Researchers uncover 3 more malware strains linked to SolarWinds hackers. FireEye and security researchers with the Microsoft Threat Intelligence Center (MSTIC) have discovered three more malware strains connected to the SolarWinds supply-chain attack, including a "sophisticated second-stage backdoor".
Microsoft and FireEye published blog posts showing several new pieces of malware that they believe are linked to the hackers behind the supply chain attack.
Microsoft also took the opportunity to name the actor behind the attacks against SolarWinds as NOBELIUM, which is also being tracked under different monikers by the cybersecurity community, including UNC2452 (FireEye), SolarStorm (Palo Alto Unit 42), StellarParticle (CrowdStrike), and Dark Halo (Volexity).
New Malware Strains
According to Microsoft, these malware strains come with the following capabilities:
- GoldMax: Go-based malware used as a command-and-control (C2) backdoor that hides malicious activity and evades detection. The malware allows its operators to download and execute files on the compromised device and to upload files to the C2 server.
- Sibot: VBScript-based malware used to maintain persistence on the compromised computer and to download and execute additional payloads from a remote server by way of a second-stage script.
- GoldFinder: Go-based malware "most likely" used as a custom HTTP tracer tool for identifying the servers and redirectors, such as network security devices, that sit between an infected device and the C2 server. GoldFinder can reveal the HTTP proxy servers, network security devices and other systems that a request passes through before it reaches the C2 server.
The blog post published by FireEye also details GoldMax, which the company tracks as SUNSHUTTLE. FireEye described SUNSHUTTLE as a second-stage backdoor and said it had seen the malware on the systems of an organization targeted by the SolarWinds hackers, whom it tracks as UNC2452.
SolarWinds has been targeted by at least two threat groups. One of them, which has been linked to Russia, was behind the supply chain attack that involved hacking into SolarWinds’ networks and the delivery of malware to thousands of its customers. This is the threat group that is believed to have used the malware described this week by Microsoft and FireEye.
Microsoft believes as many as 1,000 hackers were involved in this attack, but many experts have expressed doubt about that claim. SolarWinds was also targeted by an unrelated threat actor believed to be operating out of China. That actor did not compromise SolarWinds' own systems; instead, after gaining access to a targeted organization's network, it exploited a zero-day vulnerability in a SolarWinds product.