A recent analysis by the Microsoft Threat Intelligence Center and the Microsoft 365 Defender Research Team reveals three more malware samples used by the notorious Nobelium APT during the devastating SolarWinds supply-chain attack. According to the report, the newly discovered second-stage malware was used by the adversaries to evade detection, maintain persistence, and load additional payloads into the compromised network.
GoldMax, GoldFinder, and Sibot Backdoors
According to the security experts, GoldMax (also known as Sunshuttle) is a sophisticated later-stage command-and-control (C&C) backdoor used for cyber-espionage. It applies evasion techniques that blend its C&C traffic with requests made to look like they originate from legitimate websites such as Google, Yahoo, or Facebook. The APT-controlled server used by the malware was registered anonymously via NameSilo, a domain provider frequently used by Russian and Iranian nation-backed APT actors.
The second recently identified threat, GoldFinder, acts as a custom HTTP tracer tool. It can locate proxy servers and network security tools that sit in the path of C&C communications between the compromised host and the server.
The last malware sample, called Sibot, is a VBScript threat used to achieve persistence and to download additional malware from a remote attacker-controlled server. To stay under the radar, the malicious VBScript file impersonates a legitimate Windows task and runs as a scheduled task.
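The persistence pattern described above (a VBScript run by the Task Scheduler under a Windows-looking name) is something a SOC can hunt for in process-creation telemetry. The following is an added example, not code from the original post, from Microsoft, or from the Threat Detection Marketplace rules it mentions: it applies a simple heuristic to constructed Sysmon-style process-creation records. The field names, the choice of `taskeng.exe` / `svchost.exe -s Schedule` as scheduler parents, the trusted-directory list, and the sample events are all assumptions made for the example, not indicators taken from the report.

```python
"""
Added example (not from the original post or Microsoft's report): flag script hosts
(wscript/cscript) that the Task Scheduler launched to run a .vbs file, and raise the
severity when the script lives outside the usual system directories. All field names
and sample values below are constructed assumptions for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Parents that indicate a Task Scheduler launch (assumption for this example).
SCHEDULER_PARENTS = {"taskeng.exe", "svchost.exe"}
# Directories where a legitimately shipped Windows .vbs would normally live (assumption).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# A quoted path, or an unquoted run of non-space characters, ending in .vbs
VBS_RE = re.compile(r'"([^"]+\.vbs)"|(\S+\.vbs)', re.IGNORECASE)


@dataclass
class ProcessEvent:
    image: str                 # full path of the started process
    command_line: str          # its command line
    parent_image: str          # full path of the parent process
    parent_command_line: str   # parent's command line (needed to tell svchost instances apart)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def launched_by_scheduler(ev: ProcessEvent) -> bool:
    """True when the parent is the Task Scheduler engine or the Schedule service host."""
    parent = basename(ev.parent_image)
    if parent not in SCHEDULER_PARENTS:
        return False
    if parent == "taskeng.exe":
        return True
    # svchost.exe hosts many services; only the Schedule service instance counts.
    return "-s schedule" in ev.parent_command_line.lower()


def extract_script(command_line: str) -> Optional[str]:
    """Return the lower-cased .vbs path from a command line, or None if there is none."""
    m = VBS_RE.search(command_line)
    if not m:
        return None
    return (m.group(1) or m.group(2)).lower()


def assess(ev: ProcessEvent) -> Optional[dict]:
    """Return a finding for a scheduler-launched VBScript host, else None."""
    if basename(ev.image) not in SCRIPT_HOSTS or not launched_by_scheduler(ev):
        return None
    script = extract_script(ev.command_line)
    if script is None:
        return None
    untrusted = not script.startswith(TRUSTED_DIRS)
    return {
        "script": script,
        "severity": "high" if untrusted else "low",
        "reason": "scheduled task runs VBScript"
                  + (" from a non-system directory" if untrusted else ""),
    }


def scan(events):
    """Run assess() over a sequence of events and keep only the findings."""
    return [f for f in map(assess, events) if f is not None]


# Constructed sample telemetry (not real Nobelium data).
SAMPLE_EVENTS = [
    # Built-in Windows maintenance script started by the Schedule service: benign, low.
    ProcessEvent(r"C:\Windows\System32\cscript.exe",
                 r"cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dli",
                 r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"),
    # Windows-looking task name, but the script sits under ProgramData: high.
    ProcessEvent(r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe "C:\ProgramData\Microsoft\Windows\SystemCheck\update.vbs"',
                 r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"),
    # A user double-clicking a script: not scheduler-launched, ignored here.
    ProcessEvent(r"C:\Windows\System32\wscript.exe",
                 r"wscript.exe C:\Users\alice\Desktop\test.vbs",
                 r"C:\Windows\explorer.exe",
                 r"C:\Windows\explorer.exe"),
    # Scheduler-launched, but not a script host: ignored here.
    ProcessEvent(r"C:\Windows\System32\notepad.exe",
                 r"notepad.exe",
                 r"C:\Windows\System32\taskeng.exe",
                 r"taskeng.exe {00000000-0000-0000-0000-000000000000}"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["script"], "-", finding["reason"])
```

The "low" finding for the built-in `slmgr.vbs` run shows why the path check matters: script hosts launched by the scheduler are not rare on a healthy host, so the alert worth paging on is the one whose script file sits somewhere a Windows component would not ship it. In production the directory list would be replaced by an allowlist of known scheduled-task scripts observed in the environment.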
Microsoft and FireEye point out that the above-mentioned custom malware strains were used between June and September 2020 in targeted attacks against multiple vendors. The malware was deployed in the later stages of the intrusion, after initial access had been gained via dumped credentials and lateral movement with the TearDrop malware. Notably, the strains were customized to fit specific networks, being tailored to unique post-compromise tasks. According to Microsoft, the new malware has enhanced capabilities and uses unusual attack patterns, which demonstrates the growing sophistication of the Nobelium hackers.
After an in-depth investigation into the SolarWinds supply-chain attack, Microsoft began tracking a new threat actor dubbed Nobelium APT. The collective is believed to be a nation-state actor highly skilled in evading detection and obfuscating the code of its malicious tools. Although the attackers' origin is currently unconfirmed, Microsoft security analysts believe the group is Russia-affiliated.
Despite being a new player in the cybersecurity arena, Nobelium has already gained a solid reputation as a sophisticated actor capable of producing custom malware and launching unprecedented cyber-espionage operations. The global community turned its attention to the new threat after the hackers successfully compromised over 18,000 organizations via Trojanized SolarWinds Orion updates. The list of victims includes 452+ vendors from the Fortune 500 list, nine US federal agencies, and world-leading security companies. The group's activity has been analyzed by several security vendors: FireEye tracks it as UNC2452, Volexity tracks the collective as DarkHalo, and Microsoft calls it Nobelium APT.
Since its emergence at the end of 2019, Nobelium hackers have produced and used multiple custom malware strains during their intrusions. Security experts had previously identified four different samples, namely Sunburst, Sunspot, Raindrop, and Teardrop. The recently discovered strains bring this count to seven, adding GoldMax, GoldFinder, and Sibot to the list.
Detecting Nobelium APT Attacks
To detect possible Nobelium APT malicious activity and proactively defend against the GoldMax, GoldFinder, and Sibot malware, our keen Threat Bounty developers have released community Sigma rules, already available in Threat Detection Marketplace.
The rules have translations to the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, LogPoint, Humio, RSA NetWitness, FireEye Helix
Tactics: Execution, Defense Evasion
Techniques: Signed Binary Proxy Execution (T1218)
To find more detection content covering Nobelium APT attacks, we recommend checking our previous blog articles devoted to the FireEye breach, the Sunburst and Raindrop analysis, the Golden SAML attack, and the Dark Halo overview.
Get a free subscription to Threat Detection Marketplace, a world-leading Detection as Code platform for SOC content that provides access and support to 100,000+ detection and response algorithms for 23+ market-leading SIEM, EDR, and NTDR technologies. Want to craft your own detections and share them with the global community of cyber defenders? Join our Threat Bounty Program!