Categories: SecurityWorkspace

Researchers Identify More Malware Used By SolarWinds Hack Group

Microsoft and security firm FireEye have identified three new pieces of custom-made malware used by the attackers behind last year’s wide-ranging SolarWinds hacking campaign.

Microsoft said the newly identified hacking tools showed the hacking group’s sophistication, to the point that they evaded detection even during the initial phases of the response to the SolarWinds hack.

The attack group, which Microsoft calls Nobellium and FireEye calls UNC2542, is backed by the Russian government, according to US intelligence officials. Russia denies involvement.

The group infiltrated companies and US government departments via code planted inside SolarWinds’ Orion network management platform last year.

Custom-made malware

But Microsoft said in an analysis that Nobellium was also found to have attacked companies through other means, such as the use of stolen credentials.

The three new malware tools were custom-made for particular organisations’ networks, and were meant to be deployed after those organisations had already been successfully infiltrated, Microsoft and FireEye said.

They were used by Nobellium to maintain its persistence on the network and perform actions such as carrying out commands retrieved from a remote command-and-control server.

“In all stages of the attack, the actor demonstrated a deep knowledge of software tools, deployments, security software and systems common in networks, and techniques frequently used by incident response teams,” Microsoft said in its analysis.


“This knowledge is reflected in the actor’s operational decisions, from the choice of command-and-control (C2) infrastructure to the naming of scheduled tasks used to maintain persistence.”

Given the group’s use of custom-made tools, Microsoft said it is “likely” that additional components would be discovered as investigation work continues.

Microsoft and FireEye, both of which were compromised by Nobellium via the SolarWinds hack, are working together on the investigation.

The first malware tool, called GoldMax by Microsoft and Sunshuttle by FireEye, appears to be a second-stage backdoor dropped after a successful initial compromise, Microsoft said.

The tool is notable for selecting referrers from website URLs with a high level of perceived trust in order to make its communications with the C2 server appear legitimate.


A second tool called Sibot is designed to achieve persistence on a network before downloading and executing a payload from a remote server.

Written in VBScript, the tool is given a name that makes it appear to be a legitimate Windows task, in order to evade detection.

The third tool, called GoldFinder, appears to be a custom HTTP tracer tool that logs communications with the command server in order to help the attackers conceal their presence, Microsoft said.

Microsoft’s analysis of the newly identified malware is available here, and FireEye’s analysis is here.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Vodafone To Hire 7,000 In Digital Services Push

British mobile giant Vodafone to hire thousands of software engineers to assist in its digital…

3 hours ago

Donald Trump To Launch ‘TRUTH Social’ Media Platform

Third time the charm? After indefinite ban on Twitter, and closure of short-lived website, Donald…

4 hours ago

Facebook Fined $70 Million By UK’s CMA

After Facebook questions the authority of the British competition watchdog, the CMA fines the social…

18 hours ago

Alphabet’s Wing Begins Drone Deliveries In Texas

Drone specialist Wing partners with Walgreens in the US to begin deliveries in major metropolitan…

19 hours ago

FCC Urged To Address Spy Risk To US Telecom Networks

American senators have urged the US communications watchdog to address surveillance threats posed by foreign…

21 hours ago

Chip Shortage Could See Renault Confirm More Production Cuts

French car maker Renault expects to produce 300,000 to 400,000 less vehicles this year, as…

21 hours ago