Microsoft identified three new strains of malware — GoldMax, GoldFinger and Sibot — which were used during targeted, late-stage attacks from the SolarWinds threat actor during August and September 2020. The malicious actors used the strains against a select number of compromised customer networks, the company said.
FireEye, which is working with Microsoft to investigate the malware strains, has identified a second-stage backdoor called Sunshuttle, which a FireEye spokesperson said is the same as the GoldMax strain. The new malware has been seen in less than five organizations, according to the spokesperson.
The Microsoft Threat Intelligence Center named Nobelium as the actor behind the SolarWinds attacks, a move that Microsoft says is designed to switch the focus from the victim of the attacks to the threat actor.
The newly discovered malware shines a light on the patience and sophistication displayed by the SolarWinds threat actor, according to researchers. It highlights the need for further intelligence sharing and transparency that industry executives and legislators have called for.
"Sunshuttle was observed alongside other advanced actor techniques and unique malware," Brandan Schondorfer, principal consultant at Mandiant, said via email. "The current findings suggest the usage of this malware and related activity are targeted in nature."
Microsoft said the capabilities found in this new malware differ from previously known tools and attack patterns. The threat actor has a deep understanding of how incident response teams work and the tools, deployments and security software used to defend organizations against attack, the company said.
The tools are new pieces of malware that are unique to this actor, Microsoft said through a spokesperson.
"They are tailor-made for specific networks and are assessed to be introduced after the actor has gained access through compromised credentials or the SolarWinds binary and after moving laterally with Teardrop and other hands-on keyboard actions," Microsoft said through the spokesperson. "The newly surfaced pieces of malware were used by the actor to maintain persistence and perform actions on very specific and targeted networks post-compromise."
Microsoft said the threat actor has previously used stolen credentials to access cloud services, including email and storage, and has also used compromised identities to gain access to computer networks. The newly discovered malware strains each had a specific role in gaining further access to targeted systems:
GoldMax, which is written in the Go open-source language, operates as a command-and-control backdoor for the threat actor, according to Microsoft. It uses various techniques to evade detection.
Sibot is a dual-purpose malware implemented in VBScript, which persists on an infected machine and then downloads and executes a payload from a remote C2 server.
GoldFinger, also written in Go, was likely used as a custom HTTP tracer tool that, when run on a compromised system, logs the route a packet takes to reach a hardcoded C2 server, according to Microsoft.
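The Sibot description above (a VBScript that persists, fetches a payload from a remote server and runs it) maps onto a generic behavioural pattern a defender can look for regardless of the specific script: a Windows script host that makes an outbound connection and then spawns a new process. The following is an added example written for this page, not Microsoft's detection logic or anything from its report. The event records are constructed and only loosely shaped like Sysmon ProcessCreate (id 1) and NetworkConnect (id 3) events; the persistence trigger itself is not modelled.

```python
"""Added example: generic download-then-execute detection for a script host.
Hypothetical logic written for this page, not Microsoft's detection; event
records are constructed and modelled loosely on Sysmon event ids 1 and 3."""
import ntpath

# Windows script hosts that run VBScript / JScript files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed sample telemetry in arrival order (not a real capture).
SAMPLE_EVENTS = [
    {"id": 1, "pid": 400, "ppid": 100, "image": r"C:\Windows\System32\svchost.exe",
     "cmd": "svchost.exe -k netsvcs"},
    # Script host started under a service host, as a scheduled-task style
    # persistence trigger would do (the trigger itself is not modelled here).
    {"id": 1, "pid": 1201, "ppid": 400, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript.exe //B C:\ProgramData\update.vbs"},
    {"id": 3, "pid": 1201, "image": r"C:\Windows\System32\wscript.exe",
     "dst": "203.0.113.7", "port": 443},
    {"id": 1, "pid": 1340, "ppid": 1201, "image": r"C:\ProgramData\svc.exe",
     "cmd": "svc.exe"},
    # Control case: a logon script that spawns a child but never uses the network.
    {"id": 1, "pid": 1500, "ppid": 100, "image": r"C:\Windows\System32\cscript.exe",
     "cmd": "cscript.exe logon.vbs"},
    {"id": 1, "pid": 1600, "ppid": 1500, "image": r"C:\Windows\System32\notepad.exe",
     "cmd": "notepad.exe"},
]


def find_download_execute_chains(events):
    """Flag a script host that made an outbound connection and afterwards
    spawned a child process: the download-then-execute shape.  Event order
    in the list is treated as time order."""
    procs = {}        # pid -> ProcessCreate record
    first_conn = {}   # script-host pid -> its first NetworkConnect record
    alerts = []
    for ev in events:
        if ev["id"] == 1:
            procs[ev["pid"]] = ev
            parent = procs.get(ev["ppid"])
            # Only pids already seen connecting out are in first_conn, and
            # only script hosts are ever recorded there.
            if parent is not None and ev["ppid"] in first_conn:
                conn = first_conn[ev["ppid"]]
                alerts.append({
                    "script_pid": ev["ppid"],
                    "script_cmd": parent["cmd"],
                    "dst": f'{conn["dst"]}:{conn["port"]}',
                    "child": ev["image"],
                })
        elif ev["id"] == 3 and ntpath.basename(ev["image"]).lower() in SCRIPT_HOSTS:
            first_conn.setdefault(ev["pid"], ev)
    return alerts


if __name__ == "__main__":
    for a in find_download_execute_chains(SAMPLE_EVENTS):
        print(f"ALERT: script host pid {a['script_pid']} ({a['script_cmd']}) "
              f"connected to {a['dst']} then launched {a['child']}")
```

Run as-is it reports the wscript chain and stays silent on the cscript control case. In practice the same heuristic is tuned by allow-listing known logon or management scripts and by weighting script paths in user-writable directories such as ProgramData or a user profile.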
Researchers had previously uncovered four separate malware strains related to the SolarWinds attack. Sunburst and Teardrop were uncovered back in December, during the first week after the attacks were disclosed. By January, CrowdStrike uncovered the Sunspot malware, and Symantec later identified Raindrop as a fourth malware strain.
The discovery of additional malware is another example of the sophistication of this threat actor and the desire to establish a beachhead and persist quietly in the environment, according to Jeff Barker, vice president of product marketing at Illusive.
The attacker still needs to harvest credentials, move laterally and escalate privilege to achieve the group's objectives, he said.
"Deception technology makes it extremely difficult, if not impossible, for the attacker to move laterally without detection," Barker said. "If they can't move without detection, they're not likely to achieve their objectives."
The attackers will also face challenges in terms of using automated tools without certain detection, according to Barker. He suggested organizations should not expect this activity to end any time soon and should take an "assume breach" posture with tools and processes put in place for a rapid response.
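Two concrete detections follow from Barker's points about deception and about automated tooling: a decoy account that no legitimate process ever uses turns any authentication attempt naming it into a high-fidelity signal, and an automated lateral-movement tool tends to touch many hosts from one source faster than a person would. The block below is an added example written for this page, not Illusive's product logic. It assumes the organization has seeded decoy accounts, and the logon records are constructed in a simplified JSON-like shape modelled on Windows logon events 4624 (success) and 4625 (failure).

```python
"""Added example: decoy-account and network fan-out alerting for lateral
movement.  Written for this page, not a vendor's logic; decoy account names
and logon records are constructed assumptions."""
from collections import defaultdict
from datetime import datetime

# Assumption: decoy (honeytoken) accounts seeded into the environment with
# no legitimate use, so any attempt to authenticate as them is suspect.
DECOY_ACCOUNTS = {"svc_backup_admin", "sql_sa_legacy"}

# Constructed sample records (not from a real environment).
SAMPLE_LOGONS = [
    {"ts": "2020-09-14T02:11:05Z", "event": 4624, "user": "jsmith",
     "src": "10.1.20.15", "host": "WS-0142", "logon_type": 2},
    {"ts": "2020-09-14T02:13:40Z", "event": 4625, "user": "svc_backup_admin",
     "src": "10.1.20.15", "host": "FS-01", "logon_type": 3},
    {"ts": "2020-09-14T02:13:42Z", "event": 4625, "user": "svc_backup_admin",
     "src": "10.1.20.15", "host": "FS-02", "logon_type": 3},
    {"ts": "2020-09-14T02:13:45Z", "event": 4624, "user": "svc_backup_admin",
     "src": "10.1.20.15", "host": "DC-01", "logon_type": 3},
    {"ts": "2020-09-14T08:00:01Z", "event": 4624, "user": "backupsvc",
     "src": "10.1.5.9", "host": "FS-01", "logon_type": 5},
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def decoy_account_alerts(logons, decoys=DECOY_ACCOUNTS):
    """One alert per (decoy account, source): every attempt counts, whether
    it failed or succeeded, because nothing legitimate should try at all."""
    grouped = defaultdict(lambda: {"attempts": 0, "hosts": [],
                                   "succeeded": False, "first_seen": None})
    for rec in logons:
        if rec["user"].lower() not in decoys:
            continue
        g = grouped[(rec["user"], rec["src"])]
        g["attempts"] += 1
        g["hosts"].append(rec["host"])
        g["succeeded"] = g["succeeded"] or rec["event"] == 4624
        g["first_seen"] = g["first_seen"] or rec["ts"]
    return [{"user": u, "src": s, **v} for (u, s), v in grouped.items()]


def network_fanout_alerts(logons, window_seconds=60, min_hosts=3):
    """A single source reaching at least min_hosts distinct hosts over
    network logons (type 3) inside window_seconds: the tempo of an automated
    tool rather than of an administrator working by hand."""
    by_src = defaultdict(list)
    for rec in logons:
        if rec["logon_type"] == 3:
            by_src[rec["src"]].append((parse_ts(rec["ts"]), rec["host"]))
    alerts = []
    for src, items in by_src.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            hosts = {h for t, h in items[i:]
                     if (t - t0).total_seconds() <= window_seconds}
            if len(hosts) >= min_hosts:
                alerts.append({"src": src, "window_start": t0.isoformat(),
                               "hosts": sorted(hosts)})
                break   # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for a in decoy_account_alerts(SAMPLE_LOGONS):
        print(f"DECOY: {a['user']} tried from {a['src']} on {a['hosts']} "
              f"(attempts={a['attempts']}, succeeded={a['succeeded']})")
    for a in network_fanout_alerts(SAMPLE_LOGONS):
        print(f"FAN-OUT: {a['src']} reached {a['hosts']} from {a['window_start']}")
```

On the sample data both detections fire on the same source, 10.1.20.15, which is the kind of corroboration that justifies an immediate response under an "assume breach" posture: the decoy alert needs no baseline or tuning, while the fan-out threshold should be set from the organization's own normal administrative traffic.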