AA21-148A Sophisticated Spearphishing Campaign Indicators
SUMMARY
Note: This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, version 9. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are responding to a spearphishing campaign targeting government organizations, intergovernmental organizations (IGOs), and non-governmental organizations (NGOs). A sophisticated cyber threat actor leveraged a compromised end-user account from Constant Contact, a legitimate email marketing software company, to spoof a U.S.-based government organization and distribute links to malicious URLs.
This Joint Cybersecurity Advisory contains information on tactics, techniques, and procedures (TTPs) and malware associated with this campaign. For more information on the malware, refer to Malware Analysis Report MAR-10339794-1.v1: Cobalt Strike Beacon.
CISA and FBI urge governmental and international affairs organizations and individuals associated with such organizations to immediately adopt a heightened state of awareness and implement the recommendations in the Mitigations section of this advisory.
For a downloadable list of indicators of compromise (IOCs), refer to AA21-148A.stix and MAR-10339794-1.v1.
TECHNICAL DETAILS
Based on incident reports, malware collection, and trusted third-party reporting, CISA and FBI are responding to a sophisticated spearphishing campaign. A cyber threat actor leveraged a compromised end-user account from Constant Contact, a legitimate email marketing software company, to send phishing emails to over 7,000 accounts across more than 300 government organizations, IGOs, and NGOs. The threat actor sent spoofed emails that appeared to originate from a U.S. Government organization. The emails contained a legitimate Constant Contact link that redirected to a malicious URL [T1566.002, T1204.001], from which a malicious ISO file was dropped onto the victim’s machine.
The ISO file contained (1) a malicious Dynamic Link Library (DLL) named Documents.dll [T1055.001], which is a custom Cobalt Strike Beacon version 4 implant, (2) a malicious shortcut file that executes the Cobalt Strike Beacon loader [T1105], and (3) a benign decoy PDF titled “Foreign Threats to the 2020 US Federal Elections” with file name "ICA-declass.pdf".
Cobalt Strike is a commercial penetration testing tool used to conduct red team operations. It contains a number of tools that complement the cyber threat actor’s exploitation efforts, such as a keystroke logger, file injection capability, and network services scanners. The Cobalt Strike Beacon is the malicious implant that calls back to attacker-controlled infrastructure and checks for additional commands to execute on the compromised system [TA0011].
The configuration file for this Cobalt Strike Beacon implant contained communications protocols, an implant watermark, and the following hardcoded command and control (C2) domains:
● dataplane.theyardservice.com/jquery-3.3.1.min.woff2
● cdn.theyardservice.com/jquery-3.3.1.min.woff2
● static.theyardservice.com/jquery-3.3.1.min.woff2
● worldhomeoutlet.com/jquery-3.3.1.min.woff2
The configuration file was encoded via an XOR with the key 0x2e and a 16-bit byte swap.
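The encoding described above, as an added example that is not code from the advisory or from the malware analysis report: a Python decoder that undoes the XOR with 0x2e and the 16-bit byte swap, then scans the result for the four published C2 paths. The configuration blob it decodes is constructed here from the domain list above; it is not the real implant's configuration, and the typed field layout of a genuine Beacon configuration is not modelled.

```python
import re
from typing import List

XOR_KEY = 0x2E  # single-byte key reported in the advisory

# C2 locations listed in the advisory; used to validate a decoded blob.
KNOWN_C2 = (
    "dataplane.theyardservice.com/jquery-3.3.1.min.woff2",
    "cdn.theyardservice.com/jquery-3.3.1.min.woff2",
    "static.theyardservice.com/jquery-3.3.1.min.woff2",
    "worldhomeoutlet.com/jquery-3.3.1.min.woff2",
)


def swap16(data: bytes) -> bytes:
    """Swap the two bytes of every 16-bit word. An unpaired trailing byte is
    left in place so odd-length blobs round-trip cleanly."""
    out = bytearray()
    for i in range(0, len(data) - 1, 2):
        out.append(data[i + 1])
        out.append(data[i])
    if len(data) % 2:
        out.append(data[-1])
    return bytes(out)


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    return bytes(b ^ key for b in data)


def decode_config(blob: bytes) -> bytes:
    """Undo the XOR-0x2e plus 16-bit byte-swap encoding. A constant-byte XOR
    and a pairwise byte swap commute, so the order in which the two steps
    are undone does not matter."""
    return xor_bytes(swap16(blob))


def encode_config(plain: bytes) -> bytes:
    # Both steps are their own inverse, so encoding is the same pair of operations.
    return swap16(xor_bytes(plain))


def extract_strings(data: bytes, min_len: int = 8) -> List[str]:
    """Printable-ASCII runs of at least min_len bytes (a 'strings'-style scan)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def find_known_c2(blob: bytes) -> List[str]:
    """Decode a blob and report which of the advisory's C2 paths appear in it."""
    strings = extract_strings(decode_config(blob))
    return [c2 for c2 in KNOWN_C2 if any(c2 in s for s in strings)]


def build_sample_blob() -> bytes:
    """CONSTRUCTED test data, not the implant's real configuration: the C2
    list padded with NULs and forced to an odd length so the trailing-byte
    path of swap16 is exercised."""
    body = b"\x00" * 4 + b"\x00".join(c.encode() for c in KNOWN_C2) + b"\x00" * 4
    if len(body) % 2 == 0:
        body += b"\x00"
    return encode_config(body)


if __name__ == "__main__":
    blob = build_sample_blob()
    print("encoded blob starts with:", blob[:8].hex())
    for c2 in find_known_c2(blob):
        print("recovered C2:", c2)
```

Against a real sample, the constructed blob would be replaced by the configuration block carved from the DLL. The string scan is a triage check only: a genuine Beacon configuration carries typed fields rather than bare strings, but recovering any of the four paths from a decoded block is a strong link to this campaign.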
For more information on the ISO file and Cobalt Strike Beacon implant, including IOCs, refer to Malware Analysis Report MAR-10339794-1.v1: Cobalt Strike Beacon.
INDICATORS OF COMPROMISE
The following IOCs were derived from trusted third parties and open-source research. For a downloadable list of IOCs, refer to AA21-148A.stix.
URL: https://r20.rs6.net/tn.jsp?f=
Host IP: 208.75.122.11 (US)
Owner: Constant Contact, Inc.
Activity: legitimate Constant Contact link found in phishing email that redirects victims to actor-controlled infrastructure at "https://usaid.theyardservice.com/d/<target_email_address>"
URL: https://usaid.theyardservice.com/d/<target_email_address>
Host IP: 83.171.237.173 (Germany)
Owner: [redacted]
First Seen: May 25, 2021
Activity: actor-controlled URL that was redirected from "https://r20.rs6.net/tn.jsp?f="; the domain "usaid.theyardservice.com" was detected as a malware site; hosted a malicious ISO file "usaid.theyardservice.com"
File: ICA-declass.iso [MD5: cbc1dc536cd6f4fb9648e229e5d23361]
File Type: Macintosh Disk Image
Detection: Artemis!7EDF943ED251, Trojan:Win32/Cobaltstrike!MSR, or other malware
Activity: ISO file container; contains a custom Cobalt Strike Beacon loader; communicated with multiple URLs, domains, and IP addresses
File: /d/ [MD5: ebe2f8df39b4a94fb408580a728d351f]
File Type: Macintosh Disk Image
Detection: Cobalt, Artemis!7EDF943ED251, or other malware
Activity: ISO file container; contains a custom Cobalt Strike Beacon loader; communicated with multiple URLs, domains, and IP addresses
File: ICA-declass.iso [MD5: 29e2ef8ef5c6ff95e98bff095e63dc05]
File Type: Macintosh Disk Image
Detection: Cobalt Strike, Rozena, or other malware
Activity: ISO file container; contains a custom Cobalt Strike Beacon loader; communicated with multiple URLs, domains, and IP addresses
File: Reports.lnk [MD5: dcfd60883c73c3d92fceb6ac910d5b80]
File Type: LNK (Windows shortcut)
Detection: Worm: Win32-Script.Save.df8efe7a, Static AI - Suspicious LNK, or other malware
Activity: shortcut contained in malicious ISO files; executes a custom Cobalt Strike Beacon loader
File: ICA-declass.pdf [MD5: b40b30329489d342b2aa5ef8309ad388]
File Type: PDF
Detection: undetected
Activity: benign, password-protected PDF displayed to victim as a decoy; currently unrecognized by antivirus software
File: DOCUMENT.DLL [MD5: 7edf943ed251fa480c5ca5abb2446c75]
File Type: Win32 DLL
Detection: Trojan: Win32/Cobaltstrike!MSR, Rozena, or other malware
Activity: custom Cobalt Strike Beacon loader contained in malicious ISO files; observed by antivirus software communicating with multiple URLs, domains, and IP addresses
File: DOCUMENT.DLL [MD5: 1c3b8ae594cb4ce24c2680b47cebf808]
File Type: Win32 DLL
Detection: Cobalt Strike, Razy, Khalesi, or other malware
Activity: custom Cobalt Strike Beacon loader contained in malicious ISO files; observed by antivirus software communicating with multiple URLs, domains, and IP addresses
Domain: usaid.theyardservice.com
Host IP: 83.171.237.173 (Germany)
First Seen: May 25, 2021
Owner: Withheld for Privacy Purposes
Activity: subdomain used to distribute ISO file according to the trusted third party; detected as a malware site by antivirus programs
Domain: worldhomeoutlet.com
Host IP: 192.99.221.77 (Canada)
Created Date: March 11, 2020
Owner: Withheld for Privacy Purposes by Registrar
Activity: Cobalt Strike C2 subdomain according to the trusted third party; categorized as suspicious and observed communicating with multiple malicious files according to antivirus software; associated with Cobalt Strike malware
Domain: dataplane.theyardservice.com
Host IP: 83.171.237.173 (Germany)
First Seen: May 25, 2021
Owner: [redacted]
Activity: Cobalt Strike C2 subdomain according to the trusted third party; categorized as suspicious and observed communicating with multiple malicious files according to antivirus software; observed in phishing, malware, and spam activity
Domain: cdn.theyardservice.com
Host IP: 83.171.237.173 (Germany)
First Seen: May 25, 2021
Owner: Withheld for Privacy Purposes by Registrar
Activity: Cobalt Strike C2 subdomain according to the trusted third party; categorized as suspicious and observed communicating with multiple malicious files according to antivirus software
Domain: static.theyardservice.com
Host IP: 83.171.237.173 (Germany)
First Seen: May 25, 2021
Owner: Withheld for Privacy Purposes
Activity: Cobalt Strike C2 subdomain according to the trusted third party; categorized as suspicious and observed communicating with multiple malicious files according to antivirus software
IP: 192.99.221.77
Organization: OVH SAS
Resolutions: 7
Geolocation: Canada
Activity: detected as a malware site; hosts a suspicious domain "worldhomeoutlet.com"; observed in Cobalt Strike activity
IP: 83.171.237.173
Organization: Droptop GmbH
Resolutions: 15
Geolocation: Germany
Activity: categorized as malicious by antivirus software; hosted multiple suspicious domains, and multiple malicious files were observed downloaded from this IP address; observed in Cobalt Strike activity
Domain: theyardservice.com
Host IP: 83.171.237.173 (Germany)
Created Date: January 27, 2010
Owner: Withheld for Privacy Purposes
Activity: Threat actor controlled domain according to the trusted third party; categorized as suspicious by antivirus software; observed in Cobalt Strike activity
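A way to put the indicators above to work, added here as an example that is not part of the advisory: a small Python matcher that checks constructed proxy log lines and file hashes against the published domains, IP addresses, MD5 hashes and the shared Beacon URL path. Domains match on the apex and any subdomain, so the usaid., dataplane., cdn. and static. hosts are all covered by theyardservice.com. The r20.rs6.net link is recorded as context rather than a block decision, because the advisory describes it as a legitimate Constant Contact link that merely redirected to the actor-controlled host. The log format, the 10.0.0.x and 203.0.113.10 addresses and the timestamps are assumptions made for this example.

```python
import re
from typing import Dict, Iterable, List, Set
from urllib.parse import urlsplit

# Indicators copied from the advisory's IOC section.
MALICIOUS_DOMAINS = {
    "theyardservice.com",  # apex; also covers usaid., dataplane., cdn., static.
    "worldhomeoutlet.com",
}
MALICIOUS_IPS = {"83.171.237.173", "192.99.221.77"}
MALICIOUS_MD5 = {
    "cbc1dc536cd6f4fb9648e229e5d23361",  # ICA-declass.iso
    "29e2ef8ef5c6ff95e98bff095e63dc05",  # ICA-declass.iso
    "ebe2f8df39b4a94fb408580a728d351f",  # /d/ (ISO)
    "dcfd60883c73c3d92fceb6ac910d5b80",  # Reports.lnk
    "7edf943ed251fa480c5ca5abb2446c75",  # DOCUMENT.DLL
    "1c3b8ae594cb4ce24c2680b47cebf808",  # DOCUMENT.DLL
}
# URL path shared by all four C2 entries in the advisory.
BEACON_PATH = "/jquery-3.3.1.min.woff2"
# Legitimate Constant Contact redirector seen in the emails: context, not a block.
CONTEXT_URL_PREFIX = "https://r20.rs6.net/tn.jsp?f="

# Assumed log shape (constructed for this example): "<timestamp> <src_ip> <dst_ip> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<url>\S+)$")


def domain_matches(host: str) -> bool:
    """True when host is one of the malicious apex domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in MALICIOUS_DOMAINS)


def classify(line: str) -> Dict[str, str]:
    """Verdict for one log line: malicious, suspicious, context, clean or unparsed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return {"verdict": "unparsed", "line": line}
    url, src, dst = m.group("url"), m.group("src"), m.group("dst")
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if domain_matches(host):
        return {"verdict": "malicious", "indicator": host, "src": src}
    if dst in MALICIOUS_IPS:
        return {"verdict": "malicious", "indicator": dst, "src": src}
    if parts.path == BEACON_PATH:
        # Same path on an unlisted host: worth triage, not enough to block on.
        return {"verdict": "suspicious", "indicator": BEACON_PATH, "src": src}
    if url.startswith(CONTEXT_URL_PREFIX):
        return {"verdict": "context", "indicator": CONTEXT_URL_PREFIX, "src": src}
    return {"verdict": "clean", "src": src}


def scan_logs(lines: Iterable[str]) -> List[Dict[str, str]]:
    return [classify(line) for line in lines if line.strip()]


def check_hashes(md5s: Iterable[str]) -> Set[str]:
    """Return the subset of supplied MD5s that appear in the advisory's hash list."""
    return {h.lower() for h in md5s} & MALICIOUS_MD5


# CONSTRUCTED sample proxy log; only the indicator values come from the advisory.
SAMPLE_PROXY_LOG = """\
2021-05-26T09:12:03Z 10.0.0.15 208.75.122.11 https://r20.rs6.net/tn.jsp?f=CONSTRUCTED
2021-05-26T09:12:04Z 10.0.0.15 83.171.237.173 https://usaid.theyardservice.com/d/user@example.org
2021-05-26T09:15:30Z 10.0.0.15 192.99.221.77 https://worldhomeoutlet.com/jquery-3.3.1.min.woff2
2021-05-26T09:20:11Z 10.0.0.22 203.0.113.10 https://cdn.example.net/jquery-3.3.1.min.woff2
2021-05-26T09:21:00Z 10.0.0.22 203.0.113.10 https://www.example.com/
"""

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_PROXY_LOG.splitlines()):
        print(hit)
    print(check_hashes(["DCFD60883C73C3D92FCEB6AC910D5B80"]))
```

The "context" verdict is deliberate: a hit on the Constant Contact redirector alone identifies a recipient of the mailing, not a compromise, and blocking r20.rs6.net outright would break legitimate mail from every other Constant Contact customer. The sequence in the sample log, redirector followed within seconds by the actor-controlled host from the same source, is the pattern worth alerting on.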
DISCLAIMER: This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this bulletin or otherwise. This document is distributed as TLP:WHITE: Disclosure is not limited. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.
Date: 2021-05-28T00:00:00Z
STIX INDICATOR RECORDS (AA21-148A.stix)
Indicator: Malicious URL Indicator
Type: URL Watchlist
URL: worldhomeoutlet.com/jquery-3.3.1.min.woff2
Indicator: Malicious URL Indicator
Type: URL Watchlist
URL: static.theyardservice.com/jquery-3.3.1.min.woff2
Indicator: Malicious URL Indicator
Type: URL Watchlist
URL: cdn.theyardservice.com/jquery-3.3.1.min.woff2
Indicator: Malicious URL Indicator
Type: URL Watchlist
URL: dataplane.theyardservice.com/jquery-3.3.1.min.woff2
Indicator: Malicious File Indicator
Type: File Hash Watchlist
File: d
Size (bytes): 10485447
MD5: EBE2F8DF39B4A94FB408580A728D351F
SHA1: 251FA6CAFD4F4D26FE97630834AA7D3F5543F886
SHA256: D035D394A82AE1E44B25E273F99EAE8E2369DA828D6B6FDB95076FD3EB5DE142
Indicator: Malicious URL Indicator
Type: Benign
URL: https://r20.rs6.net/tn.jsp?f=
Indicator: Malicious URL Indicator
Type: URL Watchlist
URL: https://usaid.theyardservice.com/d/
Indicator: Malicious FQDN Indicator
Type: Domain Watchlist
Domain: usaid.theyardservice.com
Indicator: Malicious FQDN Indicator
Type: Domain Watchlist
Domain: worldhomeoutlet.com
Indicator: Malicious FQDN Indicator
Type: Domain Watchlist
Domain: static.theyardservice.com
Indicator: Malicious FQDN Indicator
Type: Domain Watchlist
Domain: cdn.theyardservice.com
Indicator: Malicious FQDN Indicator
Type: Domain Watchlist
Domain: theyardservice.com
Indicator: Malicious FQDN Indicator
Type: Domain Watchlist
Domain: dataplane.theyardservice.com
Indicator: Malicious File Indicator
Type: File Hash Watchlist
File: ICA-declass.iso
Size (bytes): 22085632
MD5: 29E2EF8EF5C6FF95E98BFF095E63DC05
SHA1: BF7B36C521E52093360A4DF0DD131703B7B3D648
SHA256: 94786066A64C0EB260A28A2959FCD31D63D175ADE8B05AE682D3F6F9B2A5A916
Indicator: Malicious File Indicator
Type: File Hash Watchlist
File: document.dll
Size (bytes): 1737728
MD5: 7EDF943ED251FA480C5CA5ABB2446C75
SHA1: 1380D7C44EFDE64F471AE70563372EFE18F43026
SHA256: EE44C0692FD2AB2F01D17CA4B58CA6C7F79388CBC681F885BB17EC946514088C
Indicator: Malicious File Indicator
Type: File Hash Watchlist
File: DOCUMENT.DLL
Size (bytes): 1747968
MD5: 1C3B8AE594CB4CE24C2680B47CEBF808
SHA1: 1FB12E923BDB71A1F34E98576B780AB2840BA22E
SHA256: EE42DDACBD202008BCC1312E548E1D9AC670DD3D86C999606A3A01D464A2A330
Indicator: Malicious File Indicator
Type: File Hash Watchlist
File: ICA-declass.iso
Size (bytes): 22085632
MD5: CBC1DC536CD6F4FB9648E229E5D23361
SHA1: C1D5443F6F57F89BEF76EB9E7C070F911954553B
SHA256: 2523F94BD4FBA4AF76F4411FE61084A7E7D80DEC163C9CCBA9226C80B8B31252
Indicator: Malicious File Indicator
Type: File Hash Watchlist
File: Reports.lnk; REPORTS.LNK
Size (bytes): 1486
MD5: DCFD60883C73C3D92FCEB6AC910D5B80
SHA1: 1CB1C2CD9F59D4E83EB3C950473A772406EC6F1A
SHA256: 48B5FB3FA3EA67C2BC0086C41EC755C39D748A7100D71B81F618E82BF1C479F0
Indicator: Malicious File Indicator
Type: File Hash Watchlist
File: ICA-declass-16MAR21.pdf; ICA-declass.pdf
Size (bytes): 19782503
MD5: B40B30329489D342B2AA5EF8309AD388
SHA1: 738C20A2CC825AE51B2A2F786248F850C8BAB6F5
SHA256: 7D34F25AD8099BD069C5A04799299F17D127A3866B77EE34FFB59CFD36E29673
Indicator: Malicious IPv4 Indicator
Type: IP Watchlist
IP: 192.99.221.77
Indicator: Malicious IPv4 Indicator
Type: IP Watchlist
IP: 83.171.237.173
Indicator: Malicious FQDN Indicator
Type: Domain Watchlist
Domain: r20.rs6.net
T1566.001 - Phishing: Spearphishing Attachment - Initial Access
T1566.002 - Phishing: Spearphishing Link - Initial Access
T1204.001 - User Execution: Malicious Link - Execution
T1068 - Exploitation for Privilege Escalation - Privilege Escalation
T1083 - File and Directory Discovery - Discovery