Sunshuttle/Sibot/GoldFinder Malware: Possible Connection to SolarWinds Hackers

Introduction

On Thursday, Microsoft and FireEye disclosed three new malware families used by the threat groups behind the SolarWinds attack:

  • A backdoor that Microsoft calls GoldMax and FireEye calls Sunshuttle.
  • Malware named Sibot, discovered by Microsoft.
  • Malware named GoldFinder, also discovered by Microsoft.

GoldMax/Sunshuttle malware

GoldMax/Sunshuttle is a complex backdoor written in the Go language. It blends its C2 communication with legitimate network traffic, a simple but elegant detection-evasion technique.

After GoldMax retrieves the session key from the C2 server, it sends a beacon to fetch a command and then parses the response to determine which command to run. Commands from C2 include remotely updating its configuration, uploading and downloading files, and executing arbitrary commands.

FireEye researchers said the malware's infection vector is unclear; it may have been delivered as a second-stage backdoor after the initial compromise of the system. A US entity uploaded the backdoor to a public malware repository in August last year.

Figure: data structure of the GoldMax/Sunshuttle configuration.

Sibot malware

Microsoft researchers also discovered a malware family called Sibot. Sibot is dual-purpose malware implemented in VBScript: it establishes persistence on the infected machine and then downloads and executes a payload from a remote C2 server.

Researchers have observed three variants of this malware, all of which are obfuscated to some degree.

GoldFinder malware

Microsoft researchers also discovered a new tool called GoldFinder, written in Golang. GoldFinder is likely used as a “custom HTTP tracer tool to record the route or nodes required for data packets to reach the hard-coded C2 server.”

Once launched, GoldFinder identifies the HTTP proxy servers and other redirectors, such as network security devices, that an HTTP request passes through on its way to the target C2 server, both inside and outside the compromised network.

IOCs

185.225.69.69

srfnetwork.org
reyweb.com
onetechcompany.com
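
As an added defensive example that is not part of the original report, the script below checks web-proxy log lines against the IP and domain indicators listed above, matching subdomains of the listed domains as well as the IP appearing either as a URL host or as the upstream peer. The Squid-style log format and the log lines themselves are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Network indicators quoted in the article (IP address and domains only).
IOC_DOMAINS = {"srfnetwork.org", "reyweb.com", "onetechcompany.com"}
IOC_IPS = {ipaddress.ip_address("185.225.69.69")}

# Constructed sample lines in Squid native access-log format:
# <epoch> <elapsed_ms> <client_ip> <result/status> <bytes> <method> <url> <user> <hier/peer_ip> <type>
SAMPLE_LOG = """\
1614700001.123 210 10.0.4.21 TCP_MISS/200 5124 GET https://www.microsoft.com/en-us/ - HIER_DIRECT/20.1.2.3 text/html
1614700002.456 180 10.0.4.21 TCP_MISS/200 812 GET https://reyweb.com/ - HIER_DIRECT/185.225.69.69 text/plain
1614700003.789 95 10.0.4.37 TCP_MISS/200 640 POST http://cdn.srfnetwork.org/api/ - HIER_DIRECT/185.225.69.69 text/plain
1614700004.012 77 10.0.4.37 TCP_MISS/200 300 GET http://185.225.69.69:8080/update - HIER_DIRECT/185.225.69.69 text/plain
1614700005.345 60 10.0.4.50 TCP_MISS/200 2048 GET https://notreyweb.com/ - HIER_DIRECT/93.184.216.34 text/html
"""


def indicator_for_host(host: str):
    """Return the matching indicator for a host, or None.

    An IP literal must match exactly; a domain matches exactly or as the
    parent of a subdomain (so "notreyweb.com" does NOT match "reyweb.com").
    """
    host = host.lower().rstrip(".")
    try:
        if ipaddress.ip_address(host) in IOC_IPS:
            return host
    except ValueError:
        pass  # not an IP literal, fall through to domain matching
    for domain in IOC_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_proxy_log(text: str):
    """Return (client_ip, url, indicator) for every line that touched an IoC."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue  # malformed or truncated line
        client_ip, url, peer = fields[2], fields[6], fields[8]
        hit = indicator_for_host(urlsplit(url).hostname or "")
        if hit is None:
            hit = indicator_for_host(peer.split("/", 1)[-1])  # upstream peer IP
        if hit is not None:
            hits.append((client_ip, url, hit))
    return hits
```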
