Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack...
Figure 4. The inserted malicious code runs within a parallel thread.
> The modification to this function is very lightweight and could be easily overlooked—all it does is to execute the method OrionImprovementBusinessLayer.Initialize within a parallel thread, so that the normal execution flow of RefreshInternal is not altered.
Microsoft 365 Defender Research Team
Microsoft Threat Intelligence Center page ...
Notice what the code really does: it gives the attackers a backdoor from which to 'elevate privileges' [hello object-capabilities...]. The inserted thread is never granted anything explicitly; it simply inherits every permission the host Orion process already holds, which is exactly the ambient authority that an object-capability discipline would refuse to hand out.
> As we’ve seen in past human-operated attacks, once operating inside a network, adversaries can perform reconnaissance on the network, elevate privileges, and move laterally. Attackers progressively move across the network until they can achieve their goal, whether that’s cyberespionage or financial gain.
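As an added illustration (this is not code from the Microsoft write-up or from SolarWinds), here is a minimal C# model of the insertion described above: one extra statement in an otherwise untouched method starts a background thread, the method's normal flow continues, and the new thread runs with the full identity of the hosting process. Only the names RefreshInternal and OrionImprovementBusinessLayer.Initialize come from the page; InventoryManager, DoRefresh and the body of Initialize are assumptions made for the example (the real Initialize is the backdoor; this stand-in only reports what the thread inherited). It targets Windows because it uses WindowsIdentity.

```csharp
// Added example, not the original SolarWinds code. Class/method names other than
// RefreshInternal and OrionImprovementBusinessLayer.Initialize are assumptions.
using System;
using System.Security.Principal;
using System.Threading;

// Stand-in for the real backdoor class. It does nothing hostile here; it only
// shows which identity and privileges the parallel thread inherits.
static class OrionImprovementBusinessLayer
{
    public static void Initialize()
    {
        // A new thread carries the process token of its creator: whatever the
        // host service can do, this code can do. No explicit grant was needed.
        var id = WindowsIdentity.GetCurrent();
        bool admin = new WindowsPrincipal(id).IsInRole(WindowsBuiltInRole.Administrator);
        Console.WriteLine($"[backdoor thread] running as {id.Name}, admin={admin}");
    }
}

// Stand-in for the legitimate class that owns RefreshInternal.
static class InventoryManager
{
    // The benign work the method was always supposed to do (simplified).
    static void DoRefresh()
    {
        Console.WriteLine("[RefreshInternal] refreshing inventory...");
    }

    // Trojanized version: the try block is the only inserted code.
    public static void RefreshInternal()
    {
        try
        {
            var t = new Thread(OrionImprovementBusinessLayer.Initialize)
            {
                // Background thread: it neither blocks RefreshInternal nor keeps
                // the process alive, so the host behaves exactly as before.
                IsBackground = true
            };
            t.Start();
        }
        catch
        {
            // Swallow everything: a failure in the backdoor must never surface
            // to the host's callers or logs.
        }

        DoRefresh(); // normal execution flow is unchanged
    }
}

class Program
{
    static void Main()
    {
        Console.WriteLine($"[host] process runs as {WindowsIdentity.GetCurrent().Name}");
        InventoryManager.RefreshInternal();
        Thread.Sleep(200); // give the background thread time to print before exit
    }
}
```

Run it under a service account or an elevated prompt and the two lines print the same identity: the "backdoor" thread did nothing to elevate itself, it started out with everything the host already had. That is the point of the object-capabilities aside above: the inserted line would be harmless in a design where code must be handed its authority explicitly, and it is a full compromise in one where any code loaded into the process gets the process's authority by default.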