Skip to main content

Microsoft has discovered yet more SolarWinds malware

Zero-day attack
(Image credit: Shutterstock.com)
Audio player loading…

Microsoft has released its current findings into the SolarWinds attack that continues to shake the global cybersecurity industry. 

So far, the technology firm has been able to outline attack methods, malware (opens in new tab) strains, and mitigation strategies but continues to stress that the full extent of the cyberattack remains unknown.

According to Microsoft’s investigation, the SolarWinds attack was able to take place due to a compromised DLL file associated with the Orion infrastructure management platform. The insertion of malicious code into this file created a backdoor for hackers to exploit, allowing them to subsequently carry out a hands-on keyboard attack.

“In many of their actions, the attackers took steps to maintain a low profile,” the Microsoft 365 Defender Research Team explained (opens in new tab). “For example, the inserted malicious code is lightweight and only has the task of running a malware-added method in a parallel thread such that the DLL’s normal operations are not altered or interrupted. This method is part of a class, which the attackers named OrionImprovementBusinessLayer to blend in with the rest of the code. The class contains all the backdoor capabilities, comprising 13 subclasses and 16 methods, with strings obfuscated to further hide malicious code.”

More malware

In a detailed blog post, Microsoft continued by explaining that the DLL backdoor allows attackers to deliver second-stage payloads. Altogether, the technology giant has highlighted several malware strains affecting the SolarWinds platform.

The SolarWinds attack caused huge headlines when it broke last week (opens in new tab), with high-level US Government agencies among those affected. US Secretary of State Mike Pompeo has recently (opens in new tab) come out in support of accusations blaming Russia for the cyberattack.

Fortunately, Microsoft Defender has been equipped to block the malicious SolarWinds DLL. The antivirus program will also isolate associated malware, even if the process is still running.

Barclay has been writing about technology for a decade, starting out as a freelancer with ITProPortal covering everything from London’s start-up scene to comparisons of the best cloud storage services.  After that, he spent some time as the managing editor of an online outlet focusing on cloud computing, furthering his interest in virtualization, Big Data, and the Internet of Things.