Microsoft has revealed information on newly found malware the SolarWinds hackers deployed on victims’ networks as second-stage payloads.
FireEye and Microsoft on Thursday said they discovered three more malware strains in connection with the SolarWinds supply-chain attack, including a “sophisticated second-stage backdoor,” as the investigation into the sprawling espionage campaign continues to yield fresh clues about the threat actor’s tactics and techniques.
Dubbed GoldMax (aka SUNSHUTTLE), GoldFinder, and Sibot, the new set of malware adds to a growing list of malicious tools such as Sunspot, Sunburst (or Solorigate), Teardrop, and Raindrop that were stealthily delivered to enterprise networks by alleged Russian operatives.
Microsoft has named the threat actors Nobelium, continuing its tradition of naming notable nation-state hacking groups after chemical elements, such as Russia’s Strontium, China’s Barium, Iran’s Phosphorus, and North Korea’s Thallium.
“These tools are new pieces of malware that are unique to this actor,” Microsoft said. “They are tailor-made for specific networks and are assessed to be introduced after the actor has gained access through compromised credentials or the SolarWinds binary and after moving laterally with Teardrop and other hands-on-keyboard actions.”
According to Microsoft, these malware strains come with the following capabilities:
- GoldMax: Go-based malware used as a command-and-control backdoor for hiding malicious activity and evading detection. It also has a decoy network traffic generator for concealing malicious network traffic with seemingly benign traffic.
- Sibot: VBScript-based malware used to maintain persistence and to download additional malware payloads via a second-stage script.
- GoldFinder: Go-based malware “most likely” used as a custom HTTP tracer tool for detecting servers and redirectors, such as network security devices, sitting between an infected device and the C2 server.
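The "HTTP tracer" role attributed to GoldFinder is easiest to understand with a concrete illustration. The following is an added example and is not GoldFinder's code or anything taken from Microsoft's or FireEye's analysis: it parses a raw HTTP response and reports the response headers that proxies, load balancers and security appliances typically add or rewrite, which is how a client can infer that something sits between it and the origin server. The header list, the `expected_server` check and the sample responses are assumptions constructed for this example; the page does not say which indicators GoldFinder actually looks at.

```python
"""Illustration of an HTTP tracer that looks for intermediaries.

Added example, not GoldFinder's code. It parses a raw HTTP response
(samples constructed inline) and reports headers that commonly reveal a
proxy, load balancer, or security appliance between client and origin.
The header set below is an assumption of this example.
"""
from typing import Dict, List, Tuple

# Headers that intermediaries commonly add or rewrite (assumed list).
INTERMEDIARY_HEADERS = (
    "via", "x-forwarded-for", "x-forwarded-host", "forwarded",
    "x-cache", "x-served-by", "proxy-connection", "proxy-authenticate",
)


def parse_response(raw: bytes) -> Tuple[int, Dict[str, List[str]]]:
    """Split a raw HTTP/1.x response into (status code, lowercased headers)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP status line: %r" % lines[0])
    status = int(parts[1])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate malformed lines rather than abort the trace
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def trace_intermediaries(raw: bytes, expected_server: str) -> Dict[str, object]:
    """Report evidence of hops between the client and the expected origin.

    expected_server: the Server header value the real origin is known to send
    (an assumption of this example); a different value suggests the reply
    came from something in the path, e.g. a blocking security device.
    """
    status, headers = parse_response(raw)
    hops: List[str] = []
    for via in headers.get("via", []):
        # "Via: 1.1 proxy-a, 1.0 proxy-b" lists one entry per forwarding hop
        hops.extend(h.strip() for h in via.split(",") if h.strip())
    evidence = {h: headers[h] for h in INTERMEDIARY_HEADERS if h in headers}
    server = headers.get("server", [""])[0]
    mismatch = bool(server) and server != expected_server
    return {
        "status": status,
        "via_hops": hops,
        "intermediary_headers": evidence,
        "server_mismatch": mismatch,
        "intermediary_suspected": bool(hops or evidence or mismatch),
    }


# Constructed sample responses (not real captures).
DIRECT = b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: 2\r\n\r\nok"
PROXIED = (b"HTTP/1.1 200 OK\r\nServer: nginx\r\n"
           b"Via: 1.1 edge-proxy.corp.example, 1.1 waf.corp.example\r\n"
           b"X-Cache: MISS\r\nContent-Length: 2\r\n\r\nok")
BLOCKED = b"HTTP/1.1 403 Forbidden\r\nServer: BigIP\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for name, sample in (("direct", DIRECT), ("proxied", PROXIED), ("blocked", BLOCKED)):
        print(name, trace_intermediaries(sample, expected_server="nginx"))
```

Run stand-alone, the script shows that the direct reply yields no evidence, the proxied reply exposes two Via hops plus an X-Cache header, and the 403 with an unexpected Server value is flagged through the server mismatch. A defender can use the same reasoning in reverse: an implant doing this kind of probing produces requests whose only purpose is to elicit headers, which is worth looking for in proxy logs.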
As part of the broader Russia-backed hacking campaign, some cybersecurity companies, Microsoft among them, were compromised via SolarWinds’ tainted Orion update, but that was not the only way the hackers infiltrated systems: as many as 30% of the organizations breached had no direct link to SolarWinds and were attacked by other means.