Infosec researchers from Microsoft and the cybersecurity company FireEye are continuing to monitor the activities of the hacker collective that was responsible for the massive supply-chain attack against SolarWinds that took place last year. The continued efforts have allowed the two companies to discover several newly deployed threatening tools by the group. One of the is GoldMax (Sunshuttle) - a second stage backdoor threat.
Microsoft initially gave the threat actor the name Solarigate but has since changed it to Nobelium. FireEye designated the hacker group with UNC2542. The ATP (Advanced Persistence Threat) group had managed to affect 18,000 SolarWinds customers through the threatening campaign. The cybercriminals are not slowing down and have revealed a slew of custom-built malware additions to their arsenal.
So far, the initial breach vector used to deliver the GoldMax backdoor hasn't been determined. The researchers, however, were able to uncover the most important function of the threat that distinguishes it from similar malware - GoldMax/Sunshuttle employs a novel detection-evasion technique that helps it to better blend its abnormal traffic with the one normally generated by the compromised organization. The threat can select referrers from a list of legitimate websites that include Google.com, Facebook.com, Bing.com and Yahoo.com.
The first action of GoldMax/Sunshuttle after being executed is to enumerate the target's MAC address and compare it to a specific hard coded MAC address value. If a match occurs, the threat will terminate its activity. Otherwise, it proceeds to extract the configuration settings of the infected system. The next step is to request and then receive a session key from the Command-and-Control (C2, C&C) servers. Researchers speculate that the session key is most likely used to encrypt certain content.
When fully established, GoldMax/Sunshuttle can be told to remotely update its configuration or be used by the attackers to fetch or exfiltrate files and execute arbitrary commands.