Microsoft has disclosed more malware that was used by the suspected Russian-government-backed hackers who planted malware in software from US software vendor SolarWinds.
Microsoft has named the threat actors as Nobelium, continuing its tradition of naming notable nation-state hacking groups after chemical elements, such as Russia’s Strontium, China’s Barium, Iran’s Phosphorus, and North Korea’s Thallium.
Until now, Microsoft and security vendor FireEye had identified Sunburst (which Microsoft called Solorigate) and Teardrop malware. In January, security firm CrowdStrike found Sunspot, a piece of software dedicated to monitoring the build server for build commands that assembled Orion.
Orion is the SolarWinds network monitoring software that Nobelium attackers used to broadly distribute the Sunburst backdoor to 18,000 organizations throughout 2020, prior to cherrypicking nine US federal agencies and about 100 US companies to actually compromise and steal information from, according to the White House‘s investigation.
Microsoft has now disclosed three new malware components used by the Nobelium hackers: GoldMax, GoldFinder, and Sibot. FireEye calls the group UNC2452 has called the newly discovered malware Sunshuttle.
GoldMax is considered by Microsoft as an implant that serves as a command-and-control (C2) backdoor. The backdoor was written in Google’s popular system programming language, Go.
FireEye said it does not know how this malware is installed but guesses it is a second-stage backdoor that’s dropped after an initial compromise. The company described the design of Sunshuttle as “sophisticated” and “elegant”.
“The new SUNSHUTTLE backdoor is a sophisticated second-stage backdoor that demonstrates straightforward but elegant detection evasion techniques via its “blend-in” traffic capabilities for C2 communications,” FireEye notes in its analysis.
GoldMax is used to exclusively communicate with the attacker’s C2 and relied on resold domains with high reputations that were built over time. This choice of domains helped GoldMax avoid setting off alarms in most security products that looked at reputation scores in this way, according to Microsoft.
“The malware writes an encrypted configuration file to disk, where the file name and AES-256 cipher keys are unique per implant and based on environmental variables and information about the network where it is running,” explains Microsoft.
“GoldMax establishes a secure session key with its C2 and uses that key to securely communicate with the C2, preventing non-GoldMax-initiated connections from receiving and identifying malicious traffic.”
Sibot, built with Microsoft’s Visual Basic Scripting (VBScript), is a dual-purpose malware, according to Microsoft.
“The VBScript file is given a name that impersonates legitimate Windows tasks and is either stored in the registry of the compromised system or in an obfuscated format on disk. The VBScript is then run via a scheduled task,” Microsoft notes.
Its main goal was persistence on an infected machine so that it could download and execute a payload from a remote C2 server. Microsoft has identified three variants of Sibot that all download a malicious payload.
GoldFinder, which is also written in Go, is thought to be a custom HTTP trace tool that logs the route or hops that a packet takes to reach a hardcoded C2 server.
As part of the broader Russia-backed hacking campaign, some of the cyber security companies were compromised via SolarWinds’ tainted Orion update, such as Microsoft, but this wasn’t the only way the hackers infiltrated systems; as many as 30% of the organisations breached had no direct link to Solar Winds and were attacked by other means.