UNC2452 (Nobelium) Threat Group Uses GoldMax, GoldFinder, and Sibot Malware

Keep up to date with latest blog posts

Picus Labs has updated the Picus Threat Library with new attack methods for malware samples used by the UNC2452 (also known as Nobelium, Dark Halo, SolarStorm, and StellarParticle) Advanced Persistent Threat (APT) Group. UNC2452 is believed to be a Russian government-sponsored threat group that has targeted victims in North America, Europe, Asia, and the Middle East. The majority of the group's targets are government, consulting, technology, and telecom sectors. UNC2452 (Nobelium) uses several tools in their attack campaigns, including SUNBURST, SUNSPOT, SUPERNOVA, TEARDROP, RAINDROP, SOLARFLARE, SUNSHUTTLE, Cobalt Strike, and Mimikatz.

Three Malware Used by UNC2452  Was Revealed

Let’s remember the UNC2452 group. In December 2020, the security firm FireEye suffered a data breach (read more: How to Defend Against FireEye’s Red Team Tool). When they looked at how the hack occurred, they discovered that it was caused by a malicious software update to the SolarWinds Orion platform – a supply-chain attack (read more: TTPs Used in the SolarWinds Breach). FireEye also discovered they were just one example of a major breach at dozens of organizations, many of which are government and military entities, after following the malicious infrastructure.

Microsoft identified three malware families used in the SolarWinds Orion espionage attacks dubbed "Solorigate", while Microsoft security researchers have renamed it "Nobelium [1]." They are tailored for various types of networks and may have been on compromised systems since June 2020.

GoldMax is used by UNC2452 as a command-and-control backdoor. It is written in the Go programming language. To hide its activities, it generates dummy traffic.

Sibot is a VBScript-based malware that allows attackers to download and run payloads from a remote command-and-control server. It uses file names that are similar to those used in Windows for masquerading. The VBScript is executed through a scheduled task.

GoldFinder is another Go malware used by attackers to access a hardcoded command-and-control (C2) server by logging the route or hops that a packet takes like an HTTP tracer tool.

Picus Labs has updated the Picus Threat Library with GoldMax, Sibot, and GoldFinder malware samples used by the UNC2452 threat group.

Picus ID

Threat Name

738336

GoldFinder Trojan used by UNC2452 .EXE File Download Variant-3

851584

GoldFinder Trojan used by UNC2452 .EXE File Download Variant-2

410507

GoldFinder Trojan used by UNC2452 .EXE File Download Variant-1

257392

 GoldMax Backdoor Trojan used by UNC2452 .EXE File Download Variant-3

488977

 GoldMax Backdoor Trojan used by UNC2452 .EXE File Download Variant-2

448429

 GoldMax Backdoor Trojan used by UNC2452 .EXE File Download Variant-1

517293

Sibot Trojan used by UNC2452 .VBS File Download Variant-3

381580

Sibot Trojan used by UNC2452 .VBS File Download Variant-2

674306

Sibot Trojan used by UNC2452 .VBS File Download Variant-1

Other Threats of UNC2452 in Picus Threat Library

Picus Threat Library consists of 18 threats of the UNC2452 (Nobelium) threat actor, including:

  • UNC2452 Threat Group SolarWinds/SUNBURST Campaign Attack Scenario
  • SolarWinds Orion Local File Inclusion (LFI) Vulnerability
  • Sunburst Backdoor used in Global Intrusion Campaign

 MITRE ATT&CK Techniques used by UNC2452 in This Campaign

GoldMax

  • Persistence
    • Kernel Modules and Extensions
  • Defense Evasion
    • Modify Registry
    • Query Registry
  • Discovery
    • Commonly Used Port
  • Command and Control
    • Software Packing
  • Execution
    • Local Job Scheduling
    • Hooking
  • Persistence
    • Hooking
    • Scripting
  • Privilege Escalation
    • Hooking
  • Defense Evasion
    • Scripting
  • Credential Access
    • Local Job Scheduling
  • Persistence
    • Hooking
    • Kernel Modules and Extensions
  • Privilege Escalation
    • Hooking
  • Defense Evasion
    • Deobfuscate/Decode Files or Information
    • Modify Registry
    • Software Packing
    • Virtualization/Sandbox Evasion
  • Credential Access
    • Hooking
  • Discovery
    • Query Registry
    • Virtualization/Sandbox Evasion
  • Command and Control
    • Commonly Used Port

References

[1] https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobeliummalware/

Subscribe

Keep up to date with latest blog posts