As reported by our friend at The Register:
Another form of malware has been spotted on servers backdoored in the SolarWinds’ Orion fiasco.
The strain, identified as SUNSHUTTLE by FireEye, is a second-stage backdoor written in Go. It communicates with its command-and-control server over HTTPS, exfiltrates data, and can fetch and run additional code as needed. Someone based in the US, perhaps at an infected organization, uploaded the malware to a public malware repository in August last year (August 2020) for analysis, well before the cyber-spying campaign became public.
Brandon Wales, acting director of the US Cybersecurity and Infrastructure Security Agency (CISA), warned that it could take 18 months to clean up this mess, and that is looking increasingly likely.