Poisoned Installers Found in SolarWinds Hackers Toolkit

The ongoing multi-vendor investigations into the SolarWinds mega-hack took a new turn this week when additional malware artifacts were discovered that could be leveraged in future supply chain operations. 

The current session of attacks linked to the APT29/Nobelium threat actor contains a custom downloader that is part of a “poisoned update installer” for electronic keys used by the Ukrainian government, according to a recent study from anti-malware firm SentinelOne. 

Juan Andrés Guerrero-Saade, SentinelOne’s principal threat researcher, detailed the latest discovery in a blog post that extends on prior Microsoft and Volexity investigations. “At this time, the means of distribution [for the poisoned update installer] are unknown. It’s possible that these update archives are being used as part of a regionally-specific supply chain attack,” Guerrero-Saade stated. 

According to Guerrero-Saade, the most recent iteration of malware related to Nobelium uses a convoluted multi-stage infection chain with five to six layers. This involves the usage of NativeZone, a booby-trapped update installer for a Ukrainian cryptographic smartkey used in government operations, which uses ‘DLL stageless’ downloaders. 

The Cobalt Strike Beacon payload, according to Guerrero-Saade’s analysis of the campaign, serves as an “early scout” that allows for the targeted dissemination of unique payloads directly into memory. “After years of burned iterations on custom toolkits, [this APT] has opted for maximizing return on investment by simply lowering their upfront investment.” 

Furthermore, he added, because they don’t have visibility into its distribution channels, they won’t call it a supply chain attack. The poisoned installer might be supplied to victims who rely on this regional solution directly. Alternatively, the attackers may have found a way to disseminate their malicious ‘update’ by abusing an internal resource. 

Background 

A Russia-linked threat group was suspected of being behind the SolarWinds hack seen initiating a new campaign. The attacks involved a genuine bulk mailing service and impersonation of a government entity, and they targeted the United States and other countries.

Microsoft tracked the threat actor as Nobelium, and incident response firm Volexity, which discovered some similarities to APT29, a prominent cyberspy outfit previously linked to Russia, evaluated the recent assault. 

Government agencies, think tanks, NGOs, and consultants were among the target groups. Microsoft stated at least a quarter of the targets are involved in human rights and international development work.