New Malware Used By SolarWinds Attackers Went Undetected For Years

 

The threat actor behind the supply chain compromise of SolarWinds has continued to expand its malware arsenal with new tools and techniques that were deployed in attacks as early as 2019, once indicative of the elusive nature of the campaigns and the adversary's ability to maintain persistent access for years.

According to cybersecurity firm CrowdStrike, which detailed the novel tactics adopted by the Nobelium hacking group last week, two sophisticated malware families were placed on victim systems — a Linux variant of GoldMax and a new implant dubbed TrailBlazer — long before the scale of the attacks came to light.

Nobelium, the Microsoft-assigned moniker for the SolarWinds intrusion in December 2020, is also tracked by the wider cybersecurity community under the names UNC2452 (FireEye), SolarStorm (Unit 42), StellarParticle (CrowdStrike), Dark Halo (Volexity), and Iron Ritual (Secureworks).

The malicious activities have since been attributed to a Russian state-sponsored actor called APT29 (also known as The Dukes and Cozy Bear), a cyber espionage operation associated with the country's Foreign Intelligence Service that's known to be active since at least 2008.

GoldMax (aka SUNSHUTTLE), which was discovered by Microsoft and FireEye (now Mandiant) in March 2021, is a Golang-based malware that acts as a command-and-control backdoor, establishing a secure connection with a remote server to execute arbitrary commands on the compromised machine.

Mandiant also pointed out that Dark Halo actors had used the malware in attacks going back to at least August 2020, or four months before SolarWinds discovered its Orion updates had been tampered with malware designed to drop post-compromise implants against thousands of its customers.

In September 2021, Kaspersky revealed details of a second variant of the GoldMax backdoor called Tomiris that was deployed against several government organizations in an unnamed CIS member state in December 2020 and January 2021.

The latest iteration is a previously undocumented but functionally identical Linux implementation of the second-stage malware that was installed in victim environments in mid-2019, predating all other identified samples built for the Windows platform to date.

Also delivered around the same timeframe was TrailBlazer, a modular backdoor that offers attackers a path to cyber espionage, while sharing commonalities with GoldMax in the way it masquerades its command-and-control (C2) traffic as legitimate Google Notifications HTTP requests.

Other uncommon channels used by the actor to facilitate the attacks include —

• Credential hopping for obscuring lateral movement
• Office 365 (O365) Service Principal and Application hijacking, impersonation, and manipulation, and
• Theft of browser cookies for bypassing multi-factor authentication

Additionally, the operators carried out multiple instances of domain credential theft months apart, each time leveraging a different technique, one among them being the use of Mimikatz password stealer in-memory, from an already compromised host to ensure access for extended periods of time.

"The StellarParticle campaign, associated with the Cozy Bear adversary group, demonstrates this threat actor's extensive knowledge of Windows and Linux operating systems, Microsoft Azure, O365, and Active Directory, and their patience and covert skill set to stay undetected for months — and in some cases, years," the researchers said.

Related articles

1. Hacker Techniques Tools And Incident Handling
2. Pentest Tools For Android
3. Pentest Tools For Android
4. Hacker Security Tools
5. Pentest Automation Tools
6. Hack Tools Online
7. Ethical Hacker Tools
8. Hack Tools Download
9. Nsa Hacker Tools
10. Hack Website Online Tool
11. Hack Tools 2019
12. Hack Apps
13. How To Make Hacking Tools
14. Top Pentest Tools
15. Hacking Tools Download
16. Tools 4 Hack
17. Hacking App
18. Hack And Tools
19. Pentest Tools Port Scanner
20. Github Hacking Tools
21. Hacker Tools Apk
22. Nsa Hack Tools
23. Hacking Tools Software
24. Physical Pentest Tools
25. Beginner Hacker Tools
26. Hacker Tools 2020
27. Hacker Tools Linux
28. Underground Hacker Sites
29. Hack Tools For Ubuntu
30. Hack Tools For Windows
31. Hacking Tools For Pc
32. Hack Tools 2019
33. Wifi Hacker Tools For Windows
34. Hackrf Tools
35. Hacking Tools Name
36. Termux Hacking Tools 2019
37. Hack Tool Apk No Root
38. Pentest Tools Windows
39. What Is Hacking Tools
40. Pentest Tools List
41. Hacker Techniques Tools And Incident Handling
42. Hacking App
43. Hacking Tools Hardware
44. Nsa Hack Tools
45. Pentest Tools Nmap
46. Hacking Tools Download
47. Hacking Tools For Kali Linux
48. Hacking Tools Free Download
49. Ethical Hacker Tools
50. Hackrf Tools
51. Kik Hack Tools
52. Hacking Tools For Windows Free Download
53. Pentest Tools Apk
54. Pentest Tools For Android
55. Hack App
56. Free Pentest Tools For Windows
57. Usb Pentest Tools
58. Pentest Tools Alternative
59. Hack Tools Mac
60. Top Pentest Tools
61. Hack Tool Apk No Root
62. Hacking Tools Download
63. Pentest Tools For Android
64. Top Pentest Tools
65. Pentest Tools Linux
66. Pentest Tools Website
67. Hack Tools
68. What Is Hacking Tools
69. Hack Tools Download
70. Top Pentest Tools
71. Wifi Hacker Tools For Windows
72. Pentest Tools Windows
73. Hacking Tools Download
74. Pentest Tools Tcp Port Scanner
75. Hack Tools
76. Github Hacking Tools
77. Pentest Recon Tools
78. Usb Pentest Tools
79. Hack Tools Download
80. Hacker Tools List
81. Hacker Tools Free
82. Hacking Tools 2020
83. Hacker Security Tools
84. Kik Hack Tools
85. Hacking Tools For Pc
86. Pentest Tools Tcp Port Scanner
87. Hack Rom Tools
88. Black Hat Hacker Tools
89. Hacker Security Tools
90. Hack Website Online Tool
91. Hackrf Tools
92. Hacking Tools Name
93. Github Hacking Tools
94. Physical Pentest Tools
95. Tools Used For Hacking
96. Hacking Tools Download
97. Pentest Tools List
98. Best Hacking Tools 2019
99. Hacker Tools For Ios
100. Pentest Tools Windows
101. Hacking Apps
102. Pentest Tools Online
103. Hacking Tools Kit
104. Hacking Tools For Games
105. Bluetooth Hacking Tools Kali
106. Nsa Hacker Tools
107. Hacking Tools For Windows 7
108. Hack App
109. Hack Apps
110. Hacker Security Tools
111. Hack Tools For Games
112. Hack Tools
113. Hacking Tools Download
114. Pentest Tools For Mac
115. How To Install Pentest Tools In Ubuntu
116. Pentest Tools Alternative
117. Pentest Tools Bluekeep
118. Hack Tools
119. Hack Tools For Games
120. Hacking Tools Mac
121. Pentest Tools Download
122. Hack Tools Download
123. Hacking Tools Windows
124. Hacker Tools List