Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

SolarWinds Hackers Use New Malware in Recent Attacks

The threat group believed to be responsible for the attack on IT management company SolarWinds has developed new malware as it continues to target organizations that possess data relevant to Russian interests.

The threat group believed to be responsible for the attack on IT management company SolarWinds has developed new malware as it continues to target organizations that possess data relevant to Russian interests.

One year has passed since the discovery of the breach at SolarWinds and — despite their activities being analyzed and exposed by cybersecurity companies and researchers — the threat actor that launched the attack continues to target governments and private businesses, with their main goal apparently being the theft of data that could be useful to the Russian government.

Incident response and threat intelligence firm Mandiant on Monday published a new report describing the threat group’s most recent activities. The company tracks the threat actor and apparently related activity clusters as UNC2452, UNC3004 and UNC2652. Microsoft tracks the group as Nobelium, while others have linked the attacks to APT29 and Cozy Bear. There is wide consensus that the activity is conducted by a Russian intelligence agency.

In its new report, Mandiant reveals that the hackers have been using a new, custom downloader named CEELOADER. The malware is installed using the Cobalt Strike Beacon implant and it serves as a downloader that decrypts a shellcode payload executed in the compromised device’s memory.

Luke Jenkins, senior analyst at Mandiant, told SecurityWeek that CEELOADER was first identified on victims’ systems in the third quarter of 2021.

Jenkins noted that Microsoft currently tracks the malware as a variant of VaporRage, which the tech giant described in May. However, the expert has pointed out that while CEELOADER does share some similarities with VaporRage — they both function as a downloader for a second-stage encrypted payload — CEELOADER has junk code and other changes to make analysis more difficult. In addition, CEELOADER uses AES-256 to encrypt payloads, whereas VaporRage relies on a basic XOR algorithm.

“The use of CEELOADER continues to demonstrate that this threat actor is well resourced and when needed, can develop custom malware to fit their needs,” Jenkins said.

Doug Bienstock, incident response manager at Mandiant, said in an email that the threat actor’s targeting has largely remained consistent over the last few months.

Advertisement. Scroll to continue reading.

“The threat actor is ultimately interested in government, consulting, and NGOs that have data of interest to the Russian government,” Bienstock said.

In its latest report, Mandiant also described the group’s use of credentials likely obtained from an info-stealer malware typically used by cybercriminals, and methods used to bypass multi-factor authentication. The report also describes the use of accounts with application impersonation privileges for harvesting mail data, the use of residential IP proxy services and newly provisioned geo-located infrastructure to communicate with compromised systems, and new methods used by the attackers to bypass security restrictions.

Despite their operations being exposed following the SolarWinds supply chain attack, the cyberspies have continued targeting companies that provide tech solutions and services in an effort to reach their targets.

In an October report on Nobelium activities, Microsoft said it had informed more than 600 customers about roughly 23,000 attacks since July.

On Monday, France’s national cybersecurity agency ANSSI also issued an alert regarding Nobelium attacks. The agency warned that it had been aware of phishing campaigns aimed at French entities since February 2021. ANSSI has made available indicators of compromise (IoCs) and other information associated with the attacks.

“These campaigns have succeeded in compromising email accounts belonging to French organisations, and then using these to send weaponised emails to foreign institutions. Moreover, French public organisations have also been recipients of spoofed emails sent from supposedly compromised foreign institutions,” the agency said.

Related: Microsoft Details FoggyWeb Backdoor Used by SolarWinds Hackers

Related: SolarWinds Hackers Impersonate U.S. Government Agency in New Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cyberwarfare

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Cyberwarfare

Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...