Microsoft released details Thursday on later-stage malware the company says was used by the group behind the SolarWinds espionage campaign that breached several government agencies and private firms including Microsoft and FireEye.
A coordinated blog post from FireEye provided a separate deep dive on one of the malware strains in the Microsoft post, but the firm was less confident about attributing it to the SolarWinds campaign. According to its blog, FireEye obtained a sample from a malware repository.
Microsoft, which is now tracking this hacker group as Nobelium, said it discovered three new samples of malware apparently active in some compromised customer networks between August and September of last year.
“These capabilities differ from previously known Nobelium tools and attack patterns, and reiterate the actor’s sophistication. In all stages of the attack, the actor demonstrated a deep knowledge of software tools, deployments, security software and systems common in networks, and techniques frequently used by incident response teams,” wrote Microsoft.
Lawmakers and vendors alike believe Nobelium to be a facet of Russian intelligence.
The two Nobelium strains outlined by Microsoft but not by FireEye are Sibot and GoldFinder. Sibot is a dual-use VBScript program that comes in three variants. All three download a malicious DLL from a compromised website. Sibot runs the DLL through the Win32_Process WMI class, which makes the execution harder to trace back to Sibot, which can then maintain persistence.
GoldFinder traces the hops an HTTP request takes back to the command and control server. It was written in Go.
The malware discovered by both Microsoft and FireEye is called GoldMax by Microsoft and SUNSHUTTLE by FireEye. It is a second-stage backdoor that connects to a hard-coded command and control server. It communicates with that server through cookie headers and can be configured to disguise its web traffic as being referred by popular websites, including Google, Bing and Facebook.
FireEye notes that the hard-coded server is registered using the domain provider NameSilo, which accepts bitcoin and has been used by Russian and Iranian espionage groups in the past. While FireEye found the malware installed on a victim network also infiltrated by Nobelium, the vendor is not ready to attribute the malware to that group just yet.
Microsoft and FireEye both provide indicators of compromise on their sites.
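As a behavioral complement to those indicators, the following added example (not code from Microsoft, FireEye or this article) hunts proxy logs for the GoldMax/SUNSHUTTLE traffic pattern described above: cookie-bearing requests that claim a popular-site referrer but go to a destination almost no one else in the network visits. The record layout, the sample hosts and the `min_hits`/`max_clients` thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Referrer sites named in the article as cover for the backdoor's traffic.
POPULAR_SITES = ("google.com", "bing.com", "facebook.com")

# Constructed proxy records: (client IP, destination host, Referer, Cookie present).
SAMPLE_LOG = [
    ("10.0.0.5", "news.example.org", "https://www.google.com/", True),
    ("10.0.0.6", "news.example.org", "https://www.google.com/", True),
    ("10.0.0.7", "news.example.org", "https://www.bing.com/", False),
    ("10.0.0.9", "cdn.rare-host.example", "https://www.google.com/", True),
    ("10.0.0.9", "cdn.rare-host.example", "https://www.facebook.com/", True),
    ("10.0.0.9", "cdn.rare-host.example", "https://www.bing.com/", True),
    ("10.0.0.9", "cdn.rare-host.example", "https://www.google.com/", True),
    ("10.0.0.8", "shop.example.net", "https://shop.example.net/cart", True),
]

def popular_site(host):
    """Return the popular site a hostname belongs to, or None."""
    host = (host or "").lower()
    for site in POPULAR_SITES:
        # Suffix match on a label boundary, so google.com.evil.example fails.
        if host == site or host.endswith("." + site):
            return site
    return None

def hunt(records, min_hits=3, max_clients=1):
    """Flag rarely visited destinations that receive popular-site Referers plus cookies.

    min_hits and max_clients are assumed tuning values, not vendor guidance.
    """
    clients = defaultdict(set)   # destination -> every client that contacted it
    hits = defaultdict(list)     # destination -> popular referrer sites claimed
    for client, dest, referer, has_cookie in records:
        dest = dest.lower()
        clients[dest].add(client)
        site = popular_site(urlsplit(referer).hostname)
        # Count only cookie-bearing requests to hosts outside the popular sites.
        if site and has_cookie and popular_site(dest) is None:
            hits[dest].append(site)
    findings = []
    for dest, sites in hits.items():
        if len(sites) >= min_hits and len(clients[dest]) <= max_clients:
            findings.append({"dest": dest, "clients": sorted(clients[dest]),
                             "hits": len(sites), "referrers": sorted(set(sites))})
    return sorted(findings, key=lambda f: -f["hits"])

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

A hit is a lead for triage against the vendors' published indicators, not a verdict; legitimate niche sites reached from search results by a single user will also match.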
“With this actor’s established pattern of using unique infrastructure and tooling for each target, and the operational value of maintaining their persistence on compromised networks, it is likely that additional components will be discovered as our investigation into the actions of this threat actor continues,” wrote Microsoft.