Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

05:15 PM
Connect Directly

Microsoft, FireEye Uncover More Malware Used in the SolarWinds Campaign

Newly discovered tools were designed for late-stage use after the attackers had already established a relatively firm presence on a breached network, vendors say.

Like the proverbial layers of an onion, researchers investigating the breach at SolarWinds and the numerous related network intrusions that resulted from it have kept discovering new facets to the attack the more they've peeled away at it.

The latest is Microsoft, which Thursday disclosed that it has uncovered three more malware tools that the attackers used in their campaign to spy on and steal data from government agencies and some of the largest companies in the world.

Related Content:

How SolarWinds Busted Up Our Assumptions About Code Signing

Special Report: How IT Security Organizations Are Attacking the Cybersecurity Problem

New From The Edge: Cybercrime 'Help Wanted': Job Hunting on the Dark Web

In a new report, Microsoft describes the three new tools as late-stage malware that the attackers appear to have used once they had already established a relatively firm foothold on victim networks. The company identifies the tools as GoldMax, a command-and-control (C2) backdoor for the attackers; Sibot, a tool for maintaining persistence on a breached network; and GoldFinder, a HTTP tracer tool for logging the route a packet takes to reach a C2 server. Each of the tools were tailor-made for use on specific networks, which is in keeping with the attacker's practice of using unique malware and infrastructure for each victim, Microsoft says.

In a simultaneous report, FireEye says it, too, has discovered the second-stage GoldMax backdoor targeting a US-based entity. The security vendor, however, is calling the backdoor SUNSHUTTLE.

Microsoft researchers discovered the new tools on customer networks that had been compromised via SolarWinds or through other means. According to the company, its analysis showed the tools had been present on some networks as early as June 2020. The SolarWinds breach itself — and the broader campaign that it was part of — was not discovered until months later, in December 2020.

"These tools are new pieces of malware that are unique to this actor," members of Microsoft threat intelligence and security team say in the report. "They are tailor-made for specific networks and are assessed to be introduced after the actor has gained access through compromised credentials or the SolarWinds binary." The tools appear to be designed for use after the attackers had already moved laterally on a compromised network and after they had carried out what is known as hands-on-keyboard actions on it, Microsoft says.

The company has formally named the group it believes is behind the whole campaign NOBELIUM. Most others that have been tracking the threat, such as FireEye, are currently still tracking the group as an unknown entity. FireEye has been tracking the activity so far as UNC2542.

FireEye says its Mandiant threat intelligence group had discovered SUNSHUTTLE (aka GoldMax) when a US-based entity uploaded it to a public malware repository. "Someone uploaded a file to a malware repository and the metadata on the upload suggests it was from the US," says Ben Read, senior manager of analysis at Mandiant Threat Intelligence. "We don't have anything else to share on the uploader."

The attack on SolarWinds — believed to have been initiated sometime late 2019 — is widely regarded as one of the most significant cyber breaches in recent memory, both for its sophistication and its targeting. Many, including the US government, have said the attack was the work of a highly skilled, well-resourced state-backed group operating out of Russia. But vendors investigating the breach have so far said they have not been able to pin the attacks with certainty on any country.

The attack involved the threat actors gaining access to SolarWinds' software development process and injecting a poisoned binary — called SUNBURST — into legitimate signed updates of the company's Orion network management software. The poisoned updates were distributed undetected to thousands of SolarWinds customers over a period of several months before the attackers themselves quietly removed the malware from the SolarWinds updates. Some 18,000 customers received the poisoned updates, but only a small handful of them appeared to have been of interest to the attacker. On these networks, the attacker used the SUNBURST backdoor to deploy a second-stage memory-only malware tool called Teardrop, which in turn was to deploy the Cobalt Strike attack kit. The attackers used those tools and other mechanisms to move laterally on breached networks and maintain persistence.

Researchers later discovered that the same attackers had used means other than the SolarWinds software updates to access networks. Some of these methods included credential theft and password-guessing and password-spraying attacks. On networks breached this way, the attackers installed a different second-stage payload called Raindrop — which, like Teardrop, was used to download additional malware tools.

Growing List of Malware Tools
This week's disclosures from Microsoft and FireEye add to the growing list of tools that researchers are discovering were used in the campaign.

Microsoft described GoldMax as written in the Go programming language and being used for encrypted C2 communications. Like all other malware tools used in the SolarWinds campaign, GoldMax also uses several different techniques to hide itself on networks and avoid detection. One of them was a mechanism that to generate decoy traffic so malicious traffic would be surrounded by seemingly benign traffic. The C2 domains themselves were high-reputation domains of the sort unlikely to be flagged by security products for being too new or too freshly registered.

In its report, FireEye describes GoldMax/SUNSHUTTLE as a sophisticated backdoor with "straightforward but elegant" detection-evasion techniques. "It's a separate tool that would be used in different circumstances," says Brandan Schondorfer, principal consultant at Mandiant Threat Intelligence. "SUNSHUTTLE and further activity extend our understanding of the breadth of [the threat actor's] capabilities and access to extensive tooling," he says.

Sibot, meanwhile, is a dual-purpose tool implemented in VBScript for maintaining persistence and for executing malicious payloads from the C2 server. Microsoft says its analysis uncovered three versions of the malware, each one with slightly functionality.

GoldFinder, the third new tool that Microsoft uncovered, also is written in the Go language, like GoldMax. It's HTTP tracing function appears to have been designed to inform the threat actors of any points of discovery or points of logging of their malicious activities on a compromised network, Microsoft says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-22
Improper authorization in handler for custom URL scheme vulnerability in ????????? (asken diet) for Android versions from v.3.0.0 to v.4.2.x allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App.
PUBLISHED: 2021-06-22
Cross-site scripting vulnerability in Welcart e-Commerce versions prior to 2.2.4 allows remote attackers to inject arbitrary script or HTML via unspecified vectors.
PUBLISHED: 2021-06-22
Cross-site scripting vulnerability in ETUNA EC-CUBE plugins (Delivery slip number plugin (3.0 series) 1.0.10 and earlier, Delivery slip number csv bulk registration plugin (3.0 series) 1.0.8 and earlier, and Delivery slip number mail plugin (3.0 series) 1.0.8 and earlier) allows remote attackers to ...
PUBLISHED: 2021-06-22
NoSQL injection vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to obtain and/or alter the information stored in the database via unspecified vectors.
PUBLISHED: 2021-06-22
Improper authentication vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to view the unauthorized pages without access privileges via unspecified vectors.