GoldMax, GoldFinder, and Sibot, are the 3 new Malwares Used by SolarWinds Hackers

Microsoft continues its analysis and work with partners and customers to gather more information about the threat actor behind Solarwinds supply chain act that compromised SolarWinds and impacted multiple other organizations.

More than 18000 customers, including US government agencies, were believed to be affected by this massive attack. As a result, Microsoft has identified three new pieces of malware being used in late-stage activity by NOBELIUM – the actor behind the SolarWinds attacks, SUNBURST, and TEARDROP, which are:

  1. GoldMax
  2. Sibot
  3. GoldFinder

GoldMax

This GoldMax malware was identified to be sticking on networks as a scheduled task impersonating systems management software.

The scheduled task was named after the software that existed in the environment. It pointed to a subfolder in ProgramData named after that software, with a similar executable name. The executable, however, was the GoldMax implant.

The malware writes an encrypted configuration file to disk, while the configuration data is encrypted using the AES-256 encryption algorithm, CFB encryption mode, and the following cipher key: “4naehrkz5alao2jd035zjh3j1v1dvyyc” (key varies in different versions of GoldMax).

The AES encrypted configuration data is Base64-encoded using the custom Base64 alphabet “ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_” before it is stored in the configuration file on the file system.

When run, GoldMax decodes (Base64) and decrypts (AES-256) the configuration data to reveal a custom data structure comprised of the following dynamically generated and hardcoded values (delimited by ‘|’)

Sibot

Sibot is a two-way purpose malware implemented in VBScript. It is designed to achieve persistence on the infected machine. It downloads and executes a payload from a remote C2 server.

The VBScript file is given a name that impersonates legitimate Windows tasks and is stored either in the registry of the compromised system or in an obfuscated format on disk. The VBScript is then run via a scheduled task.

There are three variants of Sibot:

  • Variant A only installs the second-stage script in the default registry value under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot.
  • Variant B registers a scheduled task named Sibot and programmed to run daily. This task, C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\sibot, runs the following command-line daily:
  • Variant C is a standalone version of the second-stage script. The second-stage script from Variant A is designed to be executed from the registry, this variant is designed to run from a file.

GoldFinder

GoldFinder is a custom HTTP tracer tool which logs the route or hops that a packet takes to reach a hardcoded C2 server.

When launched, the malware sends an HTTP request for a hardcoded IP address and logs the HTTP response to a plaintext log file.

GoldFinder uses the following hardcoded labels to store the request and response information in the log file:

  • Target: The C2 URL
  • StatusCode: HTTP response/status code
  • Headers: HTTP response headers and their values
  • Data: Data from the HTTP response received from the C2

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Also Read

SolarWinds Hack – Multiple Similarities Found Between Sunburst Backdoor and Turla’s Backdoor

DOJ Says SolarWinds Hackers Accessed 3% of it’s Office 365 Mailboxes

New Malware Discovered in SolarWinds Attack that Used 7-Zip Code to Hide

Guru baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including two zero-day exploits showcased at the…

1 hour ago

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and turning them into bots for the…

1 hour ago

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across various sectors, including education, cryptocurrency, and…

20 hours ago

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two Chinese Advanced Persistent Threat (APT) groups…

21 hours ago

CISA Warns of Hackers Exploiting Microsoft SharePoint Server Vulnerability

Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft SharePoint Server, CVE-2023-24955. This vulnerability poses…

22 hours ago

Microsoft Expands Edge Bounty Program to Include WebView2!

Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included in the Edge Bounty Program. The…

22 hours ago