For Years, SolarWinds Attackers Were Able to Use New Malware Without Being Detected

For Years, SolarWinds Attackers Were Able to Use New Malware Without Being Detected.

Short News:- 

A new malware called TrailBlazer and a Linux version of GoldMax were installed on victim systems before the scope of the attacks was made public. Between December 2020 and January 2021, a second version of the GoldMax backdoor was used against a number of government organizations in an unnamed CIS member state. In mid-2019, victim environments discovered a previously undocumented, but functionally identical, Linux implementation of the second-stage malware.

Detailed News:- 

Since the SolarWinds supply chain compromise in early 2019, the threat actor behind it has continued to add to its malware arsenal with new tools and techniques, a sign of the campaigns' secrecy and the adversary's ability to maintain access for years.

A new implant called TrailBlazer and a Linux variant of GoldMax were installed on victim systems long before the scope of the attacks was made public, according to cybersecurity firm CrowdStrike, which detailed the novel tactics adopted by the Nobelium hacking group last week.

It is also known as UNC2452 (FireEye), SolarStorm (Unit 42), StellarParticle (Crowdstrike), Dark Halo (Volexity), and Iron Ritual. Nobelium is Microsoft's assigned moniker for the SolarWinds intrusion in December 2020. (Secureworks).

Since at least 2008, the Russian Foreign Intelligence Service has been linked to a cyber espionage operation known as APT29 (also known as The Dukes and Cozy Bear), which has been blamed for the malicious activity.

For the first time since its discovery by Microsoft and FireEye in March 2021, a Golang-based malware known as GoldMax (also known as Sunshuttle) has been found to be an effective command-and-control backdoor.

Tomiris, a second version of the GoldMax backdoor, was deployed against several government organizations in an unnamed CIS member state between December 2020 and January 2021, according to Kaspersky in September 2021.

A previously undocumented, but functionally identical, Linux implementation of the second-stage malware was found in victim environments in mid-2019, predating all other known samples developed for the Windows platform to date.

Similarly, TrailBlazer, a modular backdoor that gives attackers a way into cyber espionage, was released around the same time as GoldMax and uses a similar ruse to disguise C2 traffic as legitimate HTTP requests for Google Notifications.

A number of other unusual methods were employed by the attacker to carry out the attacks, including

• Switching from one set of credentials to another in order to conceal lateral movement
• Hijacking, impersonation, and manipulation of Office 365 (O365) Service Principals and Applications and
• Multi-factor authentication (MFA) can be bypassed by stealing browser cookies.

Aside from stealing domain credentials, the operators used a variety of techniques, including the use of Mimikatz password stealer in-memory, from an already compromised host, to maintain access for long periods of time, months after the first theft.

Scientists say the "StellarParticle campaign, associated with the Cozy Bear adversary group, demonstrates this threat actor's extensive knowledge of Windows and Linux operating systems," as well as Microsoft's cloud services such as Azure, O365, and Active Directory.