Microsoft, the American multinational company, is continuing its investigation and working with partners and customers to gather more information about the threat actor behind the SolarWinds supply chain attack, which compromised SolarWinds itself and impacted many different organizations. Over 18,000 customers, including US government agencies, are said to have been affected by this massive attack. As a result, on March 8 Microsoft identified three new pieces of malware: GoldMax, Sibot and GoldFinder.
GoldMax is known to establish itself on a network as a scheduled task that masquerades as management software. The task points to a subdirectory under ProgramData, where an executable with a similar name, the GoldMax implant, is located. The malware writes an encrypted configuration file to disk, encrypted with AES-256 in Cipher Feedback (CFB) mode and Base64-encoded. On execution, GoldMax Base64-decodes and AES-256-decrypts the configuration to reveal a custom structure composed of dynamically generated and hard-coded values.
Sibot is a dual-purpose malware implemented in VBScript. VBScript is an active scripting language developed by Microsoft and modelled on Visual Basic; here it is used to maintain persistence on the affected machine and to automatically download and run a payload from a remote command-and-control (C2) server. The VBScript file is given a name that resembles a legitimate Windows task and is stored either in the registry of the compromised system or in an obfuscated form on disk, and is then run via a scheduled task. There are three variants of this malware. Variant A installs only the Sibot malware into the default value under its registry key. Variant B registers a scheduled task programmed to run daily. Variant C is a stand-alone version that runs directly from a file.
The last malware is GoldFinder, a custom HTTP tracing tool that records the route, or hops, that a packet takes to reach a hard-coded C2 server. Once launched, the malware sends an HTTP request to a hard-coded IP address and records the HTTP response in a plaintext log file. It uses the labels Target (the C2 URL), StatusCode (the HTTP response code), Headers (the HTTP response headers and their values) and Data to store the request and response information in the log file.
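Both GoldMax and Sibot persist through scheduled tasks, so a defender's first triage step is to review task creation records. The following script is an added example (not from this article or from Microsoft's report) that flags the two patterns described above: a task launching an executable from a ProgramData subdirectory, and a task invoking the Windows script host to run a VBScript. The task records and paths are constructed for illustration.

```python
import re

# Constructed sample of scheduled-task creation records (shaped like Windows
# Security event 4698: task name plus the command it runs). Not real artefacts.
SAMPLE_TASKS = [
    ("\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     r"C:\Windows\System32\defrag.exe -c -h -k -g"),
    # GoldMax-style: management-software name, binary under ProgramData
    ("\\MgmtSoft Update Service",
     r"C:\ProgramData\MgmtSoft\mgmtsoft.exe"),
    # Sibot-style (variant B/C): benign-looking name, runs a VBScript daily
    ("\\Windows Update Cleanup",
     r"C:\Windows\System32\wscript.exe //B C:\Windows\Temp\cleanup.vbs"),
    ("\\Adobe Acrobat Update Task",
     r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"),
]

# An .exe located in a direct subdirectory of ProgramData
PROGRAMDATA_EXE = re.compile(
    r"^[A-Za-z]:\\ProgramData\\[^\\]+\\[^\s]+\.exe", re.IGNORECASE)
# The Windows script hosts that execute VBScript
SCRIPT_HOST = re.compile(r"\\(wscript|cscript)\.exe\b", re.IGNORECASE)


def triage_task(name, command):
    """Return the reasons a scheduled task resembles GoldMax or Sibot
    persistence; an empty list means nothing matched."""
    reasons = []
    if PROGRAMDATA_EXE.match(command):
        reasons.append("executable launched from a ProgramData subdirectory (GoldMax-style)")
    if SCRIPT_HOST.search(command):
        reasons.append("script host running a VBScript (Sibot-style)")
    return reasons


def triage_all(tasks):
    """Map task name -> reasons for every task that matched at least one rule."""
    flagged = {}
    for name, command in tasks:
        reasons = triage_task(name, command)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for task_name, why in triage_all(SAMPLE_TASKS).items():
        print(task_name, "->", "; ".join(why))
```

Matches are leads for review, not verdicts: some legitimate software also runs from ProgramData, so confirm the binary's publisher and hash before acting.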
In the fight against malware, all users should promote awareness of cyberattacks and of the security measures available against them.
By Navya Swarup (Campus Ambassador, WCSF)