SolarWinds Mega-Hack Took the Discovery of New Malware Artifacts

The continuing multi-vendor investigations into the SolarWinds mega-hack took a new turn this week when fresh malware artefacts were discovered that could be leveraged in future supply chain attacks.

The current round of attacks ascribed to the APT29/Nobelium threat actor contains a bespoke downloader that is part of a “poisoned update installer” for electronic keys used by the Ukrainian government, according to a recent study from anti-malware firm SentinelOne.

Juan Andrés Guerrero-Saade, SentinelOne’s chief threat researcher, detailed the latest discovery in a blog post that builds on prior Microsoft and Volexity investigations. “The method of distribution [for the poisoned update installer] is unknown at this time. It’s probable that these update archives are being employed in a regional supply chain attack, according to Guerrero-Saade.

According to Saade, the most recent incarnation of malware related to Nobelium employs a convoluted multi-stage infection chain with five to six levels. This involves the usage of NativeZone, a booby-trapped update installer for a Ukrainian cryptographic smartkey used in government operations, which uses ‘DLL stageless’ downloaders.

The Cobalt Strike Beacon payload, according to Guerrero-study Saade’s of the campaign, serves as a “early scout” that allows for the targeted dissemination of unique payloads directly into memory. “After years of wasted iterations on proprietary toolkits, [this APT] has decided to maximise return on investment by simply minimising their initial outlay.”

“Because we don’t have visibility into its distribution channels, we won’t call it a supply chain attack. The poisoned installer might be supplied to victims who rely on this localised solution directly. “Alternatively, the attackers may have found a way to disseminate their malicious ‘update’ by leveraging an internal resource,” Guerrero-Saade stated.

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, She was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.