Categories: SecurityWorkspace

Researchers Identify More Malware Used By SolarWinds Hack Group

Microsoft and security firm FireEye have identified three new pieces of custom-made malware used by the attackers behind last year’s wide-ranging SolarWinds hacking campaign.

Microsoft said the newly identified hacking tools showed the hacking group’s sophistication, to the point that they evaded detection even during the initial phases of the response to the SolarWinds hack.

The attack group, which Microsoft calls Nobellium and FireEye calls UNC2542, is backed by the Russian government, according to US intelligence officials. Russia denies involvement.

The group infiltrated companies and US government departments via code planted inside SolarWinds’ Orion network management platform last year.

Custom-made malware

But Microsoft said in an analysis that Nobellium was also found to have attacked companies through other means, such as the use of stolen credentials.

The three new malware tools were custom-made for particular organisations’ networks, and were meant to be deployed after those organisations had already been successfully infiltrated, Microsoft and FireEye said.

They were used by Nobellium to maintain its persistence on the network and perform actions such as carrying out commands retrieved from a remote command-and-control server.

“In all stages of the attack, the actor demonstrated a deep knowledge of software tools, deployments, security software and systems common in networks, and techniques frequently used by incident response teams,” Microsoft said in its analysis.

Persistence

“This knowledge is reflected in the actor’s operational decisions, from the choice of command-and-control (C2) infrastructure to the naming of scheduled tasks used to maintain persistence.”

Given the group’s use of custom-made tools, Microsoft said it is “likely” that additional components would be discovered as investigation work continues.

Microsoft and FireEye, both of which were compromised by Nobellium via the SolarWinds hack, are working together on the investigation.

The first malware tool, called GoldMax by Microsoft and Sunshuttle by FireEye, appears to be a second-stage backdoor dropped after a successful initial compromise, Microsoft said.

The tool is notable for selecting referrers from website URLs with a high level of perceived trust in order to make its communications with the C2 server appear legitimate.

Concealment

A second tool called Sibot is designed to achieve persistence on a network before downloading and executing a payload from a remote server.

Written in VBScript, the tool is given a name that makes it appear to be a legitimate Windows task, in order to evade detection.

The third tool, called GoldFinder, appears to be a custom HTTP tracer tool that logs communications with the command server in order to help the attackers conceal their presence, Microsoft said.

Microsoft’s analysis of the newly identified malware is available here, and FireEye’s analysis is here.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

SoftBank Promises To Invest $100bn In US

Japanese tech investment firm SoftBank promises to invest $100bn during Trump's second term to create…

14 hours ago

Synopsys, SiMa.ai To Collaborate On AI Car Chips

Synopsys to work with start-up SiMa.ai on joint offering to help accelerate development of AI…

14 hours ago

AI Start-Up Basis Raises $34m For Accountancy Agent

Start-up Basis raises $34m in Series A funding round for AI-powered accountancy agent to make…

15 hours ago

Databricks Raises $10bn In Huge AI Funding Round

Data analytics and AI start-up Databricks completes huge $10bn round from major venture capitalists as…

15 hours ago

Congo Files Complaints Against Apple Over Conflict Minerals

Congo files legal complaints against Apple in France, Belgium alleging company 'complicit' in laundering conflict…

16 hours ago