FireEye, Microsoft Detail Additional Malware Linked to SolarWinds Hack

Microsoft and FireEye are disclosing new details about the hackers behind the massive compromise of the SolarWinds Orion platform, including new tools.

March 4, 2021 Zachary Comeau Leave a Comment

Microsoft and FireEye are disclosing new details about the hackers behind the massive compromise of the SolarWinds Orion platform, including three new pieces of malware used in late-stage activity by the group, which Microsoft tracks as NOBELIUM.

According to both companies, the earliest observed use of the newly discovered backdoor was in August 2020, but the tools may have been present on compromised systems as early as June 2020.

According to FireEye, the malware includes what it calls SUNSHUTTLE, a second-stage backdoor written in Go that features detection-evasion capabilities. FireEye says the malware was observed in the IT environment of a known victim of the SolarWinds-related attack, but that it has not fully verified the malware's connection to that intrusion.

The backdoor reads an embedded or local configuration file, communicates with a hard-coded command-and-control (C2) server over HTTPS, and supports commands including remotely updating its configuration, uploading and downloading files, and executing arbitrary commands.

Notably, SUNSHUTTLE passes values to the C2 in cookie headers and, if so configured, selects a Referer from a list of popular website URLs so that its traffic blends in with ordinary browsing.
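As an added illustration for defenders (this is not code from the article, FireEye or Microsoft), the following Python heuristic scans web-proxy log lines for the two traffic traits described above: a Referer from a popular site that does not match the destination host, combined with a regular beacon cadence to that host. The log format, the popular-referrer list, the hostnames and the thresholds are all assumptions made up for this example; the sample log lines are constructed, not real captures.

```python
"""Heuristic detection of SUNSHUTTLE-style C2 traffic in proxy logs.

Added example, not code from the original article, FireEye or Microsoft.
Looks for two traits the article attributes to the backdoor:
  1. a Referer from a popular site that does not match the destination
     host (the "blend in" trick), and
  2. a regular beacon cadence to that destination.
Log format, referrer list, hostnames and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Assumed list of "popular" referrer domains; the list the malware actually
# draws from is documented in FireEye's report and is not reproduced here.
POPULAR_REFERRERS = {"google.com", "facebook.com", "bing.com",
                     "yahoo.com", "twitter.com"}

# Constructed proxy log lines: timestamp|src_ip|url|referer|cookie_present
SAMPLE_LOG = [
    # regular ~5 min beacon, Google referer, cookie set: suspicious
    "2021-03-04T12:00:00|10.0.0.5|https://cdn-updates.example/api/sync|https://www.google.com/|1",
    "2021-03-04T12:05:02|10.0.0.5|https://cdn-updates.example/api/sync|https://www.google.com/|1",
    "2021-03-04T12:09:58|10.0.0.5|https://cdn-updates.example/api/sync|https://www.google.com/|1",
    "2021-03-04T12:15:01|10.0.0.5|https://cdn-updates.example/api/sync|https://www.google.com/|1",
    "2021-03-04T12:20:00|10.0.0.5|https://cdn-updates.example/api/sync|https://www.google.com/|1",
    # regular telemetry with no referer: regular, but no mismatch -> benign
    "2021-03-04T12:00:00|10.0.0.5|https://telemetry.example/ping|-|0",
    "2021-03-04T12:01:00|10.0.0.5|https://telemetry.example/ping|-|0",
    "2021-03-04T12:02:00|10.0.0.5|https://telemetry.example/ping|-|0",
    "2021-03-04T12:03:00|10.0.0.5|https://telemetry.example/ping|-|0",
    "2021-03-04T12:04:00|10.0.0.5|https://telemetry.example/ping|-|0",
    # human browsing from a Google search: mismatch, but irregular -> benign
    "2021-03-04T12:00:00|10.0.0.7|https://news.example/|https://www.google.com/|1",
    "2021-03-04T12:00:03|10.0.0.7|https://news.example/a|https://www.google.com/|1",
    "2021-03-04T12:07:45|10.0.0.7|https://news.example/b|https://www.google.com/|1",
    "2021-03-04T12:08:00|10.0.0.7|https://news.example/c|https://www.google.com/|1",
]


def host_of(url):
    """Return the hostname of a URL with a leading 'www.' stripped."""
    h = urlsplit(url).hostname or ""
    return h[4:] if h.startswith("www.") else h


def parse_line(line):
    """Parse one pipe-delimited log line into a dict."""
    ts, src, url, referer, cookie = line.strip().split("|")
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src,
        "dst": host_of(url),
        "ref": host_of(referer) if referer != "-" else None,
        "cookie": cookie == "1",
    }


def beacon_regularity(timestamps):
    """Coefficient of variation of inter-request gaps; low means regular."""
    if len(timestamps) < 3:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m else None


def score_destinations(lines, min_requests=4, max_cv=0.25,
                       min_mismatch_ratio=0.5):
    """Group requests by (src, dst) and flag pairs showing both traits."""
    groups = defaultdict(list)
    for line in lines:
        r = parse_line(line)
        groups[(r["src"], r["dst"])].append(r)
    flagged = {}
    for key, reqs in groups.items():
        if len(reqs) < min_requests:
            continue
        mismatched = [r for r in reqs
                      if r["ref"] in POPULAR_REFERRERS and r["ref"] != r["dst"]]
        ratio = len(mismatched) / len(reqs)
        cv = beacon_regularity([r["ts"] for r in reqs])
        cookie_ratio = sum(r["cookie"] for r in reqs) / len(reqs)
        if ratio >= min_mismatch_ratio and cv is not None and cv <= max_cv:
            flagged[key] = {"mismatch_ratio": round(ratio, 2),
                            "beacon_cv": round(cv, 3),
                            "cookie_ratio": round(cookie_ratio, 2)}
    return flagged


def run_demo():
    """Score the constructed sample log and return the flagged pairs."""
    return score_destinations(SAMPLE_LOG)


if __name__ == "__main__":
    for (src, dst), info in run_demo().items():
        print(f"{src} -> {dst}: {info}")
```

Neither trait is conclusive on its own: a Referer from a search engine is normal for human browsing, and regular polling is normal for telemetry and OCSP checks. Requiring both, plus the cookie-on-every-request signal carried in the output, keeps the false-positive rate manageable; in production the thresholds would be tuned against the organisation's own baseline.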

In a blog post analyzing the malware, Microsoft said the tools are unique to NOBELIUM and are tailored to specific networks.

They are introduced into the victim network only after the actor has already gained access, either through compromised credentials or through the trojanized SolarWinds binary, and after moving laterally with other tooling and hands-on-keyboard actions.

As many other IT companies and cybersecurity experts have said, this threat actor is highly sophisticated and likely employs large teams of engineers to carry out these attacks. Microsoft reiterated those points in its post, including the growing consensus that other compromises and malware have yet to be discovered. Microsoft wrote:

“These capabilities differ from previously known NOBELIUM tools and attack patterns, and reiterate the actor’s sophistication. In all stages of the attack, the actor demonstrated a deep knowledge of software tools, deployments, security software and systems common in networks, and techniques frequently used by incident response teams.

“This knowledge is reflected in the actor’s operational decisions, from the choice of command-and-control (C2) infrastructure to the naming of scheduled tasks used to maintain persistence.

“With this actor’s established pattern of using unique infrastructure and tooling for each target, and the operational value of maintaining their persistence on compromised networks, it is likely that additional components will be discovered as our investigation into the actions of this threat actor continues.”

Microsoft detailed two other pieces of malware. One is a dual-purpose tool implemented in VBScript that both establishes persistence on the infected machine and downloads and executes a payload from a remote C2 server.

The other, Microsoft says, was most likely used as a custom HTTP tracer that logs the route, or hops, a request takes to reach a hard-coded C2 server.

That tracer, like SUNSHUTTLE, is written in Go; the persistence tool is the VBScript component, according to Microsoft.

For more detailed information, technical analysis and indicators of compromise, read the Microsoft and FireEye blogs.
