The US Department of Justice has seized two domains that were used in the recent phishing attacks impersonating the U.S. Agency for International Development (USAID) to distribute malware and gain access to internal networks.
The two domains seized are theyardservice[.]com and worldhomeoutlet[.]com, which were used to receive data exfiltrated from victims of the targeted phishing attacks and to send further commands for the malware to execute on infected machines.
Microsoft disclosed these attacks last week and stated that they were conducted by a Russian state-sponsored hacking group known as NOBELIUM (also tracked as APT29, Cozy Bear, and The Dukes).
NOBELIUM carried out the phishing attacks by compromising a Contact account belonging to USAID that was used for email campaigns. Using this account, the threat actors impersonated USAID in phishing emails sent to around 3,000 email accounts at more than 150 different organizations, including government agencies and human rights organizations.
Recipients who clicked the links enclosed in these emails were directed to download malware from a subdomain of theyardservice[.]com.
The installed malware then deployed remote access tooling, such as Cobalt Strike beacons, which gave the attackers full access to the victims’ computers and ultimately to their networks.
The threat actor’s Cobalt Strike instance received its command-and-control (C2) traffic through other subdomains of theyardservice[.]com, as well as through the domain worldhomeoutlet[.]com. These are the two domains that the Department seized.
Microsoft shared the indicators of compromise (IOCs) for this campaign, listing a total of thirty-four domains used in some capacity during the attacks, including the two domains seized by the FBI.
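As an added example (not from the article or from Microsoft's IOC list), here is a small Python check a defender could run over proxy or DNS logs to find hosts under the two seized domains; the log lines below are constructed, and the matching is done per DNS label so that subdomains are caught while look-alike names are not.

```python
# Added example, not from the article: flag log entries whose hostnames fall
# under the two seized domains. Matching is label-aware, so any subdomain
# counts but a look-alike such as "nottheyardservice.com" does not.
import re

SEIZED_DOMAINS = ("theyardservice.com", "worldhomeoutlet.com")

# Constructed sample proxy log lines (hypothetical format, not real victim data).
SAMPLE_LOG = """\
2021-05-27T14:02:11Z src=10.0.0.12 host=cdn.theyardservice.com method=GET path=/
2021-05-27T14:02:15Z src=10.0.0.12 host=www.example.org method=GET path=/
2021-05-27T14:03:01Z src=10.0.0.19 host=nottheyardservice.com method=GET path=/
2021-05-27T14:05:40Z src=10.0.0.12 host=WORLDHOMEOUTLET.COM. method=POST path=/
"""

HOST_RE = re.compile(r"\bhost=(\S+)")
SRC_RE = re.compile(r"\bsrc=(\S+)")


def normalize_host(host):
    """Lower-case and strip a trailing root dot so 'A.B.' compares equal to 'a.b'."""
    return host.lower().rstrip(".")


def under_domain(host, domain):
    """True if host equals domain or is a subdomain of it (whole-label match)."""
    host = normalize_host(host)
    return host == domain or host.endswith("." + domain)


def matched_domain(host):
    """Return the seized domain that host falls under, or None."""
    for domain in SEIZED_DOMAINS:
        if under_domain(host, domain):
            return domain
    return None


def scan_log(text):
    """Return (source_ip, normalized_host, seized_domain) for each matching line."""
    hits = []
    for line in text.splitlines():
        host_match = HOST_RE.search(line)
        if not host_match:
            continue
        domain = matched_domain(host_match.group(1))
        if domain:
            src = SRC_RE.search(line)
            hits.append((src.group(1) if src else None,
                         normalize_host(host_match.group(1)), domain))
    return hits


if __name__ == "__main__":
    for src, host, domain in scan_log(SAMPLE_LOG):
        print(f"{src} contacted {host} (under seized domain {domain})")
```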
This operation was conducted by the FBI Washington Field Office, and it may help law enforcement better understand who was breached in this attack and notify the victims.