New Malware Used By SolarWinds Attackers Went Undetected For Years

 

The threat actor behind the supply chain compromise of SolarWinds has continued to expand its malware arsenal with new tools and techniques that were deployed in attacks as early as 2019, once indicative of the elusive nature of the campaigns and the adversary's ability to maintain persistent access for years.

According to cybersecurity firm CrowdStrike, which detailed the novel tactics adopted by the Nobelium hacking group last week, two sophisticated malware families were placed on victim systems — a Linux variant of GoldMax and a new implant dubbed TrailBlazer — long before the scale of the attacks came to light.

Nobelium, the Microsoft-assigned moniker for the SolarWinds intrusion in December 2020, is also tracked by the wider cybersecurity community under the names UNC2452 (FireEye), SolarStorm (Unit 42), StellarParticle (CrowdStrike), Dark Halo (Volexity), and Iron Ritual (Secureworks).

The malicious activities have since been attributed to a Russian state-sponsored actor called APT29 (also known as The Dukes and Cozy Bear), a cyber espionage operation associated with the country's Foreign Intelligence Service that's known to be active since at least 2008.

GoldMax (aka SUNSHUTTLE), which was discovered by Microsoft and FireEye (now Mandiant) in March 2021, is a Golang-based malware that acts as a command-and-control backdoor, establishing a secure connection with a remote server to execute arbitrary commands on the compromised machine.

Mandiant also pointed out that Dark Halo actors had used the malware in attacks going back to at least August 2020, or four months before SolarWinds discovered its Orion updates had been tampered with malware designed to drop post-compromise implants against thousands of its customers.

In September 2021, Kaspersky revealed details of a second variant of the GoldMax backdoor called Tomiris that was deployed against several government organizations in an unnamed CIS member state in December 2020 and January 2021.

The latest iteration is a previously undocumented but functionally identical Linux implementation of the second-stage malware that was installed in victim environments in mid-2019, predating all other identified samples built for the Windows platform to date.

Also delivered around the same timeframe was TrailBlazer, a modular backdoor that offers attackers a path to cyber espionage, while sharing commonalities with GoldMax in the way it masquerades its command-and-control (C2) traffic as legitimate Google Notifications HTTP requests.

Other uncommon channels used by the actor to facilitate the attacks include —

• Credential hopping for obscuring lateral movement
• Office 365 (O365) Service Principal and Application hijacking, impersonation, and manipulation, and
• Theft of browser cookies for bypassing multi-factor authentication

Additionally, the operators carried out multiple instances of domain credential theft months apart, each time leveraging a different technique, one among them being the use of Mimikatz password stealer in-memory, from an already compromised host to ensure access for extended periods of time.

"The StellarParticle campaign, associated with the Cozy Bear adversary group, demonstrates this threat actor's extensive knowledge of Windows and Linux operating systems, Microsoft Azure, O365, and Active Directory, and their patience and covert skill set to stay undetected for months — and in some cases, years," the researchers said.

Related news

1. Physical Pentest Tools
2. Hacking Tools For Windows
3. Pentest Automation Tools
4. Tools 4 Hack
5. Hack App
6. Hacker Tools For Ios
7. Pentest Tools Linux
8. Hacking Tools Mac
9. Hacker Security Tools
10. Computer Hacker
11. Hacker Techniques Tools And Incident Handling
12. Hacker Tools Software
13. What Is Hacking Tools
14. Hacker Tools Github
15. Hacking Tools Software
16. Hack Website Online Tool
17. Best Hacking Tools 2019
18. Hacker Tools Software
19. Github Hacking Tools
20. Hacker Tool Kit
21. How To Hack
22. Hackrf Tools
23. Pentest Tools Android
24. How To Hack
25. Hack Tools Github
26. Computer Hacker
27. Pentest Automation Tools
28. Hack Tools For Ubuntu
29. Hacker Tools For Windows
30. Nsa Hack Tools
31. Pentest Tools Alternative
32. Best Pentesting Tools 2018
33. Hacking Tools Windows 10
34. Hack Tools
35. Pentest Tools Subdomain
36. Pentest Tools Url Fuzzer
37. Pentest Tools Android
38. Easy Hack Tools
39. Hacking Tools Pc
40. Hacker Tool Kit
41. Hacking Tools For Beginners
42. Hacker Tools Hardware
43. Hacker Search Tools
44. Best Hacking Tools 2020
45. Hacker Tools Hardware
46. Nsa Hacker Tools
47. Hacking Tools Pc
48. Usb Pentest Tools
49. Pentest Tools Apk
50. Hacker Tools Github
51. Computer Hacker
52. Hacker
53. Android Hack Tools Github
54. Hacking Tools Windows
55. Hacker Tools Free
56. New Hacker Tools
57. Hacker Tools For Mac
58. Pentest Tools Github
59. Pentest Tools Alternative
60. Hacker Tools For Pc
61. Hacking Tools Windows 10
62. Wifi Hacker Tools For Windows
63. Hack Tools 2019
64. Hacker Tools Free Download
65. Hack Tools
66. Pentest Box Tools Download
67. Hack Website Online Tool
68. Pentest Box Tools Download
69. Hack Tools For Mac
70. Hacking Tools For Kali Linux
71. Pentest Tools Android
72. Hacking Tools For Kali Linux
73. Pentest Tools Nmap
74. Hacking Tools Windows 10
75. Hack Tools For Windows
76. Pentest Tools Free
77. Hacking Tools For Pc
78. Hack And Tools
79. Blackhat Hacker Tools
80. Physical Pentest Tools
81. Hacker Tools For Pc
82. New Hacker Tools
83. Hacker Tools 2020
84. Hacking Tools Name
85. Ethical Hacker Tools
86. Hacking Tools 2019
87. Pentest Tools Website
88. Hack Tools
89. Nsa Hacker Tools
90. Hack Website Online Tool
91. Hack Tools Online
92. Pentest Tools Open Source
93. Hack Apps
94. Pentest Reporting Tools
95. Pentest Reporting Tools
96. Hack Tools Online
97. What Is Hacking Tools
98. Pentest Tools Website
99. Hacker Tools Free
100. Hacking Tools Windows 10
101. Hack Tools Online
102. Hack App
103. How To Install Pentest Tools In Ubuntu
104. Hacker Security Tools
105. Pentest Tools Alternative
106. Pentest Tools Alternative
107. Hack Tools For Games
108. Pentest Tools Online
109. Wifi Hacker Tools For Windows
110. Pentest Tools For Windows
111. Hacking Tools For Beginners
112. Pentest Tools Review
113. Hacker Tools
114. Hacker Tools For Ios
115. Hack Apps
116. Physical Pentest Tools
117. Easy Hack Tools
118. Hacking Tools Github
119. Pentest Tools Find Subdomains
120. Hacking Tools And Software
121. Hack Tools Pc
122. Hack Tools Github
123. Pentest Tools Bluekeep
124. Hacker Tools Hardware
125. Hacking Tools Mac
126. Hacker Tools For Ios
127. Pentest Tools Review
128. Hack Tools Download
129. Hack And Tools
130. Hacking Tools For Windows
131. Hack Tools For Pc
132. Hacker Techniques Tools And Incident Handling
133. Hacking Tools For Kali Linux
134. Hacking Tools For Beginners
135. Nsa Hack Tools
136. Blackhat Hacker Tools
137. Pentest Recon Tools
138. Pentest Box Tools Download
139. Growth Hacker Tools
140. Hack Apps
141. Hacking Tools Online
142. Pentest Tools Find Subdomains
143. Hacking Tools 2019
144. Termux Hacking Tools 2019
145. Tools For Hacker
146. Hackers Toolbox
147. New Hacker Tools
148. Hacker Tools 2019
149. Hack Tools For Ubuntu
150. Hacker Tools For Pc
151. Hack Tools
152. Hacking Apps
153. Black Hat Hacker Tools
154. Nsa Hack Tools
155. Pentest Tools Website Vulnerability
156. Hacker Tools Online
157. Hacker Tool Kit
158. Hacker Security Tools
159. Hacking Tools Mac
160. Hacker Security Tools
161. Hacking Tools Hardware
162. Hack Tools For Windows
163. How To Install Pentest Tools In Ubuntu
164. Pentest Tools Review
165. Hackers Toolbox
166. Pentest Automation Tools
167. Pentest Tools Github
168. Pentest Tools Nmap
169. Tools 4 Hack
170. Hacker Tools For Ios
171. Hacking Tools
172. Hacker Tools Free Download
173. Install Pentest Tools Ubuntu
174. Best Hacking Tools 2019
175. Android Hack Tools Github
176. Nsa Hack Tools
177. Hack Tools Mac
178. Hacking Tools Name