According to ESET's T3 2021 Threat Report shared with The Hacker News, the intrusions paved the way for the deployment of the Cobalt Strike Beacon on compromised systems, which was then used as a foothold to drop additional malware that gathered information about the host and other machines on the same network.
The advanced persistent threat group, also tracked under the names The Dukes, Cozy Bear, and Nobelium, is a vicious cyberespionage group that has been active for over a decade, targeting Europe and the United States long before it gained widespread attention for the 2020 SolarWinds supply chain compromise, which led to further infections at many downstream organizations, including U.S. government agencies.
The spear phishing attacks began with a COVID-19-themed phishing email impersonating Iran's Ministry of Foreign Affairs and carrying an HTML attachment that, when opened, prompted recipients to open or save what looked like an ISO disc image file ("Covid.iso").
If the victim chooses to open or download the file, "a small piece of JavaScript decodes the ISO file directly embedded in the HTML attachment." The disk image contains an HTML application (HTA), which is in turn executed with mshta.exe to run a piece of PowerShell code that installs the Cobalt Strike Beacon on the infected system.
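The two stages described above (an HTML attachment whose script decodes an embedded disc image, then mshta.exe launching PowerShell from the mounted HTA) each leave a detectable trace. The following is an added example, not code from ESET or The Hacker News: a small Python triage script that scores an HTML attachment for HTML-smuggling indicators and flags the mshta.exe-to-PowerShell parent/child relationship in process-creation events. The sample HTML, the event records, the field names (`parent_image`, `image`) and the thresholds are all constructed assumptions for the demonstration; the base64 payload is a placeholder run of characters, not a real disc image.

```python
import re
from dataclasses import dataclass

# --- Stage 1: HTML attachment heuristics ------------------------------------
# Browser APIs that a smuggling page needs in order to decode an embedded blob
# and hand it to the user as a download. One hit is common in benign pages;
# several together plus a large base64 run plus a disc-image file name is not.
SMUGGLING_API_PATTERNS = [
    r"\batob\s*\(",
    r"new\s+Blob\s*\(",
    r"createObjectURL\s*\(",
    r"msSaveOrOpenBlob\s*\(",
]
# Quoted download names ending in a mountable disc/disk image extension.
DISK_IMAGE_NAME_RE = re.compile(r"""['"]([^'"]+\.(?:iso|img|vhd|vhdx))['"]""", re.I)
# A long unbroken base64 run (threshold is an assumption; tune per environment).
BASE64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{2000,}={0,2}")


def score_html_attachment(html: str) -> dict:
    """Return the indicators found and a combined verdict for one attachment."""
    api_hits = [p for p in SMUGGLING_API_PATTERNS if re.search(p, html)]
    image_names = DISK_IMAGE_NAME_RE.findall(html)
    has_blob = BASE64_BLOB_RE.search(html) is not None
    suspicious = len(api_hits) >= 2 and has_blob and bool(image_names)
    return {
        "api_hits": api_hits,
        "disk_image_names": image_names,
        "has_large_blob": has_blob,
        "suspicious": suspicious,
    }


# --- Stage 2: process-creation events ---------------------------------------
@dataclass
class ProcEvent:
    parent_image: str  # full path of the parent process (assumed field name)
    image: str         # full path of the created process (assumed field name)


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def is_mshta_to_powershell(ev: ProcEvent) -> bool:
    """True when mshta.exe (the HTA host) spawns a PowerShell interpreter."""
    return _basename(ev.parent_image) == "mshta.exe" and \
        _basename(ev.image) in ("powershell.exe", "pwsh.exe")


def find_suspicious_chains(events: list) -> list:
    """Indices of events matching the HTA -> PowerShell pattern."""
    return [i for i, ev in enumerate(events) if is_mshta_to_powershell(ev)]


# --- Constructed sample inputs (not real samples) ----------------------------
SAMPLE_HTML = (
    '<html><body><script>\n'
    'var data = "' + "A" * 2100 + '";\n'  # placeholder blob, not a real image
    'var bytes = atob(data);\n'
    'var blob = new Blob([bytes], {type: "application/octet-stream"});\n'
    'var a = document.createElement("a");\n'
    'a.href = URL.createObjectURL(blob); a.download = "Covid.iso"; a.click();\n'
    '</script></body></html>'
)
BENIGN_HTML = "<html><body><p>Quarterly update attached.</p></body></html>"

SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r"C:\Windows\System32\conhost.exe"),
]

if __name__ == "__main__":
    for name, html in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        print(name, score_html_attachment(html))
    print("suspicious process chains at indices:", find_suspicious_chains(SAMPLE_EVENTS))
```

The attachment check is deliberately conjunctive: any one indicator alone produces false positives on legitimate pages, so the verdict requires decoding APIs, a large embedded blob and a disc-image download name together. The process check is narrow on purpose as well; a broader rule could also raise an alert on mshta.exe executing from a mounted drive letter, but that depends on how the sensor records the current directory of the HTA, which the page does not describe.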