Researchers with Microsoft and FireEye found three new malware families, which they said are used by the threat group behind the SolarWinds attack.
Researchers have uncovered more custom malware that is being used by the threat group behind the SolarWinds attack.
Researchers with Microsoft and FireEye identified three new pieces of malware that the companies said are being used in late-stage activity by the threat actor (previously called Solarigate by Microsoft and now renamed Nobelium; and called UNC2542 by FireEye).
The malware families include a backdoor called GoldMax by Microsoft and Sunshuttle by FireEye; a dual-purpose malware called Sibot, discovered by Microsoft; and a malware called GoldFinder, also found by Microsoft.
Adversaries were able to use SolarWinds’ Orion network management platform to infect targets by pushing out a custom backdoor called Sunburst via trojanized product updates. Sunburst was delivered to almost 18,000 organizations around the globe, starting last March. With Sunburst embedded, the attackers were then able to pick and choose which organizations to further penetrate, in a sprawling cyberespionage campaign that has hit the U.S. government, tech companies and others hard.
Microsoft said that it discovered these latest custom attacker tools lurking in the networks of some customers compromised by the SolarWinds attackers. It observed them in use from August to September; however, researchers said further analysis revealed they may have been on compromised systems as early as last June.
“These tools are new pieces of malware that are unique to this actor,” said Ramin Nafisi and Andrea Lelli with Microsoft, in a posting on Thursday. “They are tailor-made for specific networks and are assessed to be introduced after the actor has gained access through compromised credentials or the SolarWinds binary, and after moving laterally with Teardrop and other hands-on-keyboard actions.”
Researchers with both FireEye and Microsoft ran across the malware called GoldMax/Sunshuttle, and published analyses about it in joint releases. FireEye researchers said the malware’s infection vector is unknown and that it is likely a second-stage backdoor dropped after an initial compromise on the system. The backdoor was uploaded by a U.S.-based entity to a public malware repository in August.
Most notable about GoldMax/Sunshuttle is the fact that it can select referrers from a list of popular website URLs (including Bing.com, Yahoo.com, Facebook.com and Google.com) to help its network traffic “blend in” with legitimate traffic — providing a stealthy way to bypass detection.
“The new Sunshuttle backdoor is a sophisticated second-stage backdoor that demonstrates straightforward but elegant detection-evasion techniques via its ‘blend-in’ traffic capabilities for command-and-control (C2) communications,” said researchers with FireEye, in a release on Thursday. “Sunshuttle would function as second-stage backdoor in such a compromise for conducting network reconnaissance alongside other Sunburst-related tools.”
Upon execution, the backdoor, written in the Go programming language, first enumerates the victim’s MAC address and compares it to a hardcoded MAC address value, which researchers say is likely a default MAC address for the Windows sandbox network adaptor. If a match is found, the backdoor exits. If not, it determines the configuration settings for the system and then requests and retrieves a “session key” for the C2 server.
“Analysis is ongoing on how the decrypted session key is used, but it is likely a session key used to encrypt content once Sunshuttle transitions to its command-and-control routines,” said researchers.
Once a session key is retrieved from the C2, the malware issues a beacon that retrieves commands, and then parses the response content to determine which command should be run. The commands from the C2 include remotely updating its configuration, uploading and downloading files, and arbitrary command execution.
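A defender-side heuristic for the referrer blending described above, as an added example that is not code from either vendor's report: it flags a client/destination pair whose repeated requests cite rotating Referer values from popular sites the client never actually visited. The proxy log lines, client addresses and the `.invalid` destination are constructed, and collapsing hostnames to their last two labels is a simplification.

```python
"""Flag GoldMax/Sunshuttle-style 'blend-in' referrers in proxy logs.

Added example, not code from the Microsoft or FireEye reports: a real browsing session
reaches one destination from one referrer, whereas a beacon that rotates through a list
of popular sites cites several of them for the same destination without ever visiting them.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Popular sites the article names as the backdoor's referrer pool.
POPULAR_REFERRERS = {"bing.com", "yahoo.com", "facebook.com", "google.com"}

# Constructed sample proxy log, one request per line: client method url referer
SAMPLE_LOG = """\
10.0.0.5 GET https://www.google.com/search?q=weather -
10.0.0.5 GET https://weather.example.net/today https://www.google.com/
10.0.0.9 GET https://cdn.example-c2.invalid/upd https://www.bing.com/
10.0.0.9 GET https://cdn.example-c2.invalid/upd https://www.yahoo.com/
10.0.0.9 GET https://cdn.example-c2.invalid/upd https://www.facebook.com/
10.0.0.9 GET https://cdn.example-c2.invalid/upd https://www.google.com/
"""

def registered_domain(host):
    """Collapse 'www.google.com' to 'google.com' (last two labels; a simplification)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])

def find_rotating_referrers(log_text, min_distinct=3):
    """Return {(client, dest_host): [referer domains]} for pairs whose requests cite
    at least min_distinct popular referrer domains the client never requested itself."""
    visited = defaultdict(set)    # client -> registered domains it really requested
    cited = defaultdict(set)      # (client, dest) -> popular referer domains claimed
    for line in log_text.splitlines():
        client, _method, url, referer = line.split()
        dest = urlparse(url).hostname
        visited[client].add(registered_domain(dest))
        if referer != "-":
            ref_dom = registered_domain(urlparse(referer).hostname)
            if ref_dom in POPULAR_REFERRERS:
                cited[(client, dest)].add(ref_dom)
    findings = {}
    for (client, dest), domains in cited.items():
        never_visited = domains - visited[client]
        if len(never_visited) >= min_distinct:
            findings[(client, dest)] = sorted(never_visited)
    return findings

if __name__ == "__main__":
    for (client, dest), domains in find_rotating_referrers(SAMPLE_LOG).items():
        print(f"{client} -> {dest}: rotating fake referrers {domains}")
```

A single popular referrer to an unrelated site is normal (search-engine click-throughs), which is why the threshold counts distinct unvisited referrers per destination rather than any one mismatch.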
Microsoft researchers also found another malware family called Sibot, designed to achieve persistence on infected machines before downloading and executing a payload from the C2 server.
Sibot is implemented in VBScript, the Active Scripting language developed by Microsoft that is modeled on Visual Basic. Researchers said that the malware’s VBScript file is given a name mimicking a legitimate Windows task, which is either stored in the registry of the compromised system or in an obfuscated format on disk. It is then run via a scheduled task.
“The scheduled task calls an MSHTA application to run Sibot via the obfuscated script,” said the researchers, who found three variants of the malware. “This simplistic implementation allows for a low footprint for the actor, as they can download and run new code without changes to the compromised endpoint by just updating the hosted DLL.”
A second-stage script is then called to download and run a payload from the remote C2 server.
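One way to audit a host for the scheduled-task-plus-MSHTA pattern described for Sibot, as an added example that is not Microsoft's detection logic: it assumes the CSV shape of `schtasks /query /fo CSV /v`, trimmed to four columns, and every task row, author, registry key and path below is constructed.

```python
"""Audit scheduled tasks for the Sibot execution pattern: a task named like a Windows
built-in whose action launches mshta.exe to run a script held in the registry or on disk.

Added example, not Microsoft's detection logic. It reads the CSV shape emitted by
`schtasks /query /fo CSV /v` (trimmed to four columns; the rows below are constructed).
"""
import csv
import io
import re

SAMPLE_CSV = r'''"TaskName","Status","Author","Task To Run"
"\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$"
"\Microsoft\Windows\WDI\ResolutionHost","Ready","EXAMPLE\user","mshta.exe vbscript:Execute(CreateObject(""WScript.Shell"").RegRead(""HKCU\Software\PLACEHOLDER\Loader""))"
"\Microsoft\Windows\Shell\IndexerAutomaticMaintenance","Ready","EXAMPLE\user","mshta.exe C:\ProgramData\PLACEHOLDER\update.hta"
"\MyBackup","Ready","EXAMPLE\user","C:\Users\user\backup.bat"
'''

SCRIPT_HOSTS = ("mshta.exe", "wscript.exe", "cscript.exe")
INLINE_SCRIPT = re.compile(r"\b(vbscript|javascript):", re.IGNORECASE)
REGISTRY_REF = re.compile(r"\bHK(CU|LM|EY_[A-Z_]+)\\|\bRegRead\b", re.IGNORECASE)
USER_WRITABLE = ("\\programdata\\", "\\users\\", "\\temp\\", "%temp%", "%appdata%")

def audit_tasks(csv_text):
    """Return {task_name: [reasons]} for tasks whose action launches a script host."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        action, name, author = row["Task To Run"], row["TaskName"], row["Author"]
        lowered = action.lower()
        if not any(host in lowered for host in SCRIPT_HOSTS):
            continue                       # only script-host actions are in scope here
        reasons = ["scheduled task launches a script host"]
        if INLINE_SCRIPT.search(action):
            reasons.append("inline script passed on the command line")
        if REGISTRY_REF.search(action):
            reasons.append("script content read from the registry")
        if any(loc in lowered for loc in USER_WRITABLE):
            reasons.append("script file in a user-writable directory")
        # Name under \Microsoft\Windows\ but author not Microsoft: mimics a built-in task.
        # Author is free text and can be forged, so treat it as a weak signal only.
        if name.lower().startswith("\\microsoft\\windows\\") and "microsoft" not in author.lower():
            reasons.append("Windows-looking task name with non-Microsoft author")
        findings[name] = reasons
    return findings

if __name__ == "__main__":
    for task, why in audit_tasks(SAMPLE_CSV).items():
        print(task, "->", "; ".join(why))
```

On a real host, pipe the actual `schtasks` output into `audit_tasks` and compare flagged task names against a known-good baseline, since legitimate tasks occasionally use script hosts too.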
Finally, researchers with Microsoft uncovered a new tool also written in Golang, called GoldFinder. They said that GoldFinder is likely used as a “custom HTTP tracer tool that logs the route or hops that a packet takes to reach a hardcoded C2 server.”
“When launched, GoldFinder can identify all HTTP proxy servers and other redirectors such as network security devices that an HTTP request travels through inside and outside the network to reach the intended C2 server,” said researchers. “When used on a compromised device, GoldFinder can be used to inform the actor of potential points of discovery or logging of their other actions, such as C2 communication with GoldMax.”
Other SolarWinds Malware
The uncovering of these three malware families provides another puzzle piece in better understanding the sprawling SolarWinds espionage attack. The campaign is known to have affected various federal departments, Microsoft, FireEye and dozens of others so far.
Other unique malware has been connected to the SolarWinds attack. In addition to Sunburst, which is the malware used as the tip of the spear in the campaign, researchers in January unmasked additional pieces of malware, dubbed Raindrop and Teardrop, that were used in targeted attacks after the effort’s initial mass Sunburst compromise.