The continuing multi-vendor investigations into the SolarWinds mega-hack took a new turn this week when fresh malware artefacts were discovered that could be leveraged in future supply chain attacks.

The current round of attacks ascribed to the APT29/Nobelium threat actor contains a bespoke downloader that is part of a “poisoned update installer” for electronic keys used by the Ukrainian government, according to a recent study from anti-malware firm SentinelOne.

Juan Andrés Guerrero-Saade, SentinelOne’s chief threat researcher, detailed the latest discovery in a blog post that builds on prior Microsoft and Volexity investigations. “The method of distribution [for the poisoned update installer] is unknown at this time. It’s probable that these update archives are being employed in a regional supply chain attack, according to Guerrero-Saade.

According to Saade, the most recent incarnation of malware related to Nobelium employs a convoluted multi-stage infection chain with five to six levels. This involves the usage of NativeZone, a booby-trapped update installer for a Ukrainian cryptographic smartkey used in government operations, which uses ‘DLL stageless’ downloaders.

The Cobalt Strike Beacon payload, according to Guerrero-study Saade’s of the campaign, serves as a “early scout” that allows for the targeted dissemination of unique payloads directly into memory. “After years of wasted iterations on proprietary toolkits, [this APT] has decided to maximise return on investment by simply minimising their initial outlay.”

“Because we don’t have visibility into its distribution channels, we won’t call it a supply chain attack. The poisoned installer might be supplied to victims who rely on this localised solution directly. “Alternatively, the attackers may have found a way to disseminate their malicious ‘update’ by leveraging an internal resource,” Guerrero-Saade stated.