
Constant Contact Malicious Link Warning

Carefully examine links before clicking them in emails sent through Constant Contact, the popular email campaign service.

Any humanitarian organization that works directly with USAID, as well as those connected indirectly through another program, needs to be cautious with email links and should also scan for currently compromised networks.


Microsoft announced a sophisticated and widespread attack that sent 3,000 malicious links to 150 organizations. And the threat is still active.

Tom Burt, a vice president at Microsoft, stated on Thursday, May 27, that the hackers appeared to target "many humanitarian and human rights organizations".

Microsoft states that NOBELIUM, the threat actor that orchestrated the attacks against SolarWinds and is behind the SUNBURST backdoor, TEARDROP malware, GoldMax malware and other related components, is behind this spear-phishing campaign, which aims to compromise the networks of organizations that work with USAID.

[Screenshot: malicious USAID Constant Contact phishing email, courtesy of Microsoft.com]

Before opening any links in emails from Constant Contact or other email campaign services, always check the sender and hover over each link to see its real destination. Keep your operating system and your antivirus security software up to date.
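As an added example (not code from the original post), here is a PowerShell function that automates the hover check on a saved HTML email body: it lists each link and flags those whose visible text names one domain while the href goes somewhere else, or whose target is a bare IP address. The sample message and every domain in it are constructed placeholders.

```powershell
# Added example, not from the original post. Flags links a "hover over the
# link" check would catch: visible text naming one domain while the href points
# to another, or an href whose host is a bare IP address.
function Get-SuspiciousLinks {
    param([Parameter(Mandatory)][string]$HtmlBody)

    $pattern = '<a\s+[^>]*href\s*=\s*["'']([^"'']+)["''][^>]*>(.*?)</a>'
    $anchors = [regex]::Matches($HtmlBody, $pattern, 'IgnoreCase, Singleline')

    foreach ($a in $anchors) {
        $href = $a.Groups[1].Value
        # Strip any tags from the visible link text
        $text = ($a.Groups[2].Value -replace '<[^>]+>', '').Trim()

        $hrefHost = ''
        try { $hrefHost = ([System.Uri]$href).Host.ToLower() } catch { }

        # If the visible text itself looks like a URL or domain, take its host
        $textHost = ''
        if ($text -match '^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})') {
            $textHost = $Matches[1].ToLower()
        }

        $reasons = @()
        $mismatch = $textHost -and $hrefHost -and ($hrefHost -ne $textHost) -and (-not $hrefHost.EndsWith(".$textHost"))
        if ($mismatch) { $reasons += "visible text says $textHost but link goes to $hrefHost" }
        if ($hrefHost -match '^\d{1,3}(\.\d{1,3}){3}$') { $reasons += 'link target is a bare IP address' }

        [pscustomobject]@{
            Text       = $text
            Href       = $href
            Suspicious = ($reasons.Count -gt 0)
            Reason     = ($reasons -join '; ')
        }
    }
}

# Constructed sample body: one honest link, one that mimics a USAID notice.
# Placeholder domains only; nothing here is a real indicator.
$sampleBody = @'
<p>Read the report at <a href="https://www.example.org/report">https://www.example.org/report</a></p>
<p><a href="http://usaid.phishing-placeholder.invalid/download">https://www.usaid.gov/notice</a></p>
'@
Get-SuspiciousLinks -HtmlBody $sampleBody | Format-Table -AutoSize
```

Only the second link is flagged; the first has matching visible and actual hosts.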

What you can do if you suspect you may have been part of this compromise

For Microsoft Windows users, apply these mitigations to reduce the impact of this threat. Check Microsoft's published recommendations for the deployment status of monitored mitigations.


  1. Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
  2. Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. (EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.)
  3. Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
  4. Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
  5. Use device discovery to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.
  6. Enable multifactor authentication (MFA) to mitigate compromised credentials. Microsoft strongly encourages all customers to download and use passwordless solutions like Microsoft Authenticator to secure their accounts.
  7. For Office 365 users, see multifactor authentication support.
  8. For Consumer and Personal email accounts, see how to use two-step verification.
  9. Turn on the following attack surface reduction rule to block or audit activity associated with this threat: Block all Office applications from creating child processes. NOTE: Assess rule impact before deployment.
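As an added example (not from the original post or from Microsoft's documentation), the following PowerShell applies the endpoint-side items 1, 3 and 9 with the Defender Antivirus cmdlets and reads the result back. Items 2, 4 and 5 are Defender for Endpoint portal settings and items 6 to 8 are account settings, so they are not scriptable here; the rule id is Microsoft's published id for "Block all Office applications from creating child processes", and the script assumes an elevated session on a managed Windows device.

```powershell
# Added example, not from the original post. Applies items 1, 3 and 9 from the
# list above with Set-MpPreference / Add-MpPreference, then reads them back.
# Run from an elevated PowerShell on the device being hardened.
# Published ASR rule id: "Block all Office applications from creating child processes"
$officeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

# Item 1: cloud-delivered protection (MAPS) with sample submission
Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendAllSamples

# Item 3: network protection, which blocks access to known-malicious domains
Set-MpPreference -EnableNetworkProtection Enabled

# Item 9: start the ASR rule in audit mode, as the NOTE advises, so you can
# assess its impact in the Defender event log before switching it to Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids $officeChildProcRule `
                 -AttackSurfaceReductionRules_Actions AuditMode

# Read the settings back and show whether each one landed
$prefs = Get-MpPreference
$ruleAction = 'not set'
$ruleIds = @($prefs.AttackSurfaceReductionRules_Ids)
for ($i = 0; $i -lt $ruleIds.Count; $i++) {
    if ($ruleIds[$i] -ieq $officeChildProcRule) {
        $ruleAction = $prefs.AttackSurfaceReductionRules_Actions[$i]
    }
}

[pscustomobject]@{
    CloudProtection     = $prefs.MAPSReporting            # 2 = Advanced
    SampleSubmission    = $prefs.SubmitSamplesConsent     # 3 = SendAllSamples
    NetworkProtection   = $prefs.EnableNetworkProtection  # 1 = Enabled
    OfficeChildProcRule = $ruleAction                     # 2 = AuditMode, 1 = Block
}
```

After the audit period, rerun the Add-MpPreference line with `-AttackSurfaceReductionRules_Actions Enabled` to move the rule from audit to block.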


Indications you have been compromised


Antivirus Detection

Microsoft Defender Antivirus detects threat components as the following malware:


Trojan:Win32/NativeZone.C!dha
