Microsoft links new malware to SolarWinds hackers


Microsoft released details on later-stage malware the company says was used by the group behind the SolarWinds espionage campaign. (Microsoft)

Microsoft released details Thursday on later-stage malware the company says was used by the group behind the SolarWinds espionage campaign that breached several government agencies and private firms including Microsoft and FireEye.


A coordinated blog from FireEye provided a separate deep dive on one of the malware strains in the Microsoft post, but the firm was less confident about attributing it to the SolarWinds campaign. According to its blog, FireEye obtained a sample from a malware repository.


Microsoft, which now tracks this hacker group as Nobelium, said it discovered three new malware samples that appear to have been active in some compromised customer networks between August and September of last year.


“These capabilities differ from previously known Nobelium tools and attack patterns, and reiterate the actor’s sophistication. In all stages of the attack, the actor demonstrated a deep knowledge of software tools, deployments, security software and systems common in networks, and techniques frequently used by incident response teams,” wrote Microsoft.


Lawmakers and vendors alike believe Nobelium to be a facet of Russian intelligence.


The two Nobelium strains outlined by Microsoft but not by FireEye are Sibot and GoldFinder. Sibot is a dual-purpose VBScript program that comes in three variants. All three download a malicious DLL from a compromised website. The script runs the DLL through the Win32_Process WMI class, which makes the execution harder to trace back to Sibot, which then c ..
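The point of launching the DLL through WMI is that a process created with Win32_Process.Create is parented by the WMI provider host, WmiPrvSE.exe, not by the script host that issued the call, so the usual parent-child chain back to the VBScript is broken. As an added hunting example (this is not code from the article, Microsoft or FireEye), the following script flags DLL loaders spawned by WmiPrvSE.exe and restores the missing link by pairing each hit with script hosts seen on the same machine shortly before it. The process-creation records, host names and file paths are constructed for the example; the Sysmon-style field names are an assumption about your telemetry.

```python
"""Hunt for DLLs launched through the WMI Win32_Process class (Sibot-style).

A process created with Win32_Process.Create is parented by WmiPrvSE.exe, so the
parent-child link back to the script host (wscript.exe/cscript.exe) that issued
the WMI call is missing. Rule 1 flags DLL loaders parented by WmiPrvSE.exe;
rule 2 re-links each hit to script hosts seen on the same machine shortly before.
All event data below is constructed for the example, not real telemetry.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1-like fields, assumed)."""
    ts: datetime
    host: str
    pid: int
    image: str
    parent_image: str
    cmdline: str


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample telemetry; hosts and file names are hypothetical.
SAMPLE_EVENTS: List[ProcEvent] = [
    # Script host runs a VBScript; a DLL loader appears under WmiPrvSE.exe 7 s later.
    ProcEvent(_t("2020-09-01 10:00:00"), "WS01", 4100, r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\explorer.exe", r'wscript.exe "C:\Users\bob\AppData\Roaming\sched.vbs"'),
    ProcEvent(_t("2020-09-01 10:00:07"), "WS01", 4120, r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"rundll32.exe C:\Windows\Temp\tmp1.dll,Start"),
    # Benign rundll32 under svchost.exe: not WMI-spawned, so no hit.
    ProcEvent(_t("2020-09-01 10:03:00"), "WS01", 4200, r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\svchost.exe", r"rundll32.exe shell32.dll,Control_RunDLL"),
    # WMI-spawned regsvr32 on another host; the only script host there is outside the window.
    ProcEvent(_t("2020-09-01 09:00:00"), "WS02", 800, r"C:\Windows\System32\cscript.exe",
              r"C:\Windows\explorer.exe", r"cscript.exe inventory.vbs"),
    ProcEvent(_t("2020-09-01 11:30:00"), "WS02", 900, r"C:\Windows\System32\regsvr32.exe",
              r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"regsvr32.exe /s C:\Windows\Temp\tmp2.dll"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
WMI_PROVIDER_HOST = "wmiprvse.exe"


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def wmi_spawned_loaders(events: List[ProcEvent]) -> List[ProcEvent]:
    """Rule 1: a DLL loader whose parent is the WMI provider host."""
    return [e for e in events
            if basename(e.parent_image) == WMI_PROVIDER_HOST
            and basename(e.image) in DLL_LOADERS]


def link_to_script_hosts(events: List[ProcEvent],
                         window: timedelta = timedelta(minutes=5)
                         ) -> List[Tuple[ProcEvent, List[ProcEvent]]]:
    """Rule 2: pair each hit with script hosts on the same machine within `window` before it.

    An empty candidate list means no script host was seen in the window, so the
    launcher is unknown (still a hit, but lower confidence that it is script-driven).
    """
    by_host: Dict[str, List[ProcEvent]] = {}
    for e in events:
        by_host.setdefault(e.host, []).append(e)
    results = []
    for hit in wmi_spawned_loaders(events):
        cands = [e for e in by_host[hit.host]
                 if basename(e.image) in SCRIPT_HOSTS
                 and hit.ts - window <= e.ts <= hit.ts]
        results.append((hit, sorted(cands, key=lambda e: e.ts)))
    return results


def summarize(events: List[ProcEvent], window: timedelta = timedelta(minutes=5)) -> List[str]:
    """One human-readable line per hit, with the re-linked script host(s) if any."""
    lines = []
    for hit, cands in link_to_script_hosts(events, window):
        src = ", ".join(f"{basename(c.image)} pid {c.pid}" for c in cands) or "no script host in window"
        lines.append(f"{hit.host} {hit.ts:%H:%M:%S} {basename(hit.image)} pid {hit.pid} via WMI <- {src}")
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_EVENTS):
        print(line)
```

Rule 1 alone is noisy in environments where administrators legitimately use WMI to run tools, so the correlation in rule 2 is what turns a WmiPrvSE.exe-parented rundll32 or regsvr32 into something an analyst can act on; when your telemetry includes the WMI-Activity operational log or Sysmon's WMI events, the same join can be made on the calling process directly instead of by time window.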