The SunBurst trojan was first reported on December 8th, 2020, and has been making headlines ever since. The Sunburst malware is significant both for its strategic and highly developed malicious logic and for its many targeted high-profile victims.
Reminiscent of the Duqu 2.0 nation-state attack in 2015, which successfully infiltrated Kaspersky, the sophistication of the Sunburst attack is indicative of a nation-state group that is sufficiently well-resourced to conduct the in-depth research and development that it would have necessitated. This is evident in the identification of Orion as a prime target to host a backdoor and the many other multiple evasion techniques that successfully avoided its detection for months in 2020.
Orion, the SolarWinds product that was compromised, was used by about 33,000 public and private sector customers, many of which were Fortune 500 companies and federal government agencies. This entailed the compromised data of many millions of their respective customers causing the event to be of wide public interest.
This post will provide a more elaborate description of the attack flow, as well as additional details about new developments in the battle against SunBurst.
The attackers had silently compromised the SolarWinds’ software development framework/infrastructure used for building Orion’s software updates allowing the adversaries to patch the update packages, specifically its component “SolarWinds.Orion.Core.BusinessLayer.dll”.
Like other updates, the infected Orion Windows Installer patches were available to users for download on SolarWind’s official website.
Once an infected patch installer was executed, the patch’s intended legitimate functionality took place, but the attacker’s code did as well. When the infected DLL was called, the malicious code inserted into it by the threat actors made sure that the SunBurst backdoor would be executed each time the legitimate task was run.
In the short term, the backdoor stayed dormant for 12 to 14 days. Each time the recurring task executed it, it checked if the specified period had passed, and if not- it didn’t execute the malicious part.
Once the time threshold passed, the backdoor-related code ran a series of tests, including comparing the list of running processes against encoded blacklists of security analysis and antivirus related process names, driver paths, and services. If one of the blacklisted processes was running, there would be an attempt to disable it and restart the SunBurst backdoor malware.
If the system passed all the pre-execution tests, the malware would gather information about its execution environment and the domain it resided in and send this information to its command and control (C&C) server. The data was sent to a URL, which was unique per user, as it contained the encoded name of the infected machine’s domain. The URL was a subdomain of avsvmcloud[.]com. SunBurst also checked the IP returned for the requested domain, and if it was in a certain range, the malware terminated itself and made sure that no further executions would take place.
Using the C&C servers, attackers could reply to the end-user malware with commands to execute on the victim machine. If they found a certain domain to be particularly interesting, they would order the backdoor to connect to a different C&C server, from which additional commands could be executed and more malware samples could be downloaded.
The attackers had put a lot of thought into how to evade detection and since it took months to discover their activities, their efforts clearly paid off. Besides staying dormant for 12 to 14 days and refraining from performing malicious activities while certain security processes were running, the malware set hostnames on its C&C infrastructure to match legitimate hostnames from the victim’s environment. This enabled the malware to more effectively blend in the environment and avoid suspicion that could have alerted security analysts if they used different hostnames. Moreover, SunBusrt’s network activity was made to look like it came from the Orion Improvement Program (OIP) protocol and the malware stored reconnaissance information within legitimate plugin configuration files, so it could blend in with legitimate SolarWinds activity. The attackers also used IP addresses from the same country as the victim, using Virtual Private Servers, as out-of-country IPs could arouse suspicion.
Since the attack was first reported, Microsoft has taken substantial measures against the malware and has played an important part in the effort to neutralize it. First, the company removed the digital certificate used to sign the compromised DLL, meaning Windows systems no longer immediately trust this DLL, which is intended to cause some of its executions to fail. Next, Windows Defender was set to detect the malware and alert its presence in a compromised machine.
On December 15th, Microsoft and partners took legal action against the attackers and sinkholed the domain “avsvmcloud[.]com”, which was used as the malware’s C&C server. The domain now redirects to an IP controlled by Microsoft, which, alongside its partners, monitors the IP for incoming connections, and then informs compromised organizations about the breach.
As mentioned earlier, the end-user backdoor checks the returned IP for the C&C domain and if it is in a certain range, a “kill switch” is activated- the malware terminates itself and any plans for further execution of it are canceled. Knowing that Microsoft set the IP returned for the C&C domain to one that will turn this “kill switch” on. However, FireEye warned that in cases it investigated, attackers had established additional persistent mechanisms, which were left unaffected by this action. Their investigation showed the attackers still have a way to connect to victim machines without this backdoor.
If that wasn’t enough, on December 16th, Microsoft changed Windows Defender’s approach towards SunBurst from “Alert” to “Quarantine”.
The attack’s complexity, significance, and publicity caused many to try to analyze it. In the past few days, it was reported that a new backdoor, dubbed “Supernova”, was discovered while analyzing samples of the compromised Orion software. Similar to “SunBurst”, “Supernova” is a backdoor made to be used as a persistence mechanism. The newly discovered malware is file-less – it is compiled and executed in memory, which makes it hard to detect by security products. At this point, not many details are known about “Supernova”, but it is believed to be a part of an attack unrelated to “SunBurst”, since unlike the DLL used to deliver the latter, the DLL used to deliver the former is not signed with a legitimate SolarWinds certificate.
Recently, more organizations confirmed that they were compromised by “SunBurst”. On December 17th, the FBI, DHS-CISA, and the Office of the Director of National Intelligence (ODNI) confirmed in a joint statement, that the backdoor had affected US federal government networks. On December 21st, VMWare confirmed that its network was also compromised by the attack, but claimed that the attackers did not use their access to the network for any additional malicious purposes. Microsoft also confirmed that it found variants of the backdoor in its network, however, the company claimed that there is no evidence that attackers had accessed any customer data or compromised any of its products.
As was mentioned earlier, SunBurst backdoors connected to unique URLs, in which the domain names that they had infiltrated into were encoded. By decoding a list of subdomains generated by the malware, researchers were able to find names of well-known organizations, some of which have yet to disclose if the supply chain attack affected them. These names include Cisco, Intel, and Mediatek.
Deep Instinct is on the alert for any new developments and does everything in its power to ensure our customers are protected from any malicious file that may try to compromise their systems. We are focused on expanding and monitoring all relevant IoCs and making sure Deep Instinct’s advanced endpoint protection solution protects against them.