New Blog Post | GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence


GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence - Microsoft Security (https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/)

Author(s):

  • Ramin Nafisi Microsoft Threat Intelligence Center
  • Andrea Lelli Microsoft 365 Defender Research Team
  • Microsoft Threat Intelligence Center (MSTIC)
  • Microsoft 365 Defender Threat Intelligence Team


Microsoft continues to work with partners and customers to expand our knowledge of the threat actor behind the nation-state cyberattacks (https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/) that compromised the supply chain of SolarWinds and impacted multiple other organizations. As we have shared previously, we have observed the threat actor using both backdoor and other malware implants to establish sustained access to affected networks. As part of our commitment to transparency and intelligence-sharing in the defender community, we continue to update analysis and investigative resources (https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/) as we discover new tactics and techniques used by the threat actor.
