Ongoing multi-vendor investigations into the SolarWinds megahack took another turn this week with the discovery of new malware artifacts that could be used in future supply chain attacks. According to a new report, the latest wave of attacks attributed to the Nobelium threat actor includes a custom downloader delivered inside a “poisoned update installer” for electronic keys used by the Ukrainian government.

SentinelOne's Juan Andrés Guerrero-Saade, one of the field's leading threat researchers, documented the latest finding in a blog post that builds on earlier Microsoft and Volexity investigations. “At this time, the means of distribution of the poisoned update installers are unknown. It is possible that these update files are being used as part of a specific regional supply chain attack.”

The post continues: “In particular, one of these NativeZone downloaders is being used as part of a nifty poisoned installer targeting Ukrainian government security applications. A zip file is used to package legitimate components together with a malicious DLL; the malicious KM.Filesystem.dll was designed to impersonate a legitimate component of the same name from the Ukraine Institute of Technology's cryptographic keys. It even mimics the same two exported functions as the original.”

“We do not refer to this as a supply chain attack, as we lack visibility into their means of distribution. The poisoned installer can be delivered directly to the relevant victims who depend on this regional solution. Alternatively, the attackers may have found a way to abuse an internal resource to distribute their malicious update.”
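The impersonation described above, a DLL dropped beside legitimate components under the real component's name and exposing the same two exports, is exactly what a packaging integrity check can catch: the public surface matches the original, the bytes do not. The following Python is an added example and is not code from the article, from SentinelLabs or from the IIT software. It parses the PE export table with the standard library only, then audits every DLL inside an installer zip against a known-good baseline of SHA-256 hash plus export names. The export names, the baseline, the DLL images and the zip are all constructed stand-ins; the article does not name the two real exported functions.

```python
import hashlib
import io
import struct
import zipfile

def _rva_to_offset(rva, sections):
    # Map a relative virtual address to a file offset using the section table.
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not mapped by any section")

def pe_export_names(data):
    """Return the exported function names of a PE32/PE32+ image (stdlib only, no pefile)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsect, = struct.unpack_from("<H", data, pe + 6)        # COFF NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)    # COFF SizeOfOptionalHeader
    opt = pe + 24
    magic, = struct.unpack_from("<H", data, opt)
    dd = opt + {0x10B: 96, 0x20B: 112}[magic]              # data directories: PE32 vs PE32+
    export_rva, = struct.unpack_from("<I", data, dd)       # entry 0 = export table
    if export_rva == 0:
        return []
    sections = []
    for i in range(nsect):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    exp = _rva_to_offset(export_rva, sections)
    n_names, = struct.unpack_from("<I", data, exp + 24)    # NumberOfNames
    names_ptr = _rva_to_offset(struct.unpack_from("<I", data, exp + 32)[0], sections)
    names = []
    for i in range(n_names):
        off = _rva_to_offset(struct.unpack_from("<I", data, names_ptr + 4 * i)[0], sections)
        names.append(data[off:data.index(b"\0", off)].decode("ascii"))
    return names

def build_minimal_dll(export_names, code):
    """Construct a tiny PE32+ image with an export table: synthetic test input, not a loadable DLL."""
    sec_rva, sec_raw, n = 0x1000, 0x200, len(export_names)
    funcs, names, ords, strings = 40, 40 + 4 * n, 40 + 8 * n, 40 + 10 * n
    blob, name_rvas = bytearray(), []
    for nm in export_names:
        name_rvas.append(sec_rva + strings + len(blob))
        blob += nm.encode("ascii") + b"\0"
    dll_name_rva = sec_rva + strings + len(blob)
    blob += b"KM.Filesystem.dll\0" + code
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dll_name_rva, 1, n, n,
                       sec_rva + funcs, sec_rva + names, sec_rva + ords)
    body += struct.pack("<I", dll_name_rva) * n                     # placeholder function RVAs
    body += b"".join(struct.pack("<I", r) for r in name_rvas)
    body += b"".join(struct.pack("<H", i) for i in range(n)) + blob
    dos = bytearray(b"MZ").ljust(0x40, b"\0")
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew -> PE header
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x2022)  # x64, one section, DLL
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)                            # PE32+ magic
    struct.pack_into("<II", opt, 112, sec_rva, len(body))            # export directory RVA, size
    sect = struct.pack("<8sIIIIIIHHI", b".edata", len(body), sec_rva, len(body), sec_raw,
                       0, 0, 0, 0, 0x40000040)
    return bytes((dos + b"PE\0\0" + coff + opt + sect).ljust(sec_raw, b"\0") + body)

def audit_package(zip_bytes, baseline):
    """Check every DLL in an installer zip against {filename: (sha256 hex, sorted exports)}."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".dll"):
                continue
            data = zf.read(name)
            good_hash, good_exports = baseline.get(name, (None, None))
            if good_hash is None:
                verdicts[name] = "unknown: component not in baseline"
            elif hashlib.sha256(data).hexdigest() == good_hash:
                verdicts[name] = "ok"
            elif sorted(pe_export_names(data)) == good_exports:
                verdicts[name] = "impostor: exports match baseline but hash does not"
            else:
                verdicts[name] = "modified: hash and exports differ from baseline"
    return verdicts

EXPORTS = ["KmfsFinalize", "KmfsInit"]  # hypothetical names; the article does not give the real two
LEGIT_DLL = build_minimal_dll(EXPORTS, b"legitimate component code")
IMPOSTOR_DLL = build_minimal_dll(EXPORTS, b"downloader stub")      # same exports, different bytes
BASELINE = {"KM.Filesystem.dll": (hashlib.sha256(LEGIT_DLL).hexdigest(), EXPORTS)}

def make_package(dll):
    buf = io.BytesIO()  # constructed installer zip: stand-in setup binary plus the DLL
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Setup.exe", b"stand-in for the legitimate installer")
        zf.writestr("KM.Filesystem.dll", dll)
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_package(make_package(IMPOSTOR_DLL), BASELINE))
```

A hash baseline only covers builds you have already seen; the stronger production check keeps the same decision logic but replaces the hash comparison with Authenticode signature verification, which this example does not implement. The parser trusts the section table for RVA translation and raises on anything it cannot map, so a truncated or malformed image surfaces as an error rather than being reported as clean.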
