Categories: SecurityWorkspace

Researchers Identify More Malware Used By SolarWinds Hack Group

Microsoft and security firm FireEye have identified three new pieces of custom-made malware used by the attackers behind last year’s wide-ranging SolarWinds hacking campaign.

Microsoft said the newly identified hacking tools showed the hacking group’s sophistication, to the point that they evaded detection even during the initial phases of the response to the SolarWinds hack.

The attack group, which Microsoft calls Nobellium and FireEye calls UNC2542, is backed by the Russian government, according to US intelligence officials. Russia denies involvement.

The group infiltrated companies and US government departments via code planted inside SolarWinds’ Orion network management platform last year.

Custom-made malware

But Microsoft said in an analysis that Nobellium was also found to have attacked companies through other means, such as the use of stolen credentials.

The three new malware tools were custom-made for particular organisations’ networks, and were meant to be deployed after those organisations had already been successfully infiltrated, Microsoft and FireEye said.

They were used by Nobellium to maintain its persistence on the network and perform actions such as carrying out commands retrieved from a remote command-and-control server.

“In all stages of the attack, the actor demonstrated a deep knowledge of software tools, deployments, security software and systems common in networks, and techniques frequently used by incident response teams,” Microsoft said in its analysis.


“This knowledge is reflected in the actor’s operational decisions, from the choice of command-and-control (C2) infrastructure to the naming of scheduled tasks used to maintain persistence.”

Given the group’s use of custom-made tools, Microsoft said it is “likely” that additional components would be discovered as investigation work continues.

Microsoft and FireEye, both of which were compromised by Nobellium via the SolarWinds hack, are working together on the investigation.

The first malware tool, called GoldMax by Microsoft and Sunshuttle by FireEye, appears to be a second-stage backdoor dropped after a successful initial compromise, Microsoft said.

The tool is notable for selecting referrers from website URLs with a high level of perceived trust in order to make its communications with the C2 server appear legitimate.


A second tool called Sibot is designed to achieve persistence on a network before downloading and executing a payload from a remote server.

Written in VBScript, the tool is given a name that makes it appear to be a legitimate Windows task, in order to evade detection.

The third tool, called GoldFinder, appears to be a custom HTTP tracer tool that logs communications with the command server in order to help the attackers conceal their presence, Microsoft said.

Microsoft’s analysis of the newly identified malware is available here, and FireEye’s analysis is here.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Bitcoin Value Reaches $63,000 Record High

The value of the Bitcoin cryptocurrency continues to fluctuate, but has now surpassed $63,000 in…

9 hours ago

Iran’s Natanz Cyberattack Blamed On Israel

Second Stuxnet? Iran's Natanz nuclear facility suffered another cyberattack at the weekend, with the finger…

11 hours ago

Google Founders Larry Page, Sergey Brin Personal Fortune Grows

Share surge in Alphabet over the past year allows founders Larry Page and Sergey Brin…

13 hours ago

Apple Teases New Devices With ‘Spring Loaded’ Event

New devices to be revealed next week may include new iPads, AirTags, or even augmented…

14 hours ago

Chip Shortage – Renault To Extend Idle Factories Until September

Three of Renault's four car factories in Spain will be partly idled until end of…

17 hours ago

NHS Website Crashes Briefly Amid Rush For Vaccine Bookings

After the government authorises Covid-19 vaccines for over 45s, NHS booking website crashes briefly under…

17 hours ago