Microsoft and FireEye Reveal New Malware Samples Tied to SolarWinds Attackers

A recent analysis conducted by Microsoft Threat Intelligence Center and Microsoft 365 Defender Research Team reveals three more malicious samples applied by notorious Nobelium APT during the devastating SolarWinds supply-chain attack. According to the report, the newly discovered second-stage malware was used by adversaries to evade detection, gain persistence, and load additional payloads to the compromised network. 

GoldMax, GoldFinder, and Sibot Backdoors

Microsoft research details three new strains dubbed GoldMax, GoldFinder, and Sibot. Simultaneous inquiry by FireEye also points to the new malicious sample called Sunshuttle

According to the security experts, GoldMax (Sunshuttle) is a sophisticated and nefarious later-stage command-and-control (C&C) backdoor used for cyber-espionage purposes. It applies complex evasion techniques to mix up C&C traffic and disguise it as that coming from legitimate websites such as Google, Yahoo, or Facebook. The APT-controlled server used by malware was registered anonymously via NameSilo. This domain provider is frequently used by Russian and Iranian nation-backed APT actors.

The second recently identified threat, GoldFinder, acts as a custom HTTP tracer tool. It can locate proxy servers and network security tools involved in C&C communications between the compromised host and the server. 

The last malware sample, called Sibot, is a VBScript threat that serves for achieving persistence and loading additional malware from a remote attackers’ server. To stay under the radar, a malicious VBScript file impersonates legitimate Windows tasks and runs as a scheduled task.

Microsoft and FireEye point out that the above-mentioned custom malware strains were used between June-September 2020 in the targeted attacks against multiple vendors. The malicious software was leveraged on the latest stages of intrusion, just after gaining initial access via dumped credentials and lateral movement with TearDrop malware. Notably, malicious strains were customized to fit specific networks, being tailored to unique post-compromise tasks. According to Microsoft, the new malware possesses enhanced capabilities and uses unusual attack patterns, which demonstrates the growing sophistication of the Nobelium hackers.

Nobelium APT

After an in-depth investigation into the SolarWinds supply-chain attack, Microsoft started to talk about a new threat actor dubbed Nobelium APT. The new hacker collective is believed to be a nation-state actor highly skilled in evading detection and obfuscating the code of its malicious tools. Although the origin of attackers is currently unknown, Microsoft security analysts believe the group is Russia-affiliated. 

Despite being a novel player in the cybersecurity arena, Nobelium has already gained a solid reputation as a sophisticated actor able of producing custom malware and launching unprecedented cyber-espionage operations. The global community turned their attention to the new threat after hackers successfully compromised over 18,000 organizations via Trojanized SolarWinds Orion updates. The list of victims includes 452+ vendors from Fortune 500 list, nine US federal agencies, and world-leading security companies. Particularly, the activity of the group was analyzed by different security vendors, including FireEye tracking it as UNC2452, Violexity tracking the collective as DarkHalo, and Microsoft calling it Nobelium APT. 

Since its emergence at the end of 2019, Nobelium hackers produced and utilized multiple custom malicious strains during their intrusions. Security experts have previously identified four different samples, including Sunburst, Sunspot, Raindrop, and Teardrop. And recently discovered strains promote this count to seven, with GoldMax, GoldFinder, and Sibot on the list.

Detecting Nobelium APT Attacks

To detect possible Nobelium APT malicious activity and proactively defend against GoldMax, GoldFinder, and Sibot malware, our keen Threat Bounty developers released community Sigma rules already available in Threat Detection Marketplace.

NOBELIUM (GoldMax, GoldFinder, and Sibot) used by the SolarWinds attackers (Found by Microsoft)

Rundll32.exe .sys Image Loads By Reference

The rules have translations to the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, LogPoint, Humio, RSA NetWitness, FireEye Helix


Tactics: Execution, Defense Evasion

Techniques: Signed Binary Proxy Execution (T1218)

To find more detection content covering Nobelium APT attacks, we recommend you to check our previous blog articles devoted to the FireEye breach, Sunburst and Raindrop analysis, Golden SAML attack, and Dark Halo overview.

Get a free subscription to Threat Detection Marketplace, a world-leading Detection as Code platform for SOC content that provides access and support to 100,000+ detection and response algorithms for 23+ market-leading SIEM, EDR, and NTDR technologies. Want to craft your own detections and share them with the global community of cyber defenders? Join our Threat Bounty Program!

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts