New Malware Used By SolarWinds Attackers Went Undetected For Years

 

The threat actor behind the supply chain compromise of SolarWinds has continued to expand its malware arsenal with new tools and techniques that were deployed in attacks as early as 2019, once indicative of the elusive nature of the campaigns and the adversary's ability to maintain persistent access for years.

According to cybersecurity firm CrowdStrike, which detailed the novel tactics adopted by the Nobelium hacking group last week, two sophisticated malware families were placed on victim systems — a Linux variant of GoldMax and a new implant dubbed TrailBlazer — long before the scale of the attacks came to light.

Nobelium, the Microsoft-assigned moniker for the SolarWinds intrusion in December 2020, is also tracked by the wider cybersecurity community under the names UNC2452 (FireEye), SolarStorm (Unit 42), StellarParticle (CrowdStrike), Dark Halo (Volexity), and Iron Ritual (Secureworks).

The malicious activities have since been attributed to a Russian state-sponsored actor called APT29 (also known as The Dukes and Cozy Bear), a cyber espionage operation associated with the country's Foreign Intelligence Service that's known to be active since at least 2008.

GoldMax (aka SUNSHUTTLE), which was discovered by Microsoft and FireEye (now Mandiant) in March 2021, is a Golang-based malware that acts as a command-and-control backdoor, establishing a secure connection with a remote server to execute arbitrary commands on the compromised machine.

Mandiant also pointed out that Dark Halo actors had used the malware in attacks going back to at least August 2020, or four months before SolarWinds discovered its Orion updates had been tampered with malware designed to drop post-compromise implants against thousands of its customers.

In September 2021, Kaspersky revealed details of a second variant of the GoldMax backdoor called Tomiris that was deployed against several government organizations in an unnamed CIS member state in December 2020 and January 2021.

The latest iteration is a previously undocumented but functionally identical Linux implementation of the second-stage malware that was installed in victim environments in mid-2019, predating all other identified samples built for the Windows platform to date.

Also delivered around the same timeframe was TrailBlazer, a modular backdoor that offers attackers a path to cyber espionage, while sharing commonalities with GoldMax in the way it masquerades its command-and-control (C2) traffic as legitimate Google Notifications HTTP requests.

Other uncommon channels used by the actor to facilitate the attacks include —

• Credential hopping for obscuring lateral movement
• Office 365 (O365) Service Principal and Application hijacking, impersonation, and manipulation, and
• Theft of browser cookies for bypassing multi-factor authentication

Additionally, the operators carried out multiple instances of domain credential theft months apart, each time leveraging a different technique, one among them being the use of Mimikatz password stealer in-memory, from an already compromised host to ensure access for extended periods of time.

"The StellarParticle campaign, associated with the Cozy Bear adversary group, demonstrates this threat actor's extensive knowledge of Windows and Linux operating systems, Microsoft Azure, O365, and Active Directory, and their patience and covert skill set to stay undetected for months — and in some cases, years," the researchers said.

More info

1. Pentest Tools Open Source
2. Black Hat Hacker Tools
3. Hack Tools For Mac
4. Hackers Toolbox
5. Hacking Tools Usb
6. Hacker Tool Kit
7. Hacking Tools And Software
8. Pentest Tools Online
9. Hacking Tools Name
10. Pentest Tools Windows
11. Pentest Recon Tools
12. Hack And Tools
13. Hacker Tools For Ios
14. Hack Tools 2019
15. Hacking Tools
16. Install Pentest Tools Ubuntu
17. Hacker Tools For Mac
18. Pentest Tools Review
19. New Hack Tools
20. Hacker Tools
21. Easy Hack Tools
22. Pentest Tools Open Source
23. Pentest Tools For Windows
24. Usb Pentest Tools
25. Hacking Tools For Windows Free Download
26. Free Pentest Tools For Windows
27. Usb Pentest Tools
28. Hack Tool Apk No Root
29. Hacking Tools Pc
30. Pentest Tools Bluekeep
31. Pentest Tools Apk
32. Hacker Tools Software
33. Best Hacking Tools 2019
34. Tools Used For Hacking
35. Pentest Tools Framework
36. How To Hack
37. Termux Hacking Tools 2019
38. Hacker
39. Pentest Tools Apk
40. Hacker Tools 2020
41. Hacker Tools
42. Pentest Tools Website
43. New Hacker Tools
44. Wifi Hacker Tools For Windows
45. New Hack Tools
46. Hacker Tools Apk
47. Pentest Tools Kali Linux
48. Easy Hack Tools
49. Ethical Hacker Tools
50. Hacker Tools For Windows
51. Pentest Recon Tools
52. Hack Tools
53. Hacking Tools Free Download
54. Pentest Tools Website
55. Pentest Tools For Mac
56. Hack Tools For Pc
57. Pentest Tools Nmap
58. Wifi Hacker Tools For Windows
59. Pentest Tools Github
60. Pentest Tools Framework
61. Hack And Tools
62. Hacker Tools
63. New Hacker Tools
64. Hack Website Online Tool
65. Pentest Tools Linux
66. Pentest Tools Kali Linux
67. Hacking Tools Download
68. Hack Tools 2019
69. Pentest Tools Review
70. Pentest Tools Linux
71. Hacking Tools Windows 10
72. Hacking Tools 2019
73. Best Pentesting Tools 2018
74. Termux Hacking Tools 2019
75. Hacking Tools Software
76. Hacker Tools Github
77. Pentest Tools Nmap
78. How To Install Pentest Tools In Ubuntu
79. Free Pentest Tools For Windows
80. Hacking Tools Windows
81. Hack Tools For Pc
82. Pentest Tools Online
83. Hacking Tools And Software
84. Hack Tools For Ubuntu
85. Hacker Tools For Windows
86. Black Hat Hacker Tools
87. Hack Website Online Tool
88. Black Hat Hacker Tools
89. Hacker Tools Apk
90. Pentest Reporting Tools
91. Hack Rom Tools
92. Hack Rom Tools
93. Hacker Tools Apk
94. New Hacker Tools
95. Hack App
96. Android Hack Tools Github
97. Hacker Tools 2019
98. Hacker Tools Apk
99. Termux Hacking Tools 2019
100. Easy Hack Tools
101. Hacker Tools Free
102. Pentest Box Tools Download
103. Pentest Tools Review
104. Game Hacking
105. Black Hat Hacker Tools
106. Android Hack Tools Github
107. Hacking Tools For Windows Free Download
108. Hacker Tool Kit
109. Game Hacking
110. Usb Pentest Tools
111. Hacker Search Tools
112. Hacking Tools Name
113. Hacker Tools Windows
114. Hack And Tools
115. Hacking Tools Pc
116. Pentest Tools Find Subdomains
117. Pentest Tools Subdomain
118. Underground Hacker Sites
119. Ethical Hacker Tools
120. Wifi Hacker Tools For Windows
121. How To Make Hacking Tools
122. Hackrf Tools
123. Beginner Hacker Tools
124. Pentest Tools Alternative
125. Tools For Hacker
126. Pentest Tools Website Vulnerability
127. Hack Tools 2019
128. Hacking Tools Github
129. Hacker Tools Mac
130. What Are Hacking Tools
131. How To Make Hacking Tools
132. Github Hacking Tools
133. Best Hacking Tools 2020
134. Black Hat Hacker Tools
135. Hacker Tools Free
136. Black Hat Hacker Tools
137. Pentest Tools For Mac
138. Hacking Tools Github
139. Hacking Tools Usb
140. Pentest Reporting Tools
141. Hacker Tools Free
142. Hack Rom Tools
143. Beginner Hacker Tools
144. Bluetooth Hacking Tools Kali
145. Pentest Tools Apk
146. Github Hacking Tools
147. Growth Hacker Tools
148. Easy Hack Tools
149. Hackers Toolbox
150. Pentest Tools Kali Linux
151. Pentest Reporting Tools
152. Kik Hack Tools
153. New Hacker Tools
154. Pentest Reporting Tools
155. Hacker Tools Software
156. Hacker Tools Free Download
157. Pentest Automation Tools
158. Hack Tool Apk
159. Hacking Tools
160. Pentest Tools List
161. Growth Hacker Tools
162. Pentest Tools Find Subdomains
163. Pentest Tools Free
164. Hacking Tools Name
165. Hacking Tools For Beginners
166. Hackrf Tools
167. Hacker
168. Pentest Tools Open Source
169. Hacking Tools Name
170. Hack Rom Tools
171. Hacking Tools For Beginners
172. Pentest Tools Github
173. Hack Apps
174. Hack Tools