Justice Department announces court-authorized seizure of domain names used in furtherance of spear-phishing campaign posing as U.S. Agency for International Development.
According to court orders issued in the Eastern District of Virginia, “the United States seized two command-and-control (C2) and malware distribution domains used in a recent spear-phishing activity that mimicked email communications from the U.S. Agency for International Development (USAID).”
Seizure of the Two Domains to Disrupt Malicious Actors
Microsoft has issued a security alert last week that Nobelium, a Russian group that had been behind the SolarWinds cyber attack identified last year, had turned to target government agencies, think tanks, consultants, and non-governmental organizations.
Seized two domains were used during this recent phishing campaign that targeted a marketing firm used by the U.S. Agency for International Development – USAID – to send spear-phishing emails and containing a “special alert,” to thousands of email accounts at over one hundred entities.
The malicious links within the phishing emails were designed to eventually redirect the user to a landing page that is controlled by the attackers so that a malicious ISO file would be installed on the victim’s device, according to Microsoft researchers.
Subsequently, that file would install a Dynamic Link Library that contains a customized Cobalt Strike Beacon loader, which Microsoft calls “NativeZone.”
“Upon clicking on a spear-phishing email’s hyperlink, the victim computer was directed to download malware from a sub-domain of theyardservice[.]com. Using that initial foothold, the actors then downloaded the Cobalt Strike tool to maintain a persistent presence and possibly deploy additional tools or malware to the victim’s network”.
“The actors’ instance of the Cobalt Strike tool received C2 communications via other subdomains of theyardservice[.]com, as well as the domain worldhomeoutlet[.]com. It was those two domains that the Department seized under the court’s seizure order”, according to the Justice Department.
Therefore, the Department’s seizure of the two domains was aimed at disrupting the malicious actors’ follow-on exploitation of victims, as well as identifying compromised victims.
Assistant Attorney General John C. Demers of the Justice Department’s National Security Division mentions that “Last week’s action is a continued demonstration of the department’s commitment to proactively disrupt hacking activity before the conclusion of a criminal investigation”.
“Cyber intrusions and spear-phishing email attacks can cause widespread damage throughout affected computer networks, and can result in significant harm to individual victims, government agencies, NGOs, and private businesses,” said Acting U.S. Attorney Raj Parekh for the Eastern District of Virginia.
“These actions demonstrate our ability to quickly respond to malicious cyber activities by leveraging our unique authorities to disrupt our cyber adversaries”, said Assistant Director in Charge Steven M. D’Antuono of the FBI’s Washington Field Office.
Assistant Director Bryan Vorndran of the FBI’s Cyber Division says “We will continue to use all of the tools in our toolbelt and leverage our domestic and international partnerships to not only disrupt this type of hacking activity but to impose risk and consequences upon our adversaries to combat these threats.”