As threat researchers continue to sift through the debris from the massive SolarWinds supply chain attack, three new strains of malware are discovered. In dual reports issued last Thursday by FireEye and Microsoft, the research teams disclose the newly discovered strains, including one they labeled as a “sophisticated second-stage backdoor.”
What They Found
Data Breach Today reported last week that “In the reports released Thursday, both Microsoft and FireEye note that these newly uncovered malware variants likely served as malicious payloads to connect and communicate with command-and-control servers and helped the attackers maintain persistence within the compromised networks and devices.”
In an attempt to deconstruct the attack, threat researchers pour over all the evidence to learn more about the criminals and their techniques. The three newly discovered strains of malware are called GoldMax, GoldFinder, and Sibot. The previous four tools discovered in the attack were dubbed Sunspot, Sunburst, Teardrop, and Raindrop.
Threat researchers have maintained that they believe Russian intelligence operatives carried out the entire enterprise.
The Hacker News noted that “These tools are new pieces of malware that are unique to this actor,” Microsoft said;
“They are tailor-made for specific networks and are assessed to be introduced after the actor has gained access through compromised credentials or the SolarWinds binary and after moving laterally with Teardrop and other hands-on-keyboard actions.”
Microsoft has created a name for the threat actors behind the SolarWinds attack, NOBELIUM. According to The Hacker News, other agencies use their own vernacular to refer to the group. Some examples include UNC2452 (FireEye), SolarStorm (Palo Alto Unit 42), StellarParticle (CrowdStrike), and Dark Halo (Volexity).
The hacker group used Sunspot to inject the Sunburst backdoor into SolarWinds Orion products, and then Teardrop and Raindrop to travel across the network and deliver the Cobalt Strike Beacon.
GoldMax (Golang-based malware aka SUNSHUTTLE)
The GoldMax piece of the puzzle was used as malware to create a secure, solid connection between the compromised device and the hacker-controlled server. The malware then listened and waited for commands to execute, including downloading files, uploading files, or changing operating system settings on the infected server. GoMax is very sophisticated and cloaks its network traffic with legitimate traffic URLs like www.bing.com, www.yahoo.com, www.facebook.com, www.twitter.com, and www.google.com. The feature of “blending in” made it extremely difficult to identify.
The Hacker News defined GoldFinder as “Goldfinder, also written in Go, is an HTTP tracer tool for logging the route a packet takes to reach a C2 server.”
Sibot, on the other hand, is written in VBScript and has dual purposes. First, it is designed to achieve persistence on the compromised equipment, then it downloads and executes a payload from the C2 server. “Microsoft reported finding three obfuscated variants of Sibot.”
The Bottom Line
Microsoft noted in their report that “These capabilities differ from previously known NOBELIUM tools and attack patterns and reiterate the actor’s sophistication. In all stages of the attack, the actor demonstrated a deep knowledge of software tools, deployments, security software and systems common in networks, and techniques frequently used by incident response teams.”
As the drama surrounding the SolarWinds supply chain attack continues, new reports keep surfacing, filling in the massive blanks as to who, what, why, and when. Although threat researchers suspect that the initial attack took place in September 2019, the enormity of the damage was not discovered until almost a year later, in August 2020. Teams from various affected companies continue to dig through the wreckage to uncover the truth, which may ultimately lead to law enforcement bringing the criminals to justice.