Thursday, October 21, 2021

Microsoft Researchers Reveal 3 New Malware Strains Used by SolarWinds Hackers

Microsoft has revealed information on newly found malware the SolarWinds hackers deployed on victims’ networks as second-stage payloads.

FireEye and Microsoft on Thursday said they discovered three more malware strains in connection with the SolarWinds supply-chain attack, including a “sophisticated second-stage backdoor,” as the investigation into the sprawling espionage campaign continues to yield fresh clues about the threat actor’s tactics and techniques.

Dubbed GoldMax (aka SUNSHUTTLE), GoldFinder, and Sibot, the new set of malware adds to a growing list of malicious tools such as Sunspot, Sunburst (or Solorigate), Teardrop, and Raindrop that were stealthily delivered to enterprise networks by alleged Russian operatives.

Microsoft has named the threat actors Nobelium, continuing its tradition of naming notable nation-state hacking groups after chemical elements, such as Russia’s Strontium, China’s Barium, Iran’s Phosphorus, and North Korea’s Thallium. 

“These tools are new pieces of malware that are unique to this actor,” Microsoft said. “They are tailor-made for specific networks and are assessed to be introduced after the actor has gained access through compromised credentials or the SolarWinds binary and after moving laterally with Teardrop and other hands-on-keyboard actions.”

According to Microsoft, these malware strains come with the following capabilities:

  • GoldMax: Go-based malware used as a command-and-control backdoor for hiding malicious activity and evading detection. It also has a decoy network traffic generator that conceals malicious network traffic among seemingly benign traffic.
  • Sibot: VBScript-based malware used for maintaining persistence and downloading additional malware payloads using a second-stage script.
  • GoldFinder: Go-based malware “most likely” used as a custom HTTP tracer tool for detecting servers and redirectors, such as network security devices, that sit between the infected device and the C2 server.
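
Because Sibot is described above only as a VBScript-based persistence and downloader component, a defender's first question is where such a script is being launched from. The following PowerShell hunting helper is an added example written for this page, not code from Microsoft or from the malware report; it assumes the two most common Windows persistence locations (scheduled tasks and Run/RunOnce registry keys), which the article itself does not specify, and lists every entry whose command invokes a Windows script host so an analyst can review it.

```powershell
# Added hunting example (not from the original article). Lists persistence
# entries whose command line invokes a script host. The persistence locations
# checked here are an assumption; the article does not state which one Sibot uses.
$scriptHosts = 'wscript\.exe|cscript\.exe|mshta\.exe|powershell\.exe'

function Get-ScriptHostPersistence {
    $findings = @()

    # Scheduled tasks: inspect the executable and arguments of every action
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match $scriptHosts) {
                $findings += [pscustomobject]@{
                    Source  = 'ScheduledTask'
                    Name    = "$($task.TaskPath)$($task.TaskName)"
                    Command = $cmd.Trim()
                }
            }
        }
    }

    # Run / RunOnce keys for the machine and for the current user
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata that Get-ItemProperty adds
            if ($p.Name -like 'PS*') { continue }
            if ("$($p.Value)" -match $scriptHosts) {
                $findings += [pscustomobject]@{
                    Source  = 'RunKey'
                    Name    = "$key\$($p.Name)"
                    Command = "$($p.Value)"
                }
            }
        }
    }
    return $findings
}

# Usage: run from an elevated prompt so HKLM tasks and keys are readable
Get-ScriptHostPersistence | Format-Table -AutoSize -Wrap
```

Every hit is a candidate for review rather than a verdict: legitimate administrative scripts also run through wscript and cscript, so compare each command against a known-good baseline for the host and follow up on anything that pulls its script body from the registry or from a remote URL.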

As part of the broader Russia-backed hacking campaign, some cybersecurity companies, Microsoft among them, were compromised via SolarWinds’ tainted Orion update, but this wasn’t the only way the hackers infiltrated systems: as many as 30% of the organizations breached had no direct link to SolarWinds and were attacked by other means.

Priyanshu Vijayvargiya
Founder and Editor-in-Chief of 'Virtualattacks Inc', Priyanshu Vijayvargiya is a cybersecurity analyst, information security professional, developer, and white hat hacker.
