrike
HTML.Dropper.EnvyScout
LNK.Downloader.CobaltStrike
PDF.Trojan.NOBELIUM

Details related to these threat signatures can be found in the Zscaler Threat Library.

Advanced Cloud Sandbox

We have ensured that Zscaler Cloud Sandbox flags these Indicators Of Compromise (IOCs) and also protects against the unknown indicators. As always, Cloud Sandbox plays a critical role in blocking any custom variants that may be developed from these stolen tools.

Zscaler ThreatLabZ team is also actively monitoring this campaign and any activity around Nobelium and the impact to ensure coverage for newer IOCs as they are discovered.