image
Researchers have uncovered more custom malware that is being used by the threat group behind the SolarWinds attack. Researchers with Microsoft and FireEye identified three new pieces of malware that the companies said are being used in late-stage activity by the threat actor (previously called Solarigate by Microsoft and now renamed Nobelium; and called UNC2542 by FireEye). The malware families include: A backdoor that’s called GoldMax by Microsoft and called Sunshuttle by FireEye; a dual-purpose malware called Sibot discovered by Microsoft; and a malware called GoldFinder also found by Microsoft. Adversaries were able to use SolarWinds’ Orion network management platform to infect targets by pushing out a custom backdoor called Sunburst via trojanized product updates. Sunburst was delivered to almost 18,000 organizations around the globe, starting last March. With Sunburst embedded, the attackers were then able to pick and choose which organizations to further penetrate, in a sprawling cyberespionage campaign that has hit the U.S. government, tech companies and others hard. Microsoft said that it discovered these latest custom attacker tools lurking in some networks of customer compromised by the SolarWinds attackers. It observed them to be in use from August to September – however, researchers said further analysis revealed these may have been on compromised systems as early as last June. “These tools are new pieces of malware that are unique to this actor,” said Ramin…

Source