Microsoft and FireEye have identified a new piece of malware used by the SolarWinds hackers that evaded initial detection during incident response and which appears to have been in victim systems since June 2020.
Dubbing it GoldMax/SUNSHUTTLE* FireEye described it as a "sophisticated second-stage backdoor that demonstrates straightforward but elegant detection evasion techniques via its 'blend-in' traffic capabilities."
The malware was discovered persisting on victim networks as a scheduled task impersonating systems management software; it acts as a command-and-control (C2) backdoor for the attackers. The malware reads an "embedded or local configuration file, communicates with its C2 server over HTTPS and supports commands including remotely updating its configuration, file upload and download, and arbitrary command execution".
It uses cookie headers to pass values to the C2, and if so configured, can select referrers from a list of popular website URLs (like facebook.com; google.com) to help such network traffic look benign and blend in.
Multiple 0days in Microsoft Exchange Server exploited in wild.
Microsoft said it "assesses that the newly surfaced pieces of malware were used by the actor to maintain persistence and perform actions on very specific and targeted networks post-compromise."
It was "assessed to be introduced after the actor has gained access through compromised credentials or the SolarWinds binary and after moving laterally with TEARDROP and other hands-on-keyboard actions."
GoldMax/SUNSHUTTLE uses several different techniques to obfuscate its actions and evade detection.
The malware (written in GO) writes an encrypted configuration file to disk, where the file name and AES-256 cipher keys are unique per implant and based on environmental variables and information about the network where it is running, the two said in separate posts today. For those with Azure Sentinel or access to the 365 security center, Microsoft has advanced hunting queries here, including examples of how the attackers used decoy traffic to blend in with normal network traffic as it made C2 queries. FireEye's detailed write-up is here. Your other security providers will no doubt be rapidly following suit with threat detection capabilities.
