New Malware Used By SolarWinds Attackers Went Undetected For Years

 

The threat actor behind the supply chain compromise of SolarWinds has continued to expand its malware arsenal with new tools and techniques that were deployed in attacks as early as 2019, once indicative of the elusive nature of the campaigns and the adversary's ability to maintain persistent access for years.

According to cybersecurity firm CrowdStrike, which detailed the novel tactics adopted by the Nobelium hacking group last week, two sophisticated malware families were placed on victim systems — a Linux variant of GoldMax and a new implant dubbed TrailBlazer — long before the scale of the attacks came to light.

Nobelium, the Microsoft-assigned moniker for the SolarWinds intrusion in December 2020, is also tracked by the wider cybersecurity community under the names UNC2452 (FireEye), SolarStorm (Unit 42), StellarParticle (CrowdStrike), Dark Halo (Volexity), and Iron Ritual (Secureworks).

The malicious activities have since been attributed to a Russian state-sponsored actor called APT29 (also known as The Dukes and Cozy Bear), a cyber espionage operation associated with the country's Foreign Intelligence Service that's known to be active since at least 2008.

GoldMax (aka SUNSHUTTLE), which was discovered by Microsoft and FireEye (now Mandiant) in March 2021, is a Golang-based malware that acts as a command-and-control backdoor, establishing a secure connection with a remote server to execute arbitrary commands on the compromised machine.

Mandiant also pointed out that Dark Halo actors had used the malware in attacks going back to at least August 2020, or four months before SolarWinds discovered its Orion updates had been tampered with malware designed to drop post-compromise implants against thousands of its customers.

In September 2021, Kaspersky revealed details of a second variant of the GoldMax backdoor called Tomiris that was deployed against several government organizations in an unnamed CIS member state in December 2020 and January 2021.

The latest iteration is a previously undocumented but functionally identical Linux implementation of the second-stage malware that was installed in victim environments in mid-2019, predating all other identified samples built for the Windows platform to date.

Also delivered around the same timeframe was TrailBlazer, a modular backdoor that offers attackers a path to cyber espionage, while sharing commonalities with GoldMax in the way it masquerades its command-and-control (C2) traffic as legitimate Google Notifications HTTP requests.

Other uncommon channels used by the actor to facilitate the attacks include —

• Credential hopping for obscuring lateral movement
• Office 365 (O365) Service Principal and Application hijacking, impersonation, and manipulation, and
• Theft of browser cookies for bypassing multi-factor authentication

Additionally, the operators carried out multiple instances of domain credential theft months apart, each time leveraging a different technique, one among them being the use of Mimikatz password stealer in-memory, from an already compromised host to ensure access for extended periods of time.

"The StellarParticle campaign, associated with the Cozy Bear adversary group, demonstrates this threat actor's extensive knowledge of Windows and Linux operating systems, Microsoft Azure, O365, and Active Directory, and their patience and covert skill set to stay undetected for months — and in some cases, years," the researchers said.

More info

1. Hacking Tools For Mac
2. Pentest Tools Find Subdomains
3. Hacker Tools Linux
4. Pentest Tools Nmap
5. Best Hacking Tools 2020
6. Pentest Tools Alternative
7. Ethical Hacker Tools
8. Hacker Tools For Windows
9. Best Pentesting Tools 2018
10. Pentest Tools
11. Hacker Techniques Tools And Incident Handling
12. Hacker Tools For Ios
13. Pentest Tools Find Subdomains
14. Kik Hack Tools
15. What Is Hacking Tools
16. Hacking Tools For Games
17. Hacking Tools Software
18. Hacking Tools Kit
19. Hack Tools For Games
20. Pentest Tools Kali Linux
21. Nsa Hack Tools Download
22. Hacking Tools Hardware
23. Hacker Tools For Mac
24. Hacker Hardware Tools
25. Hack Tools For Windows
26. Pentest Tools Alternative
27. Hacker Hardware Tools
28. Hacker
29. Pentest Tools Port Scanner
30. Hacking Tools Hardware
31. Pentest Tools Tcp Port Scanner
32. Beginner Hacker Tools
33. Hacking Tools Windows 10
34. Hacking Apps
35. Hacker Tools Apk Download
36. Nsa Hack Tools
37. Hack Tools For Pc
38. Hacker Tools Linux
39. Hack Rom Tools
40. Hacking Tools Pc
41. Pentest Tools Website
42. Hacking Tools For Beginners
43. Beginner Hacker Tools
44. Hacking Tools Free Download
45. Hackers Toolbox
46. Pentest Tools For Android
47. Hacker Tools For Mac
48. Hack Tools For Mac
49. Pentest Tools Tcp Port Scanner
50. Pentest Tools For Windows
51. Hacking Tools Free Download
52. Hacker Tools Free Download
53. Computer Hacker
54. Hack Tool Apk No Root
55. What Is Hacking Tools
56. Tools For Hacker
57. Blackhat Hacker Tools
58. Android Hack Tools Github
59. Hackrf Tools
60. Hack Tools For Windows
61. Hacking Tools For Windows 7
62. Hack Tools For Windows
63. Hacker Tools Apk Download
64. Hack App
65. Nsa Hacker Tools
66. Pentest Tools Website
67. Hak5 Tools
68. Hacker Tools
69. Pentest Automation Tools
70. Hacker Tools Software
71. Hacker Tools
72. Hacking Tools 2019
73. Hack App
74. Hacker Tools Free
75. Pentest Tools
76. Hacking Tools For Beginners
77. Pentest Tools For Windows
78. World No 1 Hacker Software
79. Hacker Tools Software
80. Install Pentest Tools Ubuntu
81. Pentest Tools Free
82. Pentest Tools List
83. Hacking Tools For Windows 7
84. Pentest Tools Nmap
85. Pentest Tools For Windows
86. Black Hat Hacker Tools
87. Hacking Tools 2020
88. Hacking Tools For Games
89. Hacking Tools Download
90. Easy Hack Tools
91. Pentest Tools Tcp Port Scanner
92. Hacking Tools Windows 10
93. Hack Tools For Mac
94. Hacking Tools For Kali Linux
95. Hacker Tools For Mac
96. Bluetooth Hacking Tools Kali
97. Hack Website Online Tool
98. Nsa Hacker Tools
99. Pentest Automation Tools
100. Pentest Tools Website
101. Hack App
102. Hacker Tools Apk Download
103. Hack Website Online Tool
104. Nsa Hack Tools Download
105. Blackhat Hacker Tools
106. Hacking Tools Download
107. Hacking Tools Kit
108. Hack Rom Tools
109. Hacking Tools
110. Hak5 Tools
111. Pentest Tools
112. Nsa Hacker Tools
113. Hacking Tools Software
114. Hacker
115. Hack Tools
116. Hacking Tools Windows
117. Hak5 Tools
118. Hak5 Tools
119. Pentest Tools Nmap
120. Physical Pentest Tools
121. Pentest Box Tools Download
122. Ethical Hacker Tools
123. Pentest Tools Port Scanner
124. Github Hacking Tools
125. Hacking Tools Free Download
126. Best Pentesting Tools 2018
127. Wifi Hacker Tools For Windows
128. Hacker Tools Software
129. Easy Hack Tools
130. Pentest Box Tools Download
131. Pentest Tools Windows
132. Hacking Tools Github
133. Hacking App
134. Nsa Hack Tools
135. Pentest Tools Website Vulnerability
136. Hacking Tools Download
137. Hack Rom Tools
138. Hack Tool Apk No Root
139. Hacking Tools Github
140. Hack App
141. Pentest Tools Tcp Port Scanner
142. How To Make Hacking Tools
143. Hack Tool Apk
144. Hacking Tools Name