In the process of analyzing the malware responsible for the high-profile SolarWinds hack, Microsoft has discovered that the compromised software, Orion, was also infected with another, completely unrelated malware.
In a detailed analysis of the malware, published on the Microsoft blog, the company said that it found a “small persistence backdoor in the form of a DLL file named App_Web_logoimagehandler.ashx.b6031896.dll.”
“Likely unrelated to this compromise and used by a different threat actor,” the malware is programmed to allow remote code execution through SolarWinds’ web application server when installed in the folder “inetpub\SolarWinds\bin\”. Microsoft said that, because the DLL does not carry a digital signature, it most likely isn’t related to the supply chain compromise.
Still, the malicious DLL can receive a C# script from a web request, then compile and execute it.
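One way for an administrator to triage such a deployment, as an added example that is not part of the original article or of Microsoft’s analysis: the script below lists DLLs in the Orion web bin folder that are either unsigned or match the file name reported above. It assumes the drive letter (C:); the folder and file name are the ones quoted in the article.

```powershell
# Added defender-side triage check; not Microsoft's or SolarWinds' code.
# Assumes the Orion web root is under C:\inetpub\SolarWinds\bin (drive letter assumed).
param(
    [string]$BinPath      = 'C:\inetpub\SolarWinds\bin',
    [string]$KnownBadName = 'App_Web_logoimagehandler.ashx.b6031896.dll'   # name reported by Microsoft
)

if (-not (Test-Path -Path $BinPath)) {
    Write-Warning "Path not found: $BinPath"
    return
}

$findings = foreach ($dll in Get-ChildItem -Path $BinPath -Filter '*.dll' -File) {
    $sig     = Get-AuthenticodeSignature -FilePath $dll.FullName
    $reasons = @()

    # Flag the exact file name Microsoft described.
    if ($dll.Name -ieq $KnownBadName) { $reasons += 'name matches the DLL Microsoft reported' }

    # Flag anything without a valid Authenticode signature (NotSigned, HashMismatch, ...).
    if ($sig.Status -ne 'Valid')      { $reasons += "signature status: $($sig.Status)" }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            File            = $dll.FullName
            Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            SignatureStatus = $sig.Status
            LastWriteUtc    = $dll.LastWriteTimeUtc
            Reasons         = ($reasons -join '; ')
        }
    }
}

if ($findings) { $findings | Format-List } else { Write-Output "No unsigned or name-matching DLLs in $BinPath" }
```

Unsigned App_Web_*.dll files can be normal for a precompiled ASP.NET site, so treat the signature result as a lead for comparison against a known-good install rather than as proof of compromise on its own.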
Recently, cybersecurity experts from FireEye found that the latest update for SolarWinds’ Orion offering was compromised. The patch was served to hundreds of thousands of organizations, with 18,000 falling victim, including Microsoft.
It was later suggested that the breach originated from a compromised Office 365 account.
Because US government agencies were among the affected organizations, the breach has been described as among the most significant of the year.
Cybersecurity experts said the methodology behind the attack was unprecedented and are suggesting that state-sponsored attackers are responsible. The Russian APT29 group has been blamed by some, but the country has been silent on the matter.