Researchers Disclose More Malware Used in SolarWinds Attack
Microsoft, FireEye Find Additional Payloads Used During Supply Chain Attack
The newly discovered malware appears to be second-stage payloads deployed by the hacking group after victimized organizations downloaded a Trojanized software update to SolarWinds' Orion network monitoring platform, which contained a backdoor dubbed "Sunburst," the reports note. While about 18,000 of the company's customers downloaded the compromised software update, the attackers deployed additional malware only against certain organizations.
Both Microsoft and FireEye found these newly discovered second-stage malware variants were likely deployed in the later stages of the supply chain attack, most likely around August or September 2020. The attackers appear to have first compromised the SolarWinds network in September 2019 and then inserted the Sunburst backdoor in the software update between March and June 2020, according to earlier reports analyzing the attack (see: House SolarWinds Hearing Focuses on Updating Cyber Laws).
In the reports released Thursday, both Microsoft and FireEye note that these newly uncovered malware variants likely served as malicious payloads to connect and communicate with command-and-control servers and helped the attackers maintain persistence within the compromised networks and devices.
"Microsoft assesses that the newly surfaced pieces of malware were used by the actor to maintain persistence and perform actions on very specific and targeted networks post-compromise, even evading initial detection during incident response," according to the analysis published by researchers Ramin Nafisi and Andrea Lelli.
In their report, FireEye researchers Lindsay Smith, Jonathan Leathery and Ben Read note that the second-stage malware that their team discovered, which they call "Sunshuttle," appears connected to the hacking group that targeted SolarWinds, but the analysts have not fully verified this connection as of now.
FireEye first disclosed in December 2020 the attack that targeted SolarWinds and its Orion products after the security firm was targeted by the same hacking group. The hackers appear to have targeted nine U.S. government agencies and about 100 private sector firms for follow-on attacks (see: White House Preparing 'Executive Action' After SolarWinds Attack).
The attacks have so far led to two public congressional hearings on the incident, and additional hearings are expected (see: Senate SolarWinds Hearing: 4 Key Issues Raised).
In addition to disclosing the second-stage malware used in the attack, Microsoft says it will now track the hacking group responsible for the attack as "Nobelium." Other security firms have their own names for the hackers. For example, FireEye calls the threat group UNC2542, and CrowdStrike tracks the hackers under the name "StellarParticle."
An initial analysis by the U.S. government agencies investigating the SolarWinds attack found that the hacking group is likely connected to Russia and appears intent on cyberespionage. At the two congressional hearings that took place last month, Microsoft President Brad Smith and other executives testified that the hackers were likely Russian, although no one would firmly attribute the attack to that country's government (see: Senators Grill Cybersecurity Execs on SolarWinds Attack).
In its report from Thursday, Microsoft noted that while the newly disclosed malware differs from the other tools and techniques Nobelium used, the malicious code continues to highlight the hackers' level of sophistication.
"In all stages of the attack, the actor demonstrated a deep knowledge of software tools, deployments, security software and systems common in networks, and techniques frequently used by incident response teams," the Microsoft report notes. "This knowledge is reflected in the actor's operational decisions, from the choice of command-and-control (C2) infrastructure to the naming of scheduled tasks used to maintain persistence."
In their analysis, the Microsoft researchers describe three additional secondary payloads deployed by the SolarWinds hackers. These include:
- GoldMax: This malware acts as a command-and-control backdoor for the attackers and is written in the Go programming language. The Microsoft researchers found this malware variant persisting on networks as a scheduled task impersonating systems management software. Once deployed, GoldMax established a secure session key with a command-and-control server and used that session key to communicate with the attackers, which prevented connections not initiated by GoldMax from receiving and identifying malicious traffic. This malware can also generate decoy network traffic so that the malicious code and its communications blend into normal network traffic.
- Sibot: The Microsoft researchers describe this payload as dual-purpose malware implemented in VBScript. It is designed to create persistence on an infected device and then download and execute additional payloads from a command-and-control server. The VBScript file is given a name that impersonates legitimate Windows tasks and is either stored in the compromised system's registry or in an obfuscated format on disk. The researchers found at least three specific variants of Sibot.
- GoldFinder: Like GoldMax, GoldFinder is written in Go. It was likely deployed by the hackers as a custom HTTP tracer tool to locate security tools within a targeted network, such as proxy servers and other redirectors, that might have observed messages being sent to the command-and-control servers.
Besides the malware uncovered by Microsoft, FireEye released details about secondary malware that it calls Sunshuttle.
Like GoldMax and GoldFinder, Sunshuttle is written in Go, and this second-stage backdoor is equipped with some detection evasion capabilities, according to the report. The malicious code appears to have been uploaded to a malware repository by a U.S.-based entity in August 2020.
The FireEye analysts note that Sunshuttle reads an embedded or local configuration file, communicates with a hard-coded command-and-control server over HTTPS and supports commands including the remote uploading of its configuration, file uploads and downloads, and arbitrary command execution.
"The new Sunshuttle backdoor is a sophisticated second-stage backdoor that demonstrates straightforward but elegant detection evasion techniques via its 'blend-in' traffic capabilities for C2 communications," according to FireEye. "Sunshuttle would function as a second-stage backdoor in such a compromise for conducting network reconnaissance alongside other Sunburst-related tools."
Neither Microsoft nor FireEye has drawn a specific, direct connection between the malware variants disclosed Thursday, although GoldMax and Sunshuttle appear to share similar characteristics and are both written in Go.