The Sunburst attack, which is said to be one of the most sophisticated supply chain attacks in history, has got more secrets under its sleeves. Microsoft has been tracking SolarWinds attackers as Nobelium (previously Solarigate) and FireEye as UNC2542.
Making the headlines
Researchers from Microsoft and FireEye have discovered several new malware families, which are said to be used by SolarWinds attackers.
- These malware families are GoldMax, Sibot, and GoldFinder (by Microsoft), and Sunshuttle (by FireEye).
- The Nobelium hackers are said to be using the three newly discovered malware during late-stage activity between August and September 2020.
- However, this malware could have been dropped on compromised systems as early as June 2020.
According to Microsoft, these threats were used to maintain persistence and evade initial detection, along with performing actions on certain targeted networks post-compromise.
- GoldMax: Used as a command-and-control backdoor to hide malicious activity and evade detection. Further, it has a decoy network traffic generator to hide malicious network traffic with legit traffic.
- Sibot: Used for maintaining persistence and downloading other malware payloads via a second-stage script.
- GoldFinder: Custom HTTP tracer tool for identifying servers and redirectors such as network security devices used between the infected devices and C2 server.
Other critical info
- These threats were introduced after the actor gained access via compromised credentials, SolarWinds binary, after moving laterally with TEARDROP or other malicious actions.
- In addition, FireEye has shared information on another second-stage backdoor found on the servers of an organization compromised by the SolarWinds attackers. The new malware is dubbed Sunshuttle.
- However, based on the C2 domain, it can be said that Sunshuttle and GoldMax refer to the same malware strain, simultaneously discovered by the two agencies while working independently.
This new information has revealed capabilities that differ from previously identified Nobelium tools and attack tactics. At every stage of the attack, the attackers have shown a deep knowledge of software tools, security software, deployments, systems commonly used in networks, and techniques commonly used by incident response teams. This disclosure about new malware families is expected to provide a deeper understanding of SolarWinds supply chain attack.