The ongoing multi-vendor investigations into the SolarWinds mega-hack took a new turn this week when additional malware artifacts were discovered that could be leveraged in future supply chain operations.
The current session of attacks linked to the APT29/Nobelium threat actor contains a custom downloader that is part of a “poisoned update installer” for electronic keys used by the Ukrainian government, according to a recent study from anti-malware firm SentinelOne.
Juan Andrés Guerrero-Saade, SentinelOne’s principal threat researcher, detailed the latest discovery in a blog post that extends on prior Microsoft and Volexity investigations. “At this time, the means of distribution [for the poisoned update installer] are unknown. It’s possible that these update archives are being used as part of a regionally-specific supply chain attack,” Guerrero-Saade stated.
According to Guerrero-Saade, the most recent iteration of malware related to Nobelium uses a convoluted multi-stage infection chain with five to six layers. This involves the usage of NativeZone, a booby-trapped update installer for a Ukrainian cryptographic smartkey used in government operations, which uses ‘DLL stageless’ downloaders.
The Cobalt Strike Beacon payload, according to Guerrero-Saade’s analysis of the campaign, serves as an “early scout” that allows for the targeted dissemination of unique payloads directly into memory.
“After years of burned iterations on custom toolkits, [this APT] has opted for maximizing return on investment by simply lowering their upfront investment.”
“After years of burned iterations on custom toolkits, [this APT] has opted for maximizing return on investment by simply lowering their upfront investment.”
Furthermore, he added, because they don’t have visibility into its distribution channels, they won’t call it a supply chain attack. The poisoned installer might be supplied to victims who rely on this regional solution directly. Alternatively, the attackers may have found a way to disseminate their malicious ‘update’ by abusing an internal resource.
Background
A Russia-linked threat group was suspected of being behind the SolarWinds hack seen initiating a new campaign. The attacks involved a genuine bulk mailing service and impersonation of a government entity, and they targeted the United States and other countries.
Microsoft tracked the threat actor as Nobelium, and incident response firm Volexity, which discovered some similarities to APT29, a prominent cyberspy outfit previously linked to Russia, evaluated the recent assault.
Government agencies, think tanks, NGOs, and consultants were among the target groups. Microsoft stated at least a quarter of the targets are involved in human rights and international development work.
