Microsoft discovered 3 more traces of malware used by Solar Winds Attackers

microsoft-discovered-3-pieces-of-solarwinds-malware

Microsoft has recently uncovered more details on recently found pieces of malware traces that was used by suspected Solar Winds attackers, that affected thousands of organization back in 2020 which were using Solar Wind’s Orion Platform for network monitoring.

After the SunBurst(The Solar Winds attack) 4th strain of malware that was used in the breach, called Teardrop was the recent identification by Microsoft and the cyber security vendor, FireEye.

The 2020 Solar Winds Attack

The Solar Winds attack targeted Orion, which is a network monitoring software offered by Solar Winds. In this attack the attacker group, mainly classified as Nobelium, exploit FireEye and steal the red team simulation and somehow patch a backdoor through a malicious DLL File in the Orion software update delivery, creating sunburst backdoor to compromise nearly 18,000 organization which were using the Orion tool.

Microsoft detects 3 pieces of malware

Investigating the same, Microsoft’s Threat Intelligence Center has disclosed 3 more components of malware which was used by the Nobelium Attackers, which are: GoldFinder, GoldMax and Sibot.

GoldMax

Through Microsoft’s consideration, GoldMax is an implantation program that serves as c2(command-and-control) backdoor which was written in ‘Go’ programming language.

There is no confirmation from FireEye that how it got installed but they suspect it’s probably a stage-2 backdoor which was installed after the first compromise. This backdoor is called Sunshuttle.

It’s a sophisticated stage-2 backdoor exploit. The malware writes an encrypted config file on to the disk with AES-256 unique cypher keys which are different per implant and it is based on the information about the network and environmental variables.

This sophisticated piece of malware mainly relied on resold domains and it communicated with attacker’s c2. GoldMax establish secure session with it’s c2 and communicates with the c2 which prevents non-GoldMax-initiated connections from identifying the malicious behavior.

GoldFinder

The second malware piece discovered is the GoldFinder. GoldFinder is also written in Go Programming language. It is guessed to be a HTTP tracer that traces and logs the network route that a packet goes through to reach the c2 server.

Sibot

Coming to the last malware piece, Sibot is written using Microsoft’s Visual Basic Scripting which acted as a dual purpose malware, as said by Microsoft.

The file name given to the scripted Sibot malware truly impersonates Windows task and is stored in the registry of the compromised system or on the disk in an unclear format. It is run through a already scheduled task.

How did Solar Winds Attack Happen

Through this 2020’s Solar Winds attack nearly 18,000 businesses and organization fell victim to the Solar Wind compromised Orion update where a DLL backdoor was patched with the Orion update, which was pushed in March 2020 and it went undetected for about 6-7 months where as of end of 2020, most of the them did the update and the systems got infected.

But this isn’t the whole story even many of the organization which could be making up to 30% were attacked that had no direct link with Solar Winds. It was the attack which compromised most of the fortune 500 companies.

Here is a detailed video that explains the whole story behind the Solar Burst Attack and how it was carried out with the consequences it left behind.

Via: ZDNet

Recent in Gaming:

Default image
Vivek
Founder of Geeky Gene who loves to share articles related to the IT and cybersecurity industry and remain up to date with his knowledge.

Leave a Reply