Microsoft and FireEye report three new malware strains associated with the malware used in the attacks on SolarWinds’ Orion software that compromised federal agencies and major companies.
The new malware is linked to the suspected Russian perpetrators behind previous attacks.
Sunshuttle, a strain detected by FireEye, was described in a blog post on Thursday. The Microsoft Threat Intelligence Center (MSTIC) detailed its findings on two new strains, GoldFinder and Sibot, in its own blog post the same day, and it labeled FireEye’s Sunshuttle strain as GoldMax. Microsoft named the actor behind the attacks against SolarWinds, and the operator of the SUNBURST backdoor and TEARDROP malware, as NOBELIUM.
Microsoft said the features of the new malware strains serve as new evidence that the hackers behind that breach are notably sophisticated. Analysis revealed these strains may have been on compromised systems since as early as June 2020.
“They are tailor-made for specific networks and are assessed to be introduced after the actor has gained access through compromised credentials or the SolarWinds binary and after moving laterally with TEARDROP and other hands-on-keyboard actions,” Microsoft wrote.
Microsoft says the newly surfaced strains of malware were used by the adversary to maintain persistence and perform actions on very specific and targeted networks after they had been compromised. The malware can even evade initial detection during incident response, Microsoft notes in the blog post.
The malware strains Microsoft observed exhibited a high degree of stealthiness.
Likewise, Sunshuttle is a sophisticated second-stage backdoor written in GoLang that demonstrates some elegant detection evasion techniques, FireEye wrote.
FireEye observed Sunshuttle in the network of one of the victims and said it had indications that the backdoor is linked to the UNC2452 campaign, but it was not able to conclusively confirm that connection.
In addition, the time frames in which the three strains were active overlap. Microsoft saw the strains active in customer networks from August to September, and FireEye said someone uploaded Sunshuttle to a public malware repository in August.