Microsoft has started tracking the threat actor behind the SolarWinds attack as NOBELIUM. The company has identified three new pieces of malware that it believes are used by the group after they have compromised the targeted organization’s network. The malware, named GoldMax, GoldFinder and Sibot, has been used to maintain persistence and for other “very specific” actions.
GoldMax, a malware developed in Go and designed to act as a command and control backdoor, persists by creating a scheduled task that impersonates system management software. The malware allows its operators to download and execute files on the compromised device, upload files to the C&C server, execute OS commands, spawn a command shell, and update the malware’s configuration data.