Microsoft has published a new report shedding light on three new malware strains used by a threat actor, which it is now tracking as Nobelium, to compromise software firm SolarWinds and its customers in a supply-chain attack last year, which is described as “the largest, most sophisticated attack ever.”
The tech giant said it discovered three new pieces of malware in some compromised customer networks and observed them to be in use from August to September 2020, with infections dating back as far as June 2020. The three malware strains are:
GoldMax - a command-and-control (C2) backdoor written in Go. It uses several different techniques to obfuscate its actions and evade detection. GoldMax has a decoy network traffic generator that allows it to surround its malicious network traffic with seemingly benign traffic.
Sibot - a dual-purpose malware implemented in VBScript, designed to achieve persistence on the infected machine and then download and execute a payload from a remote C2 server.
GoldFinder - another Go-based malware that is likely used as a custom HTTP tracer tool that logs the route or hops that a packet takes to reach a hardcoded C2 server. On a compromised device, GoldFinder can be used to inform the threat actor of potential points of discovery or logging of their other actions, such as C2 communication with GoldMax.
“These tools are new pieces of malware that are unique to this actor. They are tailor-made for specific networks and are assessed to be introduced after the actor has gained access through compromised credentials or the SolarWinds binary and after moving laterally with TEARDROP and other hands-on-keyboard actions,” Microsoft said. “Microsoft assesses that the newly surfaced pieces of malware were used by the actor to maintain persistence and perform actions on very specific and targeted networks post-compromise, even evading initial detection during incident response.”
Cybersecurity firm FireEye also released a report on a new second-stage backdoor, which it dubbed Sunshuttle. The company believes that this malware is connected to the threat actor behind the SolarWinds breach, which is tracked by security researchers as UNC2452 (FireEye), StellarParticle (CrowdStrike), SolarStorm (Palo Alto Unit 42), Dark Halo (Volexity), and now Nobelium (Microsoft).
Sunshuttle is a backdoor, written in Go, that reads an embedded or local configuration file, communicates with its C2 server over HTTPS and supports commands including remotely updating its configuration, file upload and download, and arbitrary command execution.
Last month, Microsoft revealed that the SolarWinds hackers gained access to some repositories and downloaded source code for three of the company’s products, namely the cloud computing service Azure, the cloud-based management solution Intune and the mail and calendar server Exchange. In all cases the hackers only downloaded a small subset of files, Microsoft said, and search terms used by the threat actor indicate that they were interested in the company’s secrets.