Microsoft and FireEye are disclosing new details about the hackers behind the massive compromise of the SolarWinds Orion platform, including three new pieces of malware being used in late-stage activity by the group, which Microsoft is calling NOBELIUM.
According to both companies, the earliest known use of the newly discovered backdoor was in August 2020, but the tools may have been used on compromised systems as early as June of that year.
According to FireEye, the malware includes what it calls SUNSHUTTLE – a second-stage backdoor written in Go that features detection-evasion capabilities. FireEye says the malware was observed in the IT environment of a known victim of the SolarWinds-related attack, but it could not fully verify the connection.
SUNSHUTTLE reads an embedded or local configuration file, communicates with a hard-coded command-and-control (C2) server over HTTPS, and supports commands including remotely updating its configuration, file upload and download, and arbitrary command execution.
Notably, SUNSHUTTLE uses cookie headers to pass values to the C2, and if configured, can select referrers from a list of popular website URLs to help such network traffic “blend in.”
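The referrer trick described above leaves a recognisable trace: one destination host keeps receiving requests whose Referer points at a different, popular site. The following is an added detection sketch, not code from FireEye, Microsoft or the malware, run over constructed proxy-log lines; it assumes the proxy can log request headers (i.e. TLS is inspected) and that hostnames, the log layout and the allowlist are placeholders.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines (tab-separated: time, client, destination host,
# Referer header, Cookie header present?). Hostnames are placeholders, not IoCs.
SAMPLE_LOG = """\
2021-03-04T10:00:01Z\t10.0.0.5\tupdates.example-cdn.invalid\thttps://www.google.com/\tyes
2021-03-04T10:00:31Z\t10.0.0.5\tupdates.example-cdn.invalid\thttps://www.facebook.com/\tyes
2021-03-04T10:01:02Z\t10.0.0.5\tupdates.example-cdn.invalid\thttps://www.bing.com/\tyes
2021-03-04T10:01:10Z\t10.0.0.7\tshop.partner.invalid\thttps://www.google.com/\tno
2021-03-04T10:01:15Z\t10.0.0.7\tshop.partner.invalid\thttps://shop.partner.invalid/cart\tyes
"""

def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for the demo; use a public-suffix list in production."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def parse_log(text: str):
    """Yield one record per log line, with the Referer reduced to its registrable domain."""
    for line in text.splitlines():
        ts, client, dest, referer, cookie = line.split("\t")
        ref_host = urlsplit(referer).hostname or ""
        yield {"ts": ts, "client": client, "dest": dest,
               "ref": registrable(ref_host) if ref_host else "",
               "cookie": cookie == "yes"}

def rotating_referers(text: str, allowlist: set, min_distinct: int = 2) -> dict:
    """Flag (client, destination) pairs that send cookies to a non-allowlisted host
    while presenting several different off-site Referers: the blend-in pattern."""
    seen = defaultdict(set)
    for rec in parse_log(text):
        if not rec["ref"] or not rec["cookie"]:
            continue                                  # no referrer/cookie to judge
        if registrable(rec["dest"]) in allowlist:
            continue                                  # known business destination
        if rec["ref"] == registrable(rec["dest"]):
            continue                                  # same-site navigation is expected
        seen[(rec["client"], rec["dest"])].add(rec["ref"])
    return {f"{c} -> {d}": sorted(r) for (c, d), r in seen.items()
            if len(r) >= min_distinct}

if __name__ == "__main__":
    for pair, refs in rotating_referers(SAMPLE_LOG, {"partner.invalid"}).items():
        print(pair, refs)
```

A single off-site Referer is normal (a link click from a search engine); the signal is the same client repeatedly reaching one unfamiliar host with a rotating set of them, which is why the check counts distinct referrers per destination.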
In a blog detailing and analyzing the malware, Microsoft said the tools are unique to NOBELIUM and are designed for specific networks.
They are introduced into the victim network after the actor has already gained access through compromised credentials or the SolarWinds binary, and after moving laterally by means of other SolarWinds compromises and other hands-on-keyboard actions.
As many other IT companies and cybersecurity experts have said, this threat actor is highly sophisticated and likely employs large teams of engineers to carry out these attacks. Microsoft reiterated those points in the blog, including the growing thought that there are other compromises and malware yet to be discovered.
These capabilities differ from previously known NOBELIUM tools and attack patterns, and reiterate the actor’s sophistication. In all stages of the attack, the actor demonstrated a deep knowledge of software tools, deployments, security software and systems common in networks, and techniques frequently used by incident response teams.
This knowledge is reflected in the actor’s operational decisions, from the choice of command-and-control (C2) infrastructure to the naming of scheduled tasks used to maintain persistence.
With this actor’s established pattern of using unique infrastructure and tooling for each target, and the operational value of maintaining their persistence on compromised networks, it is likely that additional components will be discovered as our investigation into the actions of this threat actor continues.
Microsoft detailed two other pieces of malware, including a dual-purpose malware implemented in VBScript designed to achieve persistence on the infected machine and download and execute a payload from a remote C2 server.
Another tool, Microsoft says, was most likely used as a custom HTTP tracer that logs the route, or hops, that a packet takes to reach a hard-coded C2 server.
Both were also written in Go, according to Microsoft.