Researchers Identify More Malware Used By SolarWinds Hack Group

Microsoft and security firm FireEye have identified three new pieces of custom-made malware used by the attackers behind last year’s wide-ranging SolarWinds hacking campaign.

Microsoft said the newly identified hacking tools showed the hacking group’s sophistication, to the point that they evaded detection even during the initial phases of the response to the SolarWinds hack.

The attack group, which Microsoft calls Nobellium and FireEye calls UNC2542, is backed by the Russian government, according to US intelligence officials. Russia denies involvement.

The group infiltrated companies and US government departments via code planted inside SolarWinds’ Orion network management platform last year.

Custom-made malware

But Microsoft said in an analysis that Nobellium was also found to have attacked companies through other means, such as the use of stolen credentials.

The three new malware tools were custom-made for particular organisations’ networks, and were meant to be deployed after those organisations had already been successfully infiltrated, Microsoft and FireEye said.

They were used by Nobellium to maintain its persistence on the network and perform actions such as carrying out commands retrieved from a remote command-and-control server.

“In all stages of the attack, the actor demonstrated a deep knowledge of software tools, deployments, security software and systems common in networks, and techniques frequently used by incident response teams,” Microsoft said in its analysis.

Persistence

“This knowledge is reflected in the actor’s operational decisions, from the choice of command-and-control (C2) infrastructure to the naming of scheduled tasks used to maintain persistence.”

Given the group’s use of custom-made tools, Microsoft said it is “likely” that additional components would be discovered as investigation work continues.

Microsoft and FireEye, both of which were compromised by Nobellium via the SolarWinds hack, are working together on the investigation.

The first malware tool, called GoldMax by Microsoft and Sunshuttle by FireEye, appears to be a second-stage backdoor dropped after a successful initial compromise, Microsoft said.

The tool is notable for selecting referrers from website URLs with a high level of perceived trust in order to make its communications with the C2 server appear legitimate.

Concealment

A second tool called Sibot is designed to achieve persistence on a network before downloading and executing a payload from a remote server.

Written in VBScript, the tool is given a name that makes it appear to be a legitimate Windows task, in order to evade detection.

The third tool, called GoldFinder, appears to be a custom HTTP tracer tool that logs communications with the command server in order to help the attackers conceal their presence, Microsoft said.

Microsoft’s analysis of the newly identified malware is available here, and FireEye’s analysis is here.