Researchers have revealed that the threat actor behind the SolarWinds supply-chain compromise has also been using two additional, previously undocumented malware implants, deployed on victims' systems well before the SolarWinds compromise came to light.
What are the newly discovered threats?
According to CrowdStrike, one of the newly identified implants is a Linux variant of the GoldMax backdoor; the other is a new malware family now tracked as TrailBlazer.
GoldMax and TrailBlazer have been used in StellarParticle campaigns (activity CrowdStrike associates with the APT29 hacking group) since mid-2019, but they went undetected for roughly two years and were only identified during incident response investigations.
During that incident response work, investigators used the Windows User Access Logging (UAL) database, which records per-role client access by account name and source IP address on Windows Server, to trace malicious account usage back in time; that look-back is what surfaced TrailBlazer and GoldMax for Linux.
TrailBlazer is an entirely new malware family, whereas GoldMax for Linux is almost identical in functionality and implementation to the Windows variant identified in May 2020.
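The kind of UAL look-back described above, as an added example that is not part of the article or of CrowdStrike's report. It assumes a Windows Server with the UserAccessLogging module (present on Server 2012 and later); the account and IP address are hypothetical, and the property names (UserName, FirstSeen, LastSeen, TotalAccesses, IPAddress, AccessDate, AccessCount) are taken from the module's documentation, so confirm them with `Get-UalUserAccess | Get-Member` on the server you run this on.

```powershell
# Added example: use the User Access Logging (UAL) database on a Windows Server to find
# the earliest trace of a suspect account or client address. The underlying ESE files
# live under C:\Windows\System32\LogFiles\Sum\ (current year plus archived years), which
# is what makes a look-back spanning years possible.
Import-Module UserAccessLogging   # Windows Server 2012+; not available on client Windows

# Hypothetical indicators; substitute the account and source IP under investigation.
$SuspectAccount = 'CORP\svc-backup'
$SuspectIp      = '10.20.30.40'

function Find-UalEvidence {
    param([string]$Account, [string]$Ip)

    # Per-user view: first and last time the account touched each role
    # (file server, AD DS, IIS, ...) on this server.
    $userHits = Get-UalUserAccess |
        Where-Object { $_.UserName -eq $Account } |
        Sort-Object FirstSeen |
        Select-Object UserName, RoleName, FirstSeen, LastSeen, TotalAccesses

    # Per-day view: which days the source IP reached this server, and how often.
    $ipHits = Get-UalDailyAccess |
        Where-Object { $_.IPAddress -eq $Ip } |
        Sort-Object AccessDate |
        Select-Object AccessDate, RoleName, IPAddress, AccessCount

    # The earliest date across both views is where the intrusion timeline has to be extended to.
    $earliest = @(
        @($userHits | ForEach-Object { $_.FirstSeen })
        @($ipHits   | ForEach-Object { $_.AccessDate })
    ) | Where-Object { $_ } | Sort-Object | Select-Object -First 1

    [pscustomobject]@{
        Server   = $env:COMPUTERNAME
        Earliest = $earliest
        UserHits = $userHits
        IpHits   = $ipHits
    }
}

$result = Find-UalEvidence -Account $SuspectAccount -Ip $SuspectIp
if ($result.Earliest) {
    "Earliest UAL evidence on $($result.Server): $($result.Earliest)"
    $result.UserHits | Format-Table -AutoSize
    $result.IpHits   | Format-Table -AutoSize
} else {
    "No UAL records for $SuspectAccount or $SuspectIp on $($result.Server)"
}
```

UAL is per server, so the same query has to be run (or the Sum\*.mdb files collected) from every server the actor could have touched; the UAL cmdlets accept -CimSession for remote hosts. A hit here only proves the account or address was seen, not what it did; it tells you where in time to look for the corroborating logon, process, and network evidence.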
Diving into the new TrailBlazer implant
TrailBlazer masquerades under a legitimate file name and establishes persistence through Windows Management Instrumentation (WMI) event subscriptions, a technique that was relatively rare when it was first observed in 2019.
TrailBlazer communicates with its command-and-control (C2) server by disguising the traffic as legitimate Google Notifications HTTP requests.
It is modular and has very low prevalence, and it shares similarities with other malware families used by the same threat actor, such as GoldMax and Sunburst.
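A hunt for the persistence mechanism attributed to TrailBlazer, as an added example that is not from the article or from CrowdStrike. It enumerates permanent WMI event subscriptions and flags the consumer classes that execute commands or scripts; no TrailBlazer artifact names are known from the page, so the check keys on consumer class, and the small allowlist of default Windows subscriptions is an assumption to adjust for your environment.

```powershell
# Added example: list every permanent WMI event subscription (filter -> consumer binding)
# in root/subscription and flag those whose consumer can run code. Run elevated.
$ns = 'root/subscription'

# Subscriptions Windows itself installs on many builds. Assumed baseline, not a complete
# allowlist; anything else that executes a command or script deserves a look.
$knownGood = @('SCM Event Log Filter', 'SCM Event Log Consumer', 'BVTFilter', 'BVTConsumer')

$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
$consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

function Get-RefName {
    # The Filter/Consumer properties of a binding are object references. Get-CimInstance
    # returns them as CimInstance objects; WMI-style paths look like __EventFilter.Name="x".
    param($Ref)
    if ($Ref -is [Microsoft.Management.Infrastructure.CimInstance]) { return $Ref.Name }
    if ("$Ref" -match 'Name="([^"]+)"') { return $Matches[1] }
    return "$Ref"
}

function Get-ConsumerPayload {
    # Only these two consumer classes execute attacker-controlled content; the
    # NTEventLog, SMTP and LogFile consumers merely write records.
    param($Consumer)
    switch ($Consumer.CimClass.CimClassName) {
        'CommandLineEventConsumer'  { $Consumer.CommandLineTemplate }
        'ActiveScriptEventConsumer' { "$($Consumer.ScriptingEngine): $($Consumer.ScriptText)" }
        default                     { $null }
    }
}

$findings = foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $f = $filters   | Where-Object { $_.Name -eq $fName } | Select-Object -First 1
    $c = $consumers | Where-Object { $_.Name -eq $cName } | Select-Object -First 1
    $payload = Get-ConsumerPayload $c
    [pscustomobject]@{
        Filter        = $fName
        Trigger       = $f.Query               # WQL that fires the consumer (timer, logon, process start ...)
        Consumer      = $cName
        ConsumerClass = $c.CimClass.CimClassName
        Payload       = $payload               # the command line or script that actually runs
        Suspicious    = ($null -ne $payload) -and ($fName -notin $knownGood) -and ($cName -notin $knownGood)
    }
}

$findings | Sort-Object Suspicious -Descending | Format-List

# Eradication of a confirmed malicious subscription: remove the binding first, then the
# consumer and the filter, so nothing fires in between. Uncomment after review.
# foreach ($x in ($findings | Where-Object Suspicious)) {
#     $bindings  | Where-Object { (Get-RefName $_.Filter) -eq $x.Filter -and (Get-RefName $_.Consumer) -eq $x.Consumer } | Remove-CimInstance
#     $consumers | Where-Object { $_.Name -eq $x.Consumer } | Remove-CimInstance
#     $filters   | Where-Object { $_.Name -eq $x.Filter }   | Remove-CimInstance
# }
```

For ongoing detection rather than a one-off sweep, the same three classes are what Sysmon event IDs 19, 20 and 21 (WmiEventFilter, WmiEventConsumer, WmiEventConsumerToFilter activity) record at creation time, which catches the subscription when it is installed instead of when someone looks.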
Tactics, techniques, and procedures
In the report, the researchers provide detailed information on the TTPs observed in these intrusions.
The group used credential hopping (a different set of credentials at each step of lateral movement), hijacked Office 365 Service Principals and Applications by adding its own credentials to them, bypassed MFA by stealing browser cookies, and harvested Active Directory credentials with Get-ADReplAccount, the DSInternals cmdlet that pulls account secrets from a domain controller over the directory replication protocol (a DCSync-style request).
The report also describes the steps APT29 took to obtain persistence that allowed it to read any email and any OneDrive or SharePoint file in the compromised organization.
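A detection for the Get-ADReplAccount technique, as an added example that is neither from the article nor from CrowdStrike's report. A replication request against the domain naming context is audited on the domain controller as Security event 4662 whose Properties field carries the control-access GUIDs of the replication extended rights; those GUIDs are fixed by the Active Directory schema. The script assumes the "Audit Directory Service Access" subcategory is enabled and a SACL audits those rights on the domain object; the MSOL_* allowlist entry is a hypothetical example of a legitimate replicator (Azure AD Connect) to replace with your own inventory.

```powershell
# Added example: hunt for DCSync-style credential theft (Get-ADReplAccount, Mimikatz
# lsadump::dcsync, ...) in a domain controller's Security log. Run elevated on a DC.

# Well-known extended-right GUIDs for directory replication, from the AD schema.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Find-DCSyncEvents {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),
        # Accounts expected to replicate besides DC machine accounts (names ending in $),
        # e.g. Azure AD Connect's MSOL_ account. Hypothetical; fill from your inventory.
        [string[]]$ExpectedReplicators = @('MSOL_*')
    )
    $filter = @{ LogName = 'Security'; Id = 4662; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Only events whose Properties list a replication right are of interest;
        # everything else is ordinary directory object access.
        $matched = @($ReplicationRights.Keys | Where-Object { $data['Properties'] -match $_ })
        if ($matched.Count -eq 0) { continue }

        $user     = $data['SubjectUserName']
        $expected = $user.EndsWith('$') -or
                    (@($ExpectedReplicators | Where-Object { $user -like $_ }).Count -gt 0)

        [pscustomobject]@{
            Time     = $e.TimeCreated
            Subject  = "$($data['SubjectDomainName'])\$user"
            Rights   = ($matched | ForEach-Object { $ReplicationRights[$_] }) -join ', '
            Expected = $expected
        }
    }
}

# A non-DC, non-sync account exercising DS-Replication-Get-Changes-All is a DCSync
# candidate: that is precisely the right Get-ADReplAccount needs to pull password hashes.
Find-DCSyncEvents -Since (Get-Date).AddDays(-30) |
    Where-Object { -not $_.Expected } |
    Sort-Object Time |
    Format-Table -AutoSize
```

The same rights are also what to review on the domain object's ACL: any principal holding Replicating Directory Changes All that is not a domain controller, the Azure AD Connect account, or a deliberately provisioned backup service is a standing DCSync capability, whether or not it has been used yet.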
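An audit for the cloud persistence described in this section (credentials added to Office 365 Service Principals and Applications that can read mail or files), as an added example that is not from the article or from CrowdStrike. It assumes the Microsoft.Graph PowerShell SDK and a signed-in identity with Application.Read.All; the well-known Microsoft Graph appId used to resolve permission names is a real constant, and the list of permissions treated as sensitive is an assumption you should extend for your tenant.

```powershell
# Added example: list every Azure AD service principal and app registration that carries
# a secret or certificate, newest first, and show which tenant-wide mail/file read
# permissions the service principal holds. Requires Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Application.Read.All' | Out-Null

# Microsoft Graph's own service principal (well-known appId). Its AppRoles table maps the
# AppRoleId on an assignment to a readable permission name such as Mail.Read.
$graphSp   = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleNames = @{}
foreach ($r in $graphSp.AppRoles) { $roleNames[$r.Id] = $r.Value }

# Application permissions that read every mailbox or every OneDrive/SharePoint site.
# Assumed starting list; extend with any others you consider equivalent.
$SensitiveRoles = @('Mail.Read', 'Mail.ReadWrite', 'Files.Read.All', 'Files.ReadWrite.All',
                    'Sites.Read.All', 'Sites.ReadWrite.All')

function Get-ObjectCredentials {
    # One row per secret or certificate attached to a service principal or app registration.
    param($Object, [string]$Kind)
    $rows = @()
    foreach ($c in @($Object.PasswordCredentials | Where-Object { $_ })) {
        $rows += [pscustomobject]@{ Kind = $Kind; Object = $Object.DisplayName; ObjectId = $Object.Id
                                    CredType = 'Secret'; KeyId = $c.KeyId
                                    Added = $c.StartDateTime; Expires = $c.EndDateTime }
    }
    foreach ($c in @($Object.KeyCredentials | Where-Object { $_ })) {
        $rows += [pscustomobject]@{ Kind = $Kind; Object = $Object.DisplayName; ObjectId = $Object.Id
                                    CredType = 'Certificate'; KeyId = $c.KeyId
                                    Added = $c.StartDateTime; Expires = $c.EndDateTime }
    }
    $rows
}

function Get-SensitiveGraphPermissions {
    # Names of the sensitive Microsoft Graph application permissions granted to a service principal.
    param($ServicePrincipal)
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipal.Id -All |
        Where-Object { $_.ResourceId -eq $graphSp.Id } |
        ForEach-Object { $roleNames[$_.AppRoleId] } |
        Where-Object { $_ -in $SensitiveRoles }
}

$report = @(foreach ($sp in Get-MgServicePrincipal -All) {
    $creds = @(Get-ObjectCredentials -Object $sp -Kind 'ServicePrincipal')
    if ($creds.Count -eq 0) { continue }
    $perms = @(Get-SensitiveGraphPermissions -ServicePrincipal $sp) -join ', '
    foreach ($row in $creds) {
        $row | Add-Member -NotePropertyName SensitivePermissions -NotePropertyValue $perms -PassThru
    }
})

# App registrations carry credentials too; a secret added to the app authenticates as its
# service principal, so it inherits whatever permissions that principal has been granted.
$report += @(foreach ($app in Get-MgApplication -All) {
    Get-ObjectCredentials -Object $app -Kind 'Application'
})

# Newest credentials first. An attacker-added secret is usually the most recent one, and a
# recent credential on an object that also holds Mail.Read or Sites.Read.All is the case to
# chase first: that combination is exactly the read-everything persistence the report describes.
$report | Sort-Object Added -Descending |
    Format-Table Added, Kind, Object, CredType, SensitivePermissions -AutoSize
```

Two caveats a practitioner will want: this only resolves Microsoft Graph permissions, so legacy Exchange Online or SharePoint application roles granted on those resource service principals need the same lookup against their AppRoles, and the snapshot should be paired with the Azure AD audit log, where the credential addition itself is recorded with the actor who performed it.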
Conclusion
The discovery of two more malicious implants shows how capable and advanced APT29 is. The group has deep knowledge of Linux, Windows, Microsoft Azure, Office 365, and Active Directory. Organizations are therefore advised to implement a multi-layered defense strategy rather than rely on any single control.