Skip to main content

Microsoft has discovered yet more SolarWinds malware

Zero-day attack
(Image credit: Shutterstock.com)

Microsoft has released its current findings into the SolarWinds attack that continues to shake the global cybersecurity industry. 

So far, the technology firm has been able to outline attack methods, malware strains, and mitigation strategies but continues to stress that the full extent of the cyberattack remains unknown.

According to Microsoft’s investigation, the SolarWinds attack was able to take place due to a compromised DLL file associated with the Orion infrastructure management platform. The insertion of malicious code into this file created a backdoor for hackers to exploit, allowing them to subsequently carry out a hands-on keyboard attack.

“In many of their actions, the attackers took steps to maintain a low profile,” the Microsoft 365 Defender Research Team explained. “For example, the inserted malicious code is lightweight and only has the task of running a malware-added method in a parallel thread such that the DLL’s normal operations are not altered or interrupted. This method is part of a class, which the attackers named OrionImprovementBusinessLayer to blend in with the rest of the code. The class contains all the backdoor capabilities, comprising 13 subclasses and 16 methods, with strings obfuscated to further hide malicious code.”

More malware

In a detailed blog post, Microsoft continued by explaining that the DLL backdoor allows attackers to deliver second-stage payloads. Altogether, the technology giant has highlighted several malware strains affecting the SolarWinds platform.

The SolarWinds attack caused huge headlines when it broke last week, with high-level US Government agencies among those affected. US Secretary of State Mike Pompeo has recently come out in support of accusations blaming Russia for the cyberattack.

Fortunately, Microsoft Defender has been equipped to block the malicious SolarWinds DLL. The antivirus program will also isolate associated malware, even if the process is still running.