Skip to main content
close search
site logo
Dive Brief

3 new malware strains show persistence, sophistication of SolarWinds actor

Published March 5, 2021
David Jones's headshot
Reporter
Getty

Dive Brief:

  • Microsoft identified three new strains of malware — GoldMax, GoldFinger and Sibot — which were used during targeted, late-stage attacks from the SolarWinds threat actor during August and September 2020. The malicious actors used the strains against a select number of compromised customer networks, the company said.  

  • FireEye, which is working with Microsoft to investigate the malware strains, has identified a second-stage backdoor called Sunshuttle, which a FireEye spokesperson said is the same as the GoldMax strain. The new malware has been seen in less than five organizations, according to the spokesperson. 

  • The Microsoft Threat Intelligence Center named Nobelium as the actor behind the SolarWinds attacks, a move that Microsoft says is designed to switch the focus from the victim of the attacks to the threat actor.

Dive Insight:

The newly discovered malware shines a light on the patience and sophistication displayed by the SolarWinds threat actor, according to researchers. It highlights the need for further intelligence sharing and transparency that industry executives and legislators have called for.

"Sunshuttle was observed alongside other advanced actor techniques and unique malware," Brandan Schondorfer, principal consultant at Mandiant, said via email. "The current findings suggest the usage of this malware and related activity are targeted in nature."

Microsoft said the capabilities found in this new malware differ from previously known tools and attack patterns. The threat actor has a deep understanding of how incident response teams work and the tools, deployments and security software used to defend organizations against attack, the company said. 

The tools are new pieces of malware that are unique to this actor, Microsoft said through a spokesperson. 

"They are tailor-made for specific networks and are assessed to be introduced after the actor has gained access through compromised credentials or the SolarWinds binary and after moving laterally with Teardrop and other hands-on keyboard actions," Microsoft said through the spokesperson. "The newly surfaced pieces of malware were used by the actor to maintain persistence and perform actions on very specific and targeted networks post-compromise."

Microsoft said the threat actor has previously used stolen credentials to access cloud service, including email and storage and has also used compromised identities to gain access to computer networks. The newly discovered malware strains each had a specific role in gaining further access to targeted systems: 

  • GoldMax, which is written in the Go open-source language, operates as a command-and-control backdoor for the threat actor, according to Microsoft. It uses various techniques to evade detection. 

  • Sibot is a dual-purpose malware implemented in VBScript, which persists on an infected machine and then downloads and execute a payload from a remote C2 server. 

  • GoldFinger, also written in Go, was likely used as a custom HTTP tracer tool, which logs the route that a packet uses to reach a hardcoded C2 server, according to Microsoft. When used on a compromised system.

Researchers had previously uncovered four separate malware strains related to the SolarWinds attack. Sunburst and Teardrop were uncovered back in December, during the first week after the attacks were disclosed. By January, CrowdStrike uncovered the Sunspot malware, and Symantec later identified Raindrop as a fourth malware strain.

The discovery of additional malware is another example of the sophistication of this threat actor and the desire to establish a beachhead and persist quietly in the environment, according to Jeff Barker, vice president of product marketing at Illusive. 

The attacker still needs to harvest credentials, move laterally and escalate privilege to achieve the group's objectives, he said.

"Deception technology makes it extremely difficult, if not impossible, for the attacker to move laterally without detection," Barker said. "If they can't move without detection, they're not likely to achieve their objectives."

The attackers will also face challenges in terms of using automated tools without certain detection, according to Barker. He suggested organizations should not expect this activity to end any time soon and should take an "assume breach" posture with tools and processes put in place for a rapid response.

Filed Under: Cyberattacks, Threats

Editors' picks

Company Announcements

View all | Post a press release
DigiCert Unveils 2025 Security Predictions
From DigiCert
November 21, 2024
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Editors' picks
Latest in Cyberattacks
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell