Two things from this article. 1. SolarWinds really is the gift that keeps on giving. 2. The rush to attribution at the moment a hack is discovered is foolish. It takes time to uncover what’s really happened…:
According to Microsoft, these malware strains come with the following capabilities:
- GoldMax: Go-based malware used as a command-and-control backdoor for hiding malicious activity and evading detection. It also has a decoy network traffic generator for concealing malicious network traffic with seemingly benign traffic.
- Sibot: VBScript-based malware used for maintaining persistence and downloading additional malware payloads using a second-stage script.
- GoldFinder: Go-based malware “most likely” used as a custom HTTP tracer tool for detecting servers and redirectors, such as network security devices, sitting between the infected devices and the C2 server.
Earlier today, FireEye also shared information on another new second-stage backdoor discovered on the servers of an organization compromised by the SolarWinds hackers.