
Researchers Identify More Malware Used By SolarWinds Hack Group

Microsoft and security firm FireEye have identified three new pieces of custom-made malware used by the attackers behind last year’s wide-ranging SolarWinds hacking campaign.

Microsoft said the newly identified hacking tools showed the hacking group’s sophistication, to the point that they evaded detection even during the initial phases of the response to the SolarWinds hack.

The attack group, which Microsoft calls Nobelium and FireEye calls UNC2542, is backed by the Russian government, according to US intelligence officials. Russia denies involvement.

The group infiltrated companies and US government departments via code planted inside SolarWinds’ Orion network management platform last year.

Custom-made malware

But Microsoft said in an analysis that Nobelium was also found to have attacked companies through other means, such as the use of stolen credentials.

The three new malware tools were custom-made for particular organisations’ networks, and were meant to be deployed after those organisations had already been successfully infiltrated, Microsoft and FireEye said.

They were used by Nobelium to maintain its persistence on the network and perform actions such as carrying out commands retrieved from a remote command-and-control server.

“In all stages of the attack, the actor demonstrated a deep knowledge of software tools, deployments, security software and systems common in networks, and techniques frequently used by incident response teams,” Microsoft said in its analysis.

Persistence

“This knowledge is reflected in the actor’s operational decisions, from the choice of command-and-control (C2) infrastructure to the naming of scheduled tasks used to maintain persistence.”

Given the group’s use of custom-made tools, Microsoft said it is “likely” that additional components would be discovered as investigation work continues.

Microsoft and FireEye, both of which were compromised by Nobelium via the SolarWinds hack, are working together on the investigation.

The first malware tool, called GoldMax by Microsoft and Sunshuttle by FireEye, appears to be a second-stage backdoor dropped after a successful initial compromise, Microsoft said.

The tool is notable for selecting referrers from website URLs with a high level of perceived trust in order to make its communications with the C2 server appear legitimate.
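A defender-side heuristic for the referrer trick described above, added here as an example and not taken from the article or from Microsoft's or FireEye's analysis. A genuine click-through from a trusted site is preceded, in the same proxy log, by that client fetching the trusted site; a beacon that merely attaches a trusted Referer header leaves no such visit. The log format, field layout, host names and all sample lines are constructed assumptions.

```python
"""Spot outbound requests whose Referer points at a site the client never visited.

Added example (not the article's or the vendors' code). Models the GoldMax /
Sunshuttle blending trick: C2 requests carrying a Referer from a well-known,
trusted site. Log format and sample lines are constructed.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log: "<timestamp> <client_ip> <method> <url> <referer-or-dash>"
SAMPLE_LOG = """\
2021-03-04T09:00:01 10.0.0.5 GET https://www.google.com/search?q=quarterly+report -
2021-03-04T09:00:04 10.0.0.5 GET https://intranet.example.internal/reports/q4.pdf https://www.google.com/search?q=quarterly+report
2021-03-04T09:15:10 10.0.0.9 GET https://updates.example-vendor.test/api/v1/check https://www.facebook.com/
2021-03-04T09:20:10 10.0.0.9 GET https://updates.example-vendor.test/api/v1/check https://www.google.com/
2021-03-04T09:25:10 10.0.0.9 GET https://updates.example-vendor.test/api/v1/check https://twitter.com/
"""


def parse_line(line):
    """Split one constructed log line into a record with host names extracted."""
    ts, client, method, url, referer = line.split()
    return {
        "ts": ts,
        "client": client,
        "method": method,
        "host": urlparse(url).hostname,
        "url": url,
        "referer_host": None if referer == "-" else urlparse(referer).hostname,
    }


def find_orphan_referers(log_text):
    """Return records whose Referer host was never requested earlier by the same client.

    A real navigation leaves the referring site in the log before the follow-on
    request; a fabricated Referer has no such predecessor (an "orphan").
    """
    visited = defaultdict(set)  # client -> hosts it has requested so far
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        ref = rec["referer_host"]
        if ref and ref != rec["host"] and ref not in visited[rec["client"]]:
            findings.append(rec)
        visited[rec["client"]].add(rec["host"])
    return findings


def summarise(findings):
    """Group orphan-Referer hits by (client, destination).

    One destination hit repeatedly with a rotating set of trusted referers is the
    beaconing shape worth a closer look; a single stray hit is usually noise.
    """
    grouped = defaultdict(set)
    for rec in findings:
        grouped[(rec["client"], rec["host"])].add(rec["referer_host"])
    return {key: sorted(refs) for key, refs in grouped.items()}


if __name__ == "__main__":
    for (client, host), refs in summarise(find_orphan_referers(SAMPLE_LOG)).items():
        print(f"{client} -> {host}: orphan referers {refs}")
```

In the constructed log the intranet download from 10.0.0.5 is cleared because the Google search preceded it, while 10.0.0.9's three hits on the same endpoint, each claiming a different trusted referer with no prior visit, are grouped into one finding. On real data the first pass is only a triage filter: CDN prefetches and links opened from e-mail clients also produce orphan referers, so the grouping step and a per-destination count threshold do most of the work.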

Concealment

A second tool called Sibot is designed to achieve persistence on a network before downloading and executing a payload from a remote server.

Written in VBScript, the tool is given a name that makes it appear to be a legitimate Windows task, in order to evade detection.
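The scheduled-task naming described here, and in Microsoft's quote above about task names chosen to maintain persistence, suggests an audit that ignores the task name and looks at what the task actually executes. The check below is an added example, not from the article or from Microsoft's or FireEye's analysis: it flags a script host launching a script from outside the system directories, and a task with a Microsoft-looking name or folder whose binary lives somewhere unexpected. The task records, the look-alike names and the trusted-directory list are constructed assumptions; on a real host the records would come from `schtasks /query /fo CSV /v` or `Get-ScheduledTask`.

```python
"""Audit scheduled-task records for script-based persistence behind look-alike names.

Added example (not the article's or the vendors' code). Task records and the
flagged names are constructed; nothing here is a real indicator.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".hta", ".ps1")
# Assumed trusted locations for task binaries and scripts (constructed policy).
TRUSTED_DIRS = ("c:/windows/", "c:/program files/", "c:/program files (x86)/")

# Constructed records: name, task folder path, and the action command line.
SAMPLE_TASKS = [
    {"name": "MicrosoftEdgeUpdateTaskMachineCore", "path": "\\",
     "action": '"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe" /c'},
    {"name": "SilentCleanup", "path": "\\Microsoft\\Windows\\DiskCleanup",
     "action": "%windir%\\system32\\cleanmgr.exe /autoclean"},
    {"name": "Microsoft Windows Telemetry Update", "path": "\\",
     "action": "C:\\Windows\\System32\\wscript.exe /b C:\\ProgramData\\Updates\\update.vbs"},
    {"name": "MicrosoftEdgeUpdateTaskUser", "path": "\\Microsoft\\Windows\\EdgeUpdate",
     "action": "C:\\Users\\Public\\Libraries\\edgeupdate.exe /silent"},
]


def normalise(path):
    """Lower-case, forward-slash form with %windir%/%SystemRoot% expanded."""
    p = path.lower().replace("\\", "/")
    return p.replace("%windir%", "c:/windows").replace("%systemroot%", "c:/windows")


def in_trusted_dir(path):
    return normalise(path).startswith(TRUSTED_DIRS)


def split_action(action):
    """Return (executable, argument string); the executable may be quoted."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))\s*(.*)$', action)
    return (m.group(1) or m.group(2)), m.group(3)


def tokens(args):
    """Argument tokens with surrounding quotes removed (quoted paths may hold spaces)."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', args)]


def audit_task(task):
    """Return a list of reasons this task deserves review; empty means nothing found."""
    reasons = []
    exe, args = split_action(task["action"])
    exe_name = normalise(exe).rsplit("/", 1)[-1]

    # Rule 1: a script host running a script from outside the trusted directories.
    if exe_name in SCRIPT_HOSTS:
        for tok in tokens(args):
            if tok.lower().endswith(SCRIPT_EXTS):
                if not in_trusted_dir(tok):
                    reasons.append(f"{exe_name} runs a script outside system dirs: {tok}")
                break

    # Rule 2: a Microsoft-looking name or folder whose binary is not in a trusted dir.
    looks_builtin = (task["name"].lower().startswith("microsoft")
                     or normalise(task["path"]).startswith("/microsoft/"))
    if looks_builtin and not in_trusted_dir(exe):
        reasons.append(f"built-in-looking task launches untrusted binary: {exe}")
    return reasons


def audit_tasks(tasks):
    """Map task name -> reasons for every task that triggered at least one rule."""
    flagged = {}
    for task in tasks:
        reasons = audit_task(task)
        if reasons:
            flagged[task["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in audit_tasks(SAMPLE_TASKS).items():
        print(name, "->", "; ".join(reasons))
```

The two genuine-looking records pass because their binaries sit under the Windows or Program Files trees, while the VBScript task is flagged for what it runs rather than what it is called. The trusted-directory list is deliberately a policy knob: an environment that legitimately schedules scripts from a deployment share should add that share rather than widen the rules.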

The third tool, called GoldFinder, appears to be a custom HTTP tracer tool that logs communications with the command server in order to help the attackers conceal their presence, Microsoft said.

Microsoft’s analysis of the newly identified malware is available here, and FireEye’s analysis is here.

Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
