Like the proverbial layers of an onion, researchers investigating the breach at SolarWinds and the numerous related network intrusions that resulted from it have kept discovering new facets to the attack the more they've peeled away at it.
The latest is Microsoft, which Thursday disclosed that it has uncovered three more malware tools that the attackers used in their campaign to spy on and steal data from government agencies and some of the largest companies in the world.
In a new report, Microsoft describes the three new tools as late-stage malware that the attackers appear to have used once they had already established a relatively firm foothold on victim networks. The company identifies the tools as GoldMax, a command-and-control (C2) backdoor for the attackers; Sibot, a tool for maintaining persistence on a breached network; and GoldFinder, an HTTP tracer tool for logging the route a packet takes to reach a C2 server. Each of the tools was tailor-made for use on specific networks, which is in keeping with the attacker's practice of using unique malware and infrastructure for each victim, Microsoft says.
In a simultaneous report, FireEye says it, too, has discovered the second-stage GoldMax backdoor targeting a US-based entity. The security vendor, however, is calling the backdoor SUNSHUTTLE.
Microsoft researchers discovered the new tools on customer networks that had been compromised via SolarWinds or through other means. According to the company, its analysis showed the tools had been present on some networks as early as June 2020. The SolarWinds breach itself — and the broader campaign that it was part of — was not discovered until months later, in December 2020.
"These tools are new pieces of malware that are unique to this actor," members of Microsoft's threat intelligence and security teams say in the report. "They are tailor-made for specific networks and are assessed to be introduced after the actor has gained access through compromised credentials or the SolarWinds binary." The tools appear to be designed for use after the attackers had already moved laterally on a compromised network and after they had carried out what is known as hands-on-keyboard activity on it, Microsoft says.
The company has formally named the group it believes is behind the whole campaign NOBELIUM. Most other organizations following the threat, such as FireEye, still treat the group as an unattributed entity; FireEye has so far been tracking the activity as UNC2542.
FireEye says its Mandiant threat intelligence group had discovered SUNSHUTTLE (aka GoldMax) when a US-based entity uploaded it to a public malware repository. "Someone uploaded a file to a malware repository and the metadata on the upload suggests it was from the US," says Ben Read, senior manager of analysis at Mandiant Threat Intelligence. "We don't have anything else to share on the uploader."
The attack on SolarWinds — believed to have been initiated sometime in late 2019 — is widely regarded as one of the most significant cyber breaches in recent memory, both for its sophistication and for its targeting. Many, including the US government, have said the attack was the work of a highly skilled, well-resourced state-backed group operating out of Russia. But vendors investigating the breach have so far said they have not been able to attribute the attacks with certainty to any country.
The attack involved the threat actors gaining access to SolarWinds' software development process and injecting a poisoned binary — called SUNBURST — into legitimate signed updates of the company's Orion network management software. The poisoned updates were distributed undetected to thousands of SolarWinds customers over a period of several months before the attackers themselves quietly removed the malware from the SolarWinds updates. Some 18,000 customers received the poisoned updates, but only a small handful of them appear to have been of interest to the attacker. On those networks, the attacker used the SUNBURST backdoor to deploy a second-stage memory-only malware tool called Teardrop, which in turn was used to deploy the Cobalt Strike attack kit. The attackers used those tools and other mechanisms to move laterally on breached networks and maintain persistence.
Researchers later discovered that the same attackers had used means other than the SolarWinds software updates to access networks. Some of these methods included credential theft and password-guessing and password-spraying attacks. On networks breached this way, the attackers installed a different second-stage payload called Raindrop — which, like Teardrop, was used to download additional malware tools.
Growing List of Malware Tools
This week's disclosures from Microsoft and FireEye add to the growing list of tools that researchers are discovering were used in the campaign.
Microsoft describes GoldMax as being written in the Go programming language and used for encrypted C2 communications. Like the other malware tools used in the SolarWinds campaign, GoldMax uses several different techniques to hide itself on networks and avoid detection. One of them is a mechanism for generating decoy network traffic, so that the malicious C2 traffic is surrounded by seemingly benign requests. The C2 domains themselves were high-reputation domains of the sort unlikely to be flagged by security products for being newly registered.
In its report, FireEye describes GoldMax/SUNSHUTTLE as a sophisticated backdoor with "straightforward but elegant" detection-evasion techniques. "It's a separate tool that would be used in different circumstances," says Brandan Schondorfer, principal consultant at Mandiant Threat Intelligence. "SUNSHUTTLE and further activity extend our understanding of the breadth of [the threat actor's] capabilities and access to extensive tooling," he says.
Sibot, meanwhile, is a dual-purpose tool implemented in VBScript for maintaining persistence and for downloading and executing malicious payloads from the C2 server. Microsoft says its analysis uncovered three versions of the malware, each with slightly different functionality.
GoldFinder, the third new tool that Microsoft uncovered, is also written in the Go language, like GoldMax. Its HTTP tracing function appears to have been designed to inform the threat actors of any points of discovery or points of logging of their malicious activities on a compromised network, Microsoft says.