SolarWinds Update: Three New Malware Families Discovered

NJCCIC Alert

Original Release Date: 3/11/2021

Summary

Researchers from both Microsoft and FireEye have identified three new malware families associated with the SolarWinds supply chain attack. These variants are suspected to have been secondary payloads deployed on already-compromised systems. They are attributed to the threat actor originally tracked as UNC2452 (FireEye) and Solarigate, now identified as NOBELIUM (Microsoft). SUNSHUTTLE (FireEye), identified as GoldMax by Microsoft, is a second-stage backdoor that works in tandem with other Sunburst-related tools. Researchers noted that this malware passes values to its command and control (C2) server in HTTP cookie headers, blending in with legitimate web traffic to evade detection. Sibot is used to achieve persistence and then download and execute a further payload received from a remote C2 server. GoldFinger is assessed to be a custom-built HTTP tracer tool used to count the hops or redirects a packet takes to reach the C2 server, likely so the actor can tell whether its traffic is being inspected or intercepted by the victim's security devices. Further analysis revealed these malware families may have been present on compromised systems as early as June 2020.

Recommendations

The NJCCIC recommends administrators review the Microsoft Security blog post and the FireEye Threat Research blog post for technical details, and analyze logs for the associated indicators of compromise. Additionally, we encourage affected organizations to review CISA's Guidance on Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise. Further reporting can be found in the ThreatPost article.

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov

OUR COMMITMENT

The NJCCIC is a component organization within the New Jersey Office of Homeland Security and Preparedness. We are the State's one-stop-shop for cyber threat analysis, incident reporting, and information sharing and are committed to making New Jersey more resilient to cyber threats by spreading awareness and promoting the adoption of best practices.
