Microsoft continues its analysis and work with partners and customers to gather more information about the threat actor behind Solarwinds supply chain act that compromised SolarWinds and impacted multiple other organizations.
More than 18000 customers, including US government agencies, were believed to be affected by this massive attack. As a result, Microsoft has identified three new pieces of malware being used in late-stage activity by NOBELIUM – the actor behind the SolarWinds attacks, SUNBURST, and TEARDROP, which are:
This GoldMax malware was identified to be sticking on networks as a scheduled task impersonating systems management software.
The scheduled task was named after the software that existed in the environment. It pointed to a subfolder in ProgramData named after that software, with a similar executable name. The executable, however, was the GoldMax implant.
The malware writes an encrypted configuration file to disk, while the configuration data is encrypted using the AES-256 encryption algorithm, CFB encryption mode, and the following cipher key: “4naehrkz5alao2jd035zjh3j1v1dvyyc” (key varies in different versions of GoldMax).
The AES encrypted configuration data is Base64-encoded using the custom Base64 alphabet “ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_” before it is stored in the configuration file on the file system.
When run, GoldMax decodes (Base64) and decrypts (AES-256) the configuration data to reveal a custom data structure comprised of the following dynamically generated and hardcoded values (delimited by ‘|’)
Sibot is a two-way purpose malware implemented in VBScript. It is designed to achieve persistence on the infected machine. It downloads and executes a payload from a remote C2 server.
The VBScript file is given a name that impersonates legitimate Windows tasks and is stored either in the registry of the compromised system or in an obfuscated format on disk. The VBScript is then run via a scheduled task.
There are three variants of Sibot:
GoldFinder is a custom HTTP tracer tool which logs the route or hops that a packet takes to reach a hardcoded C2 server.
When launched, the malware sends an HTTP request for a hardcoded IP address and logs the HTTP response to a plaintext log file.
GoldFinder uses the following hardcoded labels to store the request and response information in the log file:
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity, and hacking news updates.
Also Read
SolarWinds Hack – Multiple Similarities Found Between Sunburst Backdoor and Turla’s Backdoor
DOJ Says SolarWinds Hackers Accessed 3% of it’s Office 365 Mailboxes
New Malware Discovered in SolarWinds Attack that Used 7-Zip Code to Hide
Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including two zero-day exploits showcased at the…
Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and turning them into bots for the…
A critical vulnerability in Ray, an open-source AI framework that is widely utilized across various sectors, including education, cryptocurrency, and…
Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two Chinese Advanced Persistent Threat (APT) groups…
Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft SharePoint Server, CVE-2023-24955. This vulnerability poses…
Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included in the Edge Bounty Program. The…