The Nobelium APT became a major player on the cyber-espionage landscape last year when the previously unknown hacker group carried out a massive supply-chain attack against the software developer SolarWinds. At the time, Microsoft assigned the name Solorigate to the hacker collective but later changed it to Nobelium. The cybersecurity company FireEye tracks the activity of the group under the UNC2542 designation.
The SolarWinds Attack
The hack against SolarWinds saw Nobelium deploy four different malware strains that together made the supply-chain attack possible. First, the hackers dropped the Sunspot malware on a build server immediately after breaching SolarWinds' network. The malware strain was designed with a single purpose: to lie in wait on the build server until it detected a build command assembling one of SolarWinds' main products, the IT resource monitoring platform Orion. At the time, over 33,000 customers were using Orion. When Sunspot identified the right circumstances to activate, it stealthily replaced certain source code files with corrupted ones responsible for loading the next-stage payload, the Sunburst malware. As a result, the now trojanized version of Orion was distributed to the company's clients, who infected their own internal networks upon executing it.
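The defensive counterpart to the build-server tampering described above is a source-integrity check that runs between checkout and compile. The following is an added example, not code from the article or from SolarWinds: it records SHA-256 hashes of the source tree into a manifest when the checkout completes and re-verifies the tree immediately before the compiler is invoked, so a file swapped in on the build server (the pattern attributed to Sunspot) is reported rather than silently compiled. File names and contents in `demo()` are constructed for the demonstration.

```python
"""
Added example (not part of the article): build-time source integrity check.
A manifest of SHA-256 hashes is written when the source tree is checked out
and compared against the tree right before the compile step runs.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# File types worth pinning; a real build would derive this from the project.
SOURCE_SUFFIXES = (".cs", ".c", ".cpp", ".h", ".csproj")


def hash_tree(root, suffixes=SOURCE_SUFFIXES):
    """Return {relative_posix_path: sha256_hex} for every source file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def diff_manifests(expected, actual):
    """Classify every difference between the pinned and the observed tree."""
    modified = sorted(p for p in expected if p in actual and expected[p] != actual[p])
    added = sorted(p for p in actual if p not in expected)
    removed = sorted(p for p in expected if p not in actual)
    return {"modified": modified, "added": added, "removed": removed}


def verify_before_compile(root, manifest_path):
    """Re-hash the tree and return the diff; an all-empty diff means 'safe to compile'."""
    expected = json.loads(Path(manifest_path).read_text())
    return diff_manifests(expected, hash_tree(root))


def demo():
    """Constructed scenario: two files checked out, one replaced and one added before compile."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src"
        src.mkdir()
        (src / "Orion.cs").write_text("class Orion { }\n")
        (src / "Util.cs").write_text("class Util { }\n")

        # Step 1: pin the tree at checkout time (constructed manifest location).
        manifest_file = Path(tmp) / "manifest.json"
        manifest_file.write_text(json.dumps(hash_tree(src)))

        # Simulated tampering between checkout and compile (constructed, not real code).
        (src / "Orion.cs").write_text("class Orion { /* injected */ }\n")
        (src / "Extra.cs").write_text("class Extra { }\n")

        # Step 2: verify right before invoking the compiler.
        return verify_before_compile(src, manifest_file)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest only helps if it is produced somewhere the build server cannot rewrite, for example computed from the version-control commit on a separate host and passed in read-only; a manifest written and read on the same compromised machine can be adjusted along with the sources.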
Sunburst acted as a reconnaissance tool that collected data from the systems of the compromised organization and relayed it back to the hackers. Nobelium then used the gathered information to decide whether a specific victim was important enough to warrant further escalation of the attack. Those deemed worth the risk were subjected to the final phase, which consisted of deploying the more powerful Teardrop backdoor. Simultaneously with the delivery of Teardrop, Sunburst was instructed to delete itself to reduce the attacker's footprint on the compromised system. On a select few victims, the hackers delivered a malware strain that mirrored Teardrop functionally but differed drastically in its underlying code. Called Raindrop, this threat baffled researchers because they could not determine its entry point, unlike Teardrop, which was dropped directly by the previous-stage Sunburst malware.
Researchers Uncover New Nobelium-Related Malware Strains
The Nobelium hackers are not slowing down their activities, as revealed by Microsoft and the FireEye security company, who are still monitoring the group. The researchers have observed several new custom-built malware strains added to the group's arsenal. These include:
- GoldMax/Sunshuttle Malware - a sophisticated backdoor. Its main feature is the ability to blend its C2 communications into ordinary web traffic by selecting referrers from a list of legitimate website URLs, including the likes of Google.com, Facebook.com, Yahoo.com and Bing.com.
- The Sibot Malware - a second-stage dropper tasked with achieving persistence and then fetching and executing the next-stage payload from the C2 servers. Its VBScript component takes a name similar to a legitimate Windows task and is stored either in the Registry or in an obfuscated form on the disk of the breached system.
- The GoldFinder Malware - a highly specialized malware strain that acts as an HTTP tracer tool. The threat maps out the exact route that packets take on their way to the C2 servers. GoldFinder can then alert the Nobelium hackers to any HTTP proxy servers or other redirections caused by network security devices deployed by the compromised organization.
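The GoldMax behaviour listed above (rotating the Referer value through a short list of well-known sites) leaves a pattern that is visible in proxy logs: a single, otherwise uncommon destination receives requests at a steady cadence, and the referrers on those requests cycle through several high-traffic domains that have no reason to all link to it. The following is an added example, not code from the article or from either vendor: it parses constructed proxy log lines of the form `timestamp destination_host referer`, measures how regular the request intervals to each destination are, and flags hosts whose beacon-like traffic carries referrers from three or more of the listed decoy domains. The log lines, host names, thresholds and the decoy list are assumptions for the demonstration.

```python
"""
Added example (not part of the article): flag destinations that receive
periodic requests whose Referer header rotates through well-known domains.
Input format (constructed): "<unix_ts> <destination_host> <referer_url_or_->".
"""
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlparse

# Referrer domains the article names as GoldMax decoys (assumed list for the demo).
DECOY_REFERERS = {"google.com", "facebook.com", "yahoo.com", "bing.com"}

# Constructed sample log: one beaconing host, one normal site, one single request.
PROXY_LOG = """\
1000 update.cdn-example.net https://www.google.com/
1600 update.cdn-example.net https://www.facebook.com/
2200 update.cdn-example.net https://www.yahoo.com/
2800 update.cdn-example.net https://www.bing.com/
3400 update.cdn-example.net https://www.google.com/
1005 news.example.org https://www.google.com/
1900 news.example.org https://www.google.com/
5100 news.example.org -
1010 shop.example.com https://www.bing.com/
"""


def referer_domain(referer):
    """Reduce a Referer URL to its registrable-looking host; '-' means no header."""
    if referer == "-":
        return None
    host = urlparse(referer).hostname or ""
    return host[4:] if host.startswith("www.") else host


def parse_log(text):
    """Yield (timestamp, destination_host, referer_domain) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, referer = line.split(maxsplit=2)
        yield int(ts), host, referer_domain(referer)


def interval_cv(timestamps):
    """Coefficient of variation of inter-request gaps; 0.0 means perfectly periodic."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg > 0 else float("inf")


def find_suspicious(text, min_requests=4, max_cv=0.2, min_decoys=3):
    """Return destination hosts that beacon regularly with rotating decoy referrers."""
    times = defaultdict(list)
    decoys = defaultdict(set)
    for ts, host, ref in parse_log(text):
        times[host].append(ts)
        if ref in DECOY_REFERERS:
            decoys[host].add(ref)

    flagged = []
    for host, stamps in times.items():
        if len(stamps) < min_requests:
            continue  # too few requests to judge periodicity
        if interval_cv(stamps) <= max_cv and len(decoys[host]) >= min_decoys:
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    for host in find_suspicious(PROXY_LOG):
        print("suspicious destination:", host)
```

Legitimate search referrals from one of these domains are common, so the referrer alone is a weak signal; the combination with a fixed cadence to one destination and several unrelated decoys on the same host is what makes the hit worth triage. The thresholds are starting points to tune against a site's own baseline.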
Nobelium continues to unleash more custom-made tools that help it achieve its objectives. The hackers already managed to compromise over 18,000 of SolarWinds' customers. Among the victims were prominent tech companies and US government agencies.