Since the attack delivered through SolarWinds components became known last December, researchers have continued to analyze its aftermath, not only to establish its scope but also to understand each of its parts and so improve detection systems against future attacks.
Until now the components identified were the SUNBURST backdoor and the TEARDROP malware. On March 4th, three new pieces of the puzzle were unveiled in the form of additional malware linked to the same campaign.
The new artifacts are designed mainly for persistence and use obfuscation and encryption. The Microsoft and FireEye reports describe the findings in detail; we summarize them below. The three are called GoldMax, Sibot and GoldFinder, and two of them are written in Go.
Several articles have pointed to the rise of malware written in Go, up by as much as 2000% over the last four years according to some sources. The most notorious attack of recent months reflects the same trend, in this case through the newly identified GoldMax (which FireEye tracks as SUNSHUTTLE) and GoldFinder.
GoldMax is a backdoor written in Go that handles communication with the command and control (C2) server. It uses several obfuscation and encryption techniques; for the encryption it generates keys from characteristics of the infected machine (e.g. environment variables and network information).
A feature observed in every sample so far is a check of the local MAC addresses: if any of them is "c8:27:cc:c2:37:5a", the sample exits, because that is the MAC address of the default Microsoft Hyper-V network adapter and its presence suggests the sample is running in a virtual machine for analysis.
The C2 domains have a high reputation and high prevalence, so that they slip past controls that treat long-lived, well-reputed domains as benign. The attackers may have acquired them from domain resellers, so that the domain goes unnoticed by the victim.
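As an added illustration (not code from the reports or from the sample itself), the following Go program reproduces that check: it enumerates the host's interfaces and compares every hardware address, normalized for case and separator, against a blocklist that contains the Hyper-V value. Only the MAC address comes from the reports; the blocklist structure, the function names and the decision to treat "-" and ":" as equivalent are this example's assumptions. An analyst can run it inside a sandbox to see whether the sample would have refused to run there.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// sandboxMACs lists hardware addresses whose presence is treated as a sign of
// an analysis environment. The Hyper-V value is the one reported for GoldMax;
// the comparison logic around it is this added example's own.
var sandboxMACs = []string{
	"c8:27:cc:c2:37:5a", // default Microsoft Hyper-V network adapter (from the reports)
}

// normalizeMAC folds case and separators so that "C8-27-CC-C2-37-5A" and
// "c8:27:cc:c2:37:5a" compare equal (an assumption about how the check behaves).
func normalizeMAC(s string) string {
	return strings.ToLower(strings.ReplaceAll(s, "-", ":"))
}

// matchSandboxMAC returns the first address in addrs that appears in the
// blocklist, and whether any matched.
func matchSandboxMAC(addrs []net.HardwareAddr, blocklist []string) (string, bool) {
	wanted := make(map[string]struct{}, len(blocklist))
	for _, b := range blocklist {
		wanted[normalizeMAC(b)] = struct{}{}
	}
	for _, a := range addrs {
		if len(a) == 0 {
			continue // loopback and some virtual interfaces carry no MAC
		}
		if _, hit := wanted[normalizeMAC(a.String())]; hit {
			return a.String(), true
		}
	}
	return "", false
}

// localSandboxMAC enumerates the host's interfaces the way the sample does
// before deciding whether to keep running.
func localSandboxMAC() (string, bool, error) {
	ifaces, err := net.Interfaces()
	if err != nil {
		return "", false, err
	}
	addrs := make([]net.HardwareAddr, 0, len(ifaces))
	for _, i := range ifaces {
		addrs = append(addrs, i.HardwareAddr)
	}
	mac, hit := matchSandboxMAC(addrs, sandboxMACs)
	return mac, hit, nil
}

func main() {
	mac, hit, err := localSandboxMAC()
	switch {
	case err != nil:
		fmt.Println("interface enumeration failed:", err)
	case hit:
		fmt.Println("analysis environment suspected, MAC", mac, "- the sample would exit here")
	default:
		fmt.Println("no blocklisted MAC found - the sample would continue")
	}
}
```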
Figure 1. Domains used in one of the samples
Adaptive configuration file
GoldMax stores its configuration in a file with a .tmp extension (e.g. features.dat.tmp, config.dat.tmp), which the C2 server can update through commands. The configuration is encrypted with AES-256 in CFB mode and then Base64 encoded; the key varies between GoldMax versions.
The configuration also carries an activation date/time. It is 0 by default, meaning the implant is active immediately, but it can be set through the C2. In general, researchers have observed the following parameters:
- MD5 hash of the timestamp calculated at execution time
- Lower and upper limits used to generate random sleep times
- 0 or 1: whether to use the traffic concealment (decoy traffic) mechanism
- Activation date/time (0 by default)
- User-Agent to be used for HTTPS requests (e.g. Mozilla)
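Added example (not GoldMax's own code, nor code from the FireEye or Microsoft reports): a Go round trip through a configuration of the shape described above. AES-256-CFB and Base64 come from the reports; everything else is assumed for illustration: the pipe-delimited field order (timestamp MD5, sleep bounds, blend flag, activation time, user agent), a key derived by hashing a constructed host fingerprint in place of the real version-specific derivation, and an IV prepended to the ciphertext. The decoder validates the sleep bounds so that a malformed file is reported rather than silently misread.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Config holds the parameters the reports list. The pipe-delimited layout and
// field order assumed below are this example's, not the documented file format.
type Config struct {
	TimestampMD5 string        // MD5 of the execution timestamp
	SleepLow     time.Duration // lower bound for random sleeps
	SleepHigh    time.Duration // upper bound for random sleeps
	Blend        bool          // 1 = generate decoy traffic, 0 = do not
	Activation   int64         // activation time as Unix seconds, 0 = immediately
	UserAgent    string        // User-Agent for HTTPS requests
}

// deriveKey stands in for the host-derived, version-specific key: a constructed
// host fingerprint is hashed to the 32 bytes AES-256 needs. Not the real derivation.
func deriveKey(hostFingerprint string) []byte {
	sum := sha256.Sum256([]byte(hostFingerprint))
	return sum[:]
}

// ParseConfig validates the decrypted text so that a malformed file (or a bad
// update pushed from the C2) is reported instead of yielding nonsensical bounds.
func ParseConfig(s string) (Config, error) {
	f := strings.SplitN(s, "|", 6)
	if len(f) != 6 {
		return Config{}, fmt.Errorf("expected 6 fields, got %d", len(f))
	}
	low, err1 := strconv.ParseInt(f[1], 10, 64)
	high, err2 := strconv.ParseInt(f[2], 10, 64)
	act, err3 := strconv.ParseInt(f[4], 10, 64)
	if err := errors.Join(err1, err2, err3); err != nil {
		return Config{}, err
	}
	if low < 0 || high < low {
		return Config{}, fmt.Errorf("invalid sleep bounds %d-%d", low, high)
	}
	return Config{
		TimestampMD5: f[0],
		SleepLow:     time.Duration(low) * time.Second,
		SleepHigh:    time.Duration(high) * time.Second,
		Blend:        f[3] == "1",
		Activation:   act,
		UserAgent:    f[5],
	}, nil
}

// Encrypt applies AES-256-CFB and Base64-encodes IV||ciphertext. Prepending the
// IV is this example's convention; the reports do not say where it is kept.
func Encrypt(key, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	out := make([]byte, aes.BlockSize+len(plaintext))
	iv := out[:aes.BlockSize]
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	cipher.NewCFBEncrypter(block, iv).XORKeyStream(out[aes.BlockSize:], plaintext)
	return base64.StdEncoding.EncodeToString(out), nil
}

// Decrypt reverses Encrypt: the step an analyst needs to read a recovered
// .tmp file once the key for that sample is known.
func Decrypt(key []byte, encoded string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	if len(raw) < aes.BlockSize {
		return nil, errors.New("ciphertext shorter than one block")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCFBDecrypter(block, raw[:aes.BlockSize]).XORKeyStream(pt, raw[aes.BlockSize:])
	return pt, nil
}

func main() {
	key := deriveKey("WORKSTATION-01|00:11:22:33:44:55") // constructed host fingerprint
	// Constructed plaintext: timestampMD5|low|high|blend|activation|user-agent
	enc, _ := Encrypt(key, []byte("d41d8cd98f00b204e9800998ecf8427e|30|90|1|0|Mozilla/5.0"))
	pt, _ := Decrypt(key, enc)
	cfg, err := ParseConfig(string(pt))
	fmt.Printf("%s\n%+v (err=%v)\n", enc, cfg, err)
}
```

CFB is a stream mode, so decrypting with the wrong key does not fail: it returns garbage that only the parser's validation will catch. That is why a recovered .tmp file should always be decoded with the version-specific key and then checked field by field rather than trusted on the strength of a successful decrypt.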
C2 traffic concealment mechanisms
To hinder detection, GoldMax can generate decoy network traffic: requests to legitimate-looking domains among which its real C2 communications are blended. As noted above, this feature is switched on or off from the configuration file.
Communication with the C2 server is encrypted with a session key that the client (the victim) receives from the server after presenting an HTTP Cookie unique to each infected computer and completing a series of challenge-response steps.
The Cookie header carries information for the C2 server as an out-of-band channel: another obfuscation mechanism, in this case intended to hide the purpose of the message exchange.
Figure 2. Meaning of the visible values in the header of the Cookie. Source: FireEye
Sibot is written in VBScript. Its purpose is to maintain persistence and to download and execute a payload from the C2 server.
It masquerades as a legitimate Windows scheduled task: the script itself is stored either in the registry or in an obfuscated file on disk, and it is the Windows Task Scheduler that launches it.
The current Sibot samples download a DLL into a subfolder of System32, save it under a .sys extension and run it with rundll32. At the time of writing there are three variants of Sibot.
Figure 3. Sibot variants. Source: Microsoft
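The two behaviours above, a script host launched by the Task Scheduler and rundll32 loading a file with a .sys extension, are the kind of thing a detection engineer turns into rules. The following Go program is an added example (not from the Microsoft report) that runs two such rules over constructed process-creation events in a simplified pipe-separated format; the field names follow Sysmon event ID 1, but the log lines, paths and file names are made up. It assumes that the scheduler shows up as the parent process taskeng.exe (older Windows) or as svchost.exe with "Schedule" in its command line (Windows 10).

```go
package main

import (
	"fmt"
	"strings"
)

// Event is a minimal process-creation record (Sysmon event ID 1 style).
type Event struct {
	Image       string
	ParentImage string
	ParentCmd   string
	CommandLine string
}

type Alert struct {
	Rule  string
	Event Event
}

// Constructed sample lines: Image|ParentImage|ParentCommandLine|CommandLine.
// Line 1 mimics the Sibot DLL launch, line 3 the scheduled VBScript; lines 2
// and 4 are benign controls.
const sampleLog = `C:\Windows\System32\rundll32.exe|C:\Windows\System32\wscript.exe|wscript.exe //B update.vbs|rundll32.exe C:\Windows\System32\drivers\etc\update.sys,Run
C:\Windows\System32\rundll32.exe|C:\Windows\explorer.exe|explorer.exe|rundll32.exe shell32.dll,Control_RunDLL
C:\Windows\System32\wscript.exe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs -p -s Schedule|wscript.exe //B C:\ProgramData\WindowsUpdateTask.vbs
C:\Windows\System32\cscript.exe|C:\Windows\System32\cmd.exe|cmd.exe /c run.bat|cscript.exe logon.vbs`

// baseName lower-cases the last path element, accepting either separator so
// the code behaves the same when run on a non-Windows analysis host.
func baseName(p string) string {
	return strings.ToLower(p[strings.LastIndexAny(p, `\/`)+1:])
}

func ParseLog(text string) ([]Event, error) {
	var evs []Event
	for i, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Split(line, "|")
		if len(f) != 4 {
			return nil, fmt.Errorf("line %d: expected 4 fields, got %d", i+1, len(f))
		}
		evs = append(evs, Event{Image: f[0], ParentImage: f[1], ParentCmd: f[2], CommandLine: f[3]})
	}
	return evs, nil
}

// loadsSysViaRundll32 flags rundll32 given a .sys path. rundll32 only loads
// user-mode DLLs and drivers are never loaded that way, so a .sys argument
// is almost certainly a renamed DLL, as in the Sibot samples.
func loadsSysViaRundll32(e Event) bool {
	if baseName(e.Image) != "rundll32.exe" {
		return false
	}
	sep := func(r rune) bool { return r == ' ' || r == ',' || r == '"' }
	for _, tok := range strings.FieldsFunc(e.CommandLine, sep) {
		if strings.HasSuffix(strings.ToLower(tok), ".sys") {
			return true
		}
	}
	return false
}

// scriptHostFromScheduler flags wscript/cscript whose parent is the Task
// Scheduler (taskeng.exe, or svchost.exe hosting the Schedule service).
func scriptHostFromScheduler(e Event) bool {
	img := baseName(e.Image)
	if img != "wscript.exe" && img != "cscript.exe" {
		return false
	}
	parent := baseName(e.ParentImage)
	return parent == "taskeng.exe" ||
		(parent == "svchost.exe" && strings.Contains(strings.ToLower(e.ParentCmd), "schedule"))
}

func Detect(evs []Event) []Alert {
	var out []Alert
	for _, e := range evs {
		if loadsSysViaRundll32(e) {
			out = append(out, Alert{"rundll32 loading a .sys file", e})
		}
		if scriptHostFromScheduler(e) {
			out = append(out, Alert{"script host started by Task Scheduler", e})
		}
	}
	return out
}

func main() {
	evs, err := ParseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range Detect(evs) {
		fmt.Printf("[%s] %s\n", a.Rule, a.Event.CommandLine)
	}
}
```

The .sys rule is a strong signal on its own. The scheduled-script rule will also fire on legitimate administrative scripts, so before it is used for alerting it needs an allowlist of known task names, or should be correlated with the script being stored in an unusual location or in the registry.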
Like GoldMax, GoldFinder is written in Go. It is an HTTP request tracing tool: it sends requests and records the redirections or hops along the path, which may reveal devices deployed as network security measures, such as HTTP proxy servers, between the victim and the C2.
GoldFinder writes the results of its checks to a log file. That information shows where other actions, such as GoldMax's communications with the C2 server, could be observed or logged along the way.
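An added example (not GoldFinder's code): a Go tracer in the same spirit. It follows redirects one hop at a time, recording the status and the Location, Via and Server headers at each step, reports which proxy the transport would pick up from the environment, and aborts on a redirect loop. The local httptest server in main is constructed so that the program runs offline; the header names it inspects are standard HTTP, but which ones GoldFinder actually records is not stated on this page.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Hop records one response on the path to the final destination, including
// the headers a transparent or explicit proxy is likely to leave behind.
type Hop struct {
	URL      string
	Status   int
	Location string // redirect target, if any
	Via      string // proxies are expected to append themselves here (RFC 7230)
	Server   string
}

// TraceRedirects follows redirects one at a time so that every intermediate
// response is recorded; the default client would hide them. maxHops bounds loops.
func TraceRedirects(client *http.Client, start string, maxHops int) ([]Hop, error) {
	c := *client // shallow copy: keep the caller's transport, override the redirect policy
	c.CheckRedirect = func(*http.Request, []*http.Request) error {
		return http.ErrUseLastResponse
	}
	var hops []Hop
	current := start
	for i := 0; i <= maxHops; i++ {
		resp, err := c.Get(current)
		if err != nil {
			return hops, err
		}
		resp.Body.Close()
		hop := Hop{
			URL:      current,
			Status:   resp.StatusCode,
			Location: resp.Header.Get("Location"),
			Via:      resp.Header.Get("Via"),
			Server:   resp.Header.Get("Server"),
		}
		hops = append(hops, hop)
		if resp.StatusCode < 300 || resp.StatusCode > 399 || hop.Location == "" {
			return hops, nil // final response reached
		}
		base, err := url.Parse(current)
		if err != nil {
			return hops, err
		}
		next, err := base.Parse(hop.Location) // resolves relative Location values
		if err != nil {
			return hops, err
		}
		current = next.String()
	}
	return hops, errors.New("redirect limit exceeded: possible loop or interception")
}

// EnvProxyFor reports the proxy the Go transport would use for target from
// HTTP_PROXY/HTTPS_PROXY/NO_PROXY, or "" if none. An explicit proxy on the path
// is exactly what a tool like this wants to know about before beaconing.
func EnvProxyFor(target string) (string, error) {
	req, err := http.NewRequest(http.MethodGet, target, nil)
	if err != nil {
		return "", err
	}
	p, err := http.ProxyFromEnvironment(req)
	if err != nil || p == nil {
		return "", err
	}
	return p.String(), nil
}

// FormatTrace renders the hops as log lines of the kind a tracer would write.
func FormatTrace(hops []Hop) []string {
	lines := make([]string, 0, len(hops))
	for i, h := range hops {
		lines = append(lines, fmt.Sprintf("hop %d: %s -> %d location=%q via=%q server=%q",
			i, h.URL, h.Status, h.Location, h.Via, h.Server))
	}
	return lines
}

func main() {
	// Constructed local server standing in for a proxy that redirects once.
	mux := http.NewServeMux()
	mux.HandleFunc("/beacon", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Via", "1.1 corp-proxy")
		http.Redirect(w, r, "/beacon-final", http.StatusFound)
	})
	mux.HandleFunc("/beacon-final", func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	srv := httptest.NewServer(mux)
	defer srv.Close()

	proxy, _ := EnvProxyFor(srv.URL)
	fmt.Println("environment proxy:", proxy)
	hops, err := TraceRedirects(srv.Client(), srv.URL+"/beacon", 5)
	for _, l := range FormatTrace(hops) {
		fmt.Println(l)
	}
	if err != nil {
		fmt.Println("trace error:", err)
	}
}
```

Seen from the defender's side, the same logic is a check on the network itself: if a trace from an ordinary workstation reaches the Internet without a single Via header or proxy hop, outbound HTTP is not being inspected at all, which is precisely the condition an implant like GoldMax is hoping for.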
In summary, researchers have found additional malware on computers infected through the malicious code the attackers planted in SolarWinds updates: three new artifacts, named GoldMax, Sibot and GoldFinder.
The persistence techniques, mainly in GoldMax and Sibot, are known and documented. GoldFinder is notable because it acts as a guard for the installed malware, scouting the network path for points of inspection; it is not the only technique malware uses to protect itself. The combination of all these artifacts in a single attack is what makes it interesting, and the attack is still being scrutinized by analysts, so new findings may yet emerge.