Friday, July 23, 2021

Microsoft Researchers Reveal 3 New Malware Strains Used by SolarWinds Hackers


Microsoft has revealed information on newly found malware the SolarWinds hackers deployed on victims’ networks as second-stage payloads.

FireEye and Microsoft on Thursday said they discovered three more malware strains in connection with the SolarWinds supply-chain attack, including a “sophisticated second-stage backdoor,” as the investigation into the sprawling espionage campaign continues to yield fresh clues about the threat actor’s tactics and techniques.

Dubbed GoldMax (aka SUNSHUTTLE), GoldFinder, and Sibot, the new set of malware adds to a growing list of malicious tools such as Sunspot, Sunburst (or Solorigate), Teardrop, and Raindrop that were stealthily delivered to enterprise networks by alleged Russian operatives.

Microsoft has named the threat actors Nobelium, continuing its tradition of naming notable nation-state hacking groups after chemical elements, such as Russia’s Strontium, China’s Barium, Iran’s Phosphorus, and North Korea’s Thallium. 

“These tools are new pieces of malware that are unique to this actor,” Microsoft said. “They are tailor-made for specific networks and are assessed to be introduced after the actor has gained access through compromised credentials or the SolarWinds binary and after moving laterally with Teardrop and other hands-on-keyboard actions.”

According to Microsoft, these malware strains come with the following capabilities:

  • GoldMax: Go-based malware used as a command-and-control backdoor for hiding malicious activity and evading detection. It also includes a decoy network traffic generator that blends its malicious traffic with seemingly benign requests.
  • Sibot: VBScript-based malware used to maintain persistence and to download additional malware payloads by way of a second-stage script.
  • GoldFinder: Go-based malware "most likely" used as a custom HTTP tracer tool for detecting servers and redirectors, such as network security devices, that sit between the infected devices and the C2 server.

As part of the broader Russia-backed hacking campaign, some cybersecurity companies, including Microsoft, were compromised via SolarWinds' tainted Orion update, but this was not the only way the hackers infiltrated systems: as many as 30% of the organizations breached had no direct link to SolarWinds and were attacked by other means.

Priyanshu Vijayvargiya
Founder and Editor-in-Chief of 'Virtualattacks Inc', Priyanshu Vijayvargiya is a cybersecurity analyst, information security professional, developer, and white hat hacker.
