Researchers discovered that the hackers behind the SolarWinds supply-chain breach used two additional sophisticated viruses in their campaigns, which were installed on the victims’ systems much earlier.
What are the new threats that have been discovered?
One of the newly identified dangerous implants, according to CrowdStrike, is a variant of the GoldMax backdoor for Linux computers, and another is a new malware family known as TrailBlazer.
Since mid-2019, StellarParticle campaigns (linked to the APT29 hacking group) have used GoldMax and TrailBlazer. They were only identified two years later, during incident response investigations.
Researchers analysed the User Access Logging (UAL) database during their incident response efforts to uncover previous fraudulent account activities and discovered TrailBlazer malware and GoldMax for Linux.
Although GoldMax for Linux is nearly identical in functionality and implementation to the previously identified Windows counterpart in May 2020, TrailBlazer is a whole new malware family.
Taking a closer look at the new TrailBlazer implant
TrailBlazer uses the Windows Management Instrumentation (WMI) Event Subscriptions to establish persistence while masquerading as a legitimate file name, a technique discovered in 2019.
TrailBlazer communicates with the C2 server by masquerading HTTP requests as legitimate Google Notifications.
It shares similarities with other malware families used by the same threat actor, such as GoldMax and Sunburst, and has modular functionality and a low prevalence.
Procedures, tactics, and techniques
Researchers have provided detailed information about the TTPs observed in cyberattacks in the report.
Credential hopping, hijacking Office 365 Service Principal and Application, bypassing MFA by collecting browser cookies, and stealing credentials with Get-ADReplAccount were all employed by the organisation.
The report details the measures followed by the APT29 group to gain persistence, which allowed them to view any hacked organization’s email and OneDrive/SharePoint files.
Conclusion
The recent discovery of two new harmful implants demonstrates APT29’s capability and sophistication. The team has a broad understanding of Linux, Windows, Microsoft Azure, Office 365, and Active Directory. As a result, enterprises should create a multi-layered defence strategy to stay safe.
