In this technique, malicious Office documents containing VBA code are saved within streams of CFBF files, with VBA macros saving data in a hierarchy including various types of streams.
In a recent attack, the group has been observed actively using a newly developed Internet Relay Chat (IRC) bot dubbed TNTbotinger, which can be used to perform DDoS attacks.
The recent attacks use payloads hosted on a new GitHub repository, which includes a Linux-based cryptominer, a list of passwords for brute-force attacks, and a statically linked Python 3.9 interpreter.
The attackers made changes to software installers available for download from a Vietnam government website. In addition, they added a backdoor to target users of a legitimate application.
The recent supply chain attack has proven to be one of the most damaging attacks of 2020. Several distinct malware families have emerged in relation to the compromise. These include the SUNBURST backdoor, SUPERNOVA, COSMICGALE & TEARDROP.
The digital landscape is far too complex for those who rely on it—us—to monitor all the ways we’re exposed. Major factors determining whether our data will be used against us are completely out of our control.
These extensions installed in more than 8 million users’ browsers accessed a remote server in the background, trying to download malicious code, a process that our security solutions detect as dangerous.
SolarWinds has released an updated security advisory for the additional SuperNova malware discovered to have been distributed through the company’s network management platform.
Before reaching out to its C2 server, SUNBURST performs numerous checks to ensure no analysis tools are present. It checks process names, file write timestamps, and Active Directory (AD) domains before proceeding.
The Sponsors are acquiring the business from previous investors Paladin Capital Group, Grotech Ventures, and other shareholders, and the acquisition follows Goldman Sachs’ and ClearSky’s initial investment in the Company earlier this year.