New reports from FireEye and Microsoft add more depth to the ongoing investigation into the compromise by a threat actor of the SolarWinds Orion security update system and intrusions into Orion customers, as well as breaches of other organizations using different means.
In a report released Thursday, Microsoft said it had identified three new pieces of malware used by this threat actor, which it now calls Nobelium. FireEye calls it UNC2452, Crowdstrike calls the actor StellarParticle, Palo Alto Networks dubs it SolarStorm (Palo Alto Unit 42) Veloxity calls it Dark Halo. Whatever the name, the U.S. government believes this threat actor is likely Russian and presumed to be backed by a nation-state.
Microsoft says these new attacker tools and capabilities were found in its customers’ compromised networks, possibly as early as June 2020. “These tools are new pieces of malware that are unique to this actor,” the report says. “They are tailor-made for specific networks.”
Microsoft adds it was introduced after Nobelium had gained access through compromised credentials or following an Orion installation that compromised systems with a backdoor dubbed Teardrop.
The three new pieces of malware are:
- GoldMax, written in the Go language, a command and control backdoor that functions as a scheduled task manager. It uses several different techniques to obfuscate its actions and evade detection. The malware writes an encrypted configuration file to disk, where the file name and AES-256 cipher keys are unique per implant and based on environmental variables and information about the network where it is running.
- Sibot is a dual-purpose malware implemented in VBScript, designed to achieve persistence on the infected machine then downloads from a legitimate but compromised website a malicious DLL. The compromised website used to host the DLL is different for every compromised network. Some are websites of medical device manufacturers and IT service providers.
- GoldFinder, also written in Go, was most likely used as a custom HTTP tracer tool that logs the route or hops that a packet takes to reach a hardcoded C2 server. When used on a compromised device, GoldFinder informs the threat actor of potential points of discovery or logging of their other actions, such as C2 communication with GoldMax.
These new tools are more examples of the threat actor’s sophistication, says Microsoft. In all stages of the attack, the actor demonstrated a deep knowledge of software tools, deployments, security software and systems common in networks, and techniques frequently used by incident response teams. This knowledge is reflected in the actor’s operational decisions, from the choice of command-and-control (C2) infrastructure to the naming of scheduled tasks used to maintain persistence.
Researchers flag fourth piece of malware in SolarWinds attack
Wait, there’s more!
In its report, FireEye’s Mandian threat intelligence division identified another backdoor created by this threat actor, which it dubs Sunshuttle. It was uploaded to a public malware repository in August 2020. Written in GoLang, it communicates with a hard-coded command and control (C2) server over HTTPS and supports commands including remotely uploading its configuration, file upload and download, and arbitrary command execution.
“Notably, Sunshuttle uses cookie headers to pass values to the C2,” FireEye explained, adding if configured, Sunshuttle can select referrers from a list of popular website URLs to help such network traffic “blend in.”
The new Sunshuttle backdoor “is a sophisticated second-stage backdoor that demonstrates straightforward but elegant detection evasion techniques via its ‘blend-in’ traffic capabilities for C2 communications,” the report concluded. Sunshuttle would function as a second-stage backdoor in such a compromise to conduct network reconnaissance alongside other tools FireEye calls Sunburst.
Mandiant has seen Sunshuttle in an organization’s systems compromised by UNC2452 and have indications that it is linked to UNC2452. However, Mandiant hasn’t fully verified this connection.