Many organizations are still trying to put together all of the puzzle pieces related to the SolarWinds supply chain cyberattack.
The threat actors behind the nation-state cyberattack aimed to compromise both government and private sector organizations.
Microsoft has said it observed the threat actor using backdoors and other malware implants to establish sustained access to affected networks.
The Microsoft Threat Intelligence Center (MSTIC) has now come up with a name for the threat actor behind the SolarWinds attacks: Nobelium. And it revealed new information.
What is Nobelium?
Researchers attributed the Sunburst backdoor, Teardrop malware, and any related components of the SolarWinds attacks to Nobelium.
And through in-depth investigations, Microsoft was able to identify three new pieces of malware being used in late-stage activity by Nobelium: GoldMax, GoldFinder, and Sibot.
Here is what Microsoft said about its findings:
"Microsoft discovered these new attacker tools and capabilities in some compromised customer networks and observed them to be in use from August to September 2020. Further analysis has revealed these may have been on compromised systems as early as June 2020. These tools are new pieces of malware that are unique to this actor. They are tailor-made for specific networks and are assessed to be introduced after the actor has gained access through compromised credentials or the SolarWinds binary and after moving laterally with TEARDROP and other hands-on-keyboard actions.
These capabilities differ from previously known NOBELIUM tools and attack patterns, and reiterate the actor’s sophistication. In all stages of the attack, the actor demonstrated a deep knowledge of software tools, deployments, security software and systems common in networks, and techniques frequently used by incident response teams. This knowledge is reflected in the actor’s operational decisions, from the choice of command-and-control (C2) infrastructure to the naming of scheduled tasks used to maintain persistence."
Having established the threat actor's pattern of unique infrastructure and tooling for each target, and the operational value it places on maintaining persistence on compromised networks, Microsoft believes there is more to learn and discover about the threat actor and its actions.
The new Nobelium malware
Maintaining persistence, that is, a reliable way back into a network, is critical for any threat actor after gaining illegal access to it.
Nobelium accomplished this using stolen credentials to access cloud services like email and storage. It was also able to compromise identities and gain access to networks through VPNs and remote access tools.
The threat actor's malware variants then maintained persistence and performed actions on very specific, targeted networks, and they also evaded initial detection during incident response.
Microsoft says it discovered GoldMax persisting on networks as a scheduled task impersonating systems management software.
Here is what the company had to say about how GoldMax operates:
"Written in Go, GoldMax acts as a command-and-control backdoor for the actor. It uses several different techniques to obfuscate its actions and evade detection. The malware writes an encrypted configuration file to disk, where the file name and AES-256 cipher keys are unique per implant and based on environmental variables and information about the network where it is running.
GoldMax establishes a secure session key with its C2 and uses that key to securely communicate with the C2, preventing non-GoldMax-initiated connections from receiving and identifying malicious traffic. The C2 can send commands to be launched for various operations, including native OS commands, via pseudo-randomly generated cookies. The hardcoded cookies are unique to each implant, appearing to be random strings but mapping to victims and operations on the actor side."
Microsoft has discovered Sibot to be a dual-purpose malware designed to achieve persistence on the compromised machine and then download and execute a payload from a remote C2 server.
"Sibot reaches out to a legitimate but compromised website to download a DLL to a folder under System32. In observed instances the DLL is downloaded to C:\windows\system32\drivers\, renamed with a .sys extension, and then executed by rundll32. The scheduled task calls an MSHTA application to run Sibot via the obfuscated script.
This simplistic implementation allows for a low footprint for the actor, as they can download and run new code without changes to the compromised endpoint by just updating the hosted DLL. The compromised website used to host the DLL is different for every compromised network and includes websites of medical device manufacturers and IT service providers."
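The Sibot execution chain described above (a scheduled task launching MSHTA, and a downloaded DLL renamed to .sys under the drivers folder and run by rundll32) leaves process-creation artifacts a defender can hunt for. The following is an added detection example, not code from Microsoft's report or from the malware: it runs two rules over constructed, Sysmon-style process-creation records. The field names, the assumption that scheduled tasks surface with svchost.exe or taskeng.exe as the parent image, and the file names in the sample events are all assumptions for the example.

```python
"""Flag process-creation events matching the Sibot-style execution pattern.

Added example: sample events are CONSTRUCTED and the field layout only
mimics a Sysmon process-creation record; nothing here is taken from the
Microsoft report beyond the behaviour it describes (rundll32 running a
.sys file from the drivers folder, and a scheduled task launching MSHTA).
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the newly created process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process


# rundll32 normally loads .dll files; a .sys path under the drivers folder
# on its command line is the renamed-DLL pattern described in the report.
SYS_UNDER_DRIVERS = re.compile(
    r'c:\\windows\\system32\\drivers\\[^\s"]+\.sys\b', re.IGNORECASE)

# Assumption: on common Windows builds the Task Scheduler launches task
# actions from svchost.exe (Windows 10) or taskeng.exe (older releases).
SCHEDULER_HOSTS = {"svchost.exe", "taskeng.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (paths are case-insensitive)."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the list of rule names the event triggers (empty if benign)."""
    findings = []
    if basename(ev.image) == "rundll32.exe" and SYS_UNDER_DRIVERS.search(ev.command_line):
        findings.append("rundll32 loading .sys from drivers folder")
    if basename(ev.image) == "mshta.exe" and basename(ev.parent_image) in SCHEDULER_HOSTS:
        findings.append("mshta launched from a scheduled task host")
    return findings


def scan(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Run classify() over a batch and return (event index, rule) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]


# Constructed sample events (file names are placeholders, not real IoCs).
SAMPLE_EVENTS = [
    # Sibot-style: rundll32 executing a renamed DLL from the drivers folder
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe "C:\Windows\System32\drivers\placeholder.sys",Entry',
              r"C:\Windows\System32\svchost.exe"),
    # Benign: rundll32 loading a normal system DLL
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe shell32.dll,Control_RunDLL",
              r"C:\Windows\explorer.exe"),
    # Sibot-style: MSHTA started by the Task Scheduler host
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\ProgramData\placeholder.hta"',
              r"C:\Windows\System32\svchost.exe"),
    # Benign: MSHTA started interactively by the user
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Users\user\Desktop\help.hta"',
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Both rules deliberately key on the behaviour the report describes rather than on specific file names, since the report notes that the hosted DLL and the compromised website differ for every victim network; in production you would feed real process-creation telemetry into scan() and tune the scheduler-host assumption to the Windows builds in your estate.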
GoldFinder is another tool written in Go. Microsoft thinks that it was most likely used as a custom HTTP tracer tool that logs the route, or hops, that a packet takes to reach a hardcoded C2 server.
Here is a brief description of how Microsoft says the malware works:
"When launched, GoldFinder can identify all HTTP proxy servers and other redirectors such as network security devices that an HTTP request travels through inside and outside the network to reach the intended C2 server. When used on a compromised device, GoldFinder can be used to inform the actor of potential points of discovery or logging of their other actions, such as C2 communication with GoldMax."
For more information on Nobelium and these new malware variants, you can read Microsoft's blog, GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM's layered persistence.