Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

‘Sunspot’ Malware Used to Insert Backdoor Into SolarWinds Product in Supply Chain Attack

CrowdStrike, one of the cybersecurity companies called in by IT management firm SolarWinds to investigate the recently disclosed supply chain attack, on Monday shared details about a piece of malware used by the attackers to insert a backdoor into SolarWinds’ Orion product.

CrowdStrike, one of the cybersecurity companies called in by IT management firm SolarWinds to investigate the recently disclosed supply chain attack, on Monday shared details about a piece of malware used by the attackers to insert a backdoor into SolarWinds’ Orion product.

According to CrowdStrike, the threat group behind the attack on SolarWinds used a piece of malware named Sunspot to inject the previously analyzed Sunburst backdoor into the Orion product without being detected.

SolarWinds said the attackers created trojanized Orion updates containing the Sunburst backdoor and delivered them to as many as 18,000 customers. However, it appears that only a few hundred of those customers were of interest to the attackers and received secondary payloads, such as the post-exploitation tool named Teardrop.

An analysis conducted by CrowdStrike revealed that the hackers deployed Sunspot on SolarWinds systems. Sunspot is designed to check every second for the presence of processes associated with the compilation of the Orion product on the compromised system. If such a process is detected, Sunspot replaces a single source code file to include the Sunburst backdoor.

Specifically, Sunspot looks for the MsBuild.exe process, which is associated with Microsoft Visual Studio development tools. If the process is detected, it attempts to determine if it’s being used to build Orion software.

“When SUNSPOT finds the Orion solution file path in a running MsBuild.exe process, it replaces a source code file in the solution directory, with a malicious variant to inject SUNBURST while Orion is being built,” CrowdStrike explained. “While SUNSPOT supports replacing multiple files, the identified copy only replaces InventoryManager.cs.”

Continuous Updates: Everything You Need to Know About the SolarWinds Attack

CrowdStrike said the attackers sanitized the Sunburst source code and took other steps to increase their chances of avoiding detection by SolarWinds.

Advertisement. Scroll to continue reading.

“The malicious source code for SUNBURST, along with target file paths, are stored in AES128-CBC encrypted blobs and are protected using the same key and initialization vector,” the company explained. “As causing build errors would very likely prompt troubleshooting actions from the Orion developers and lead to the adversary’s discovery, the SUNSPOT developers included a hash verification check, likely to ensure the injected backdoored code is compatible with a known source file, and also avoid replacing the file with garbage data from a failed decryption.”

After the SolarWinds breach came to light, many have been wondering exactly who was behind the attack. The U.S. government said it was likely Russia and some reports claimed it may have been the Russia-linked threat group known as APT29 and Cozy Bear. However, CrowdStrike says it currently does not attribute any of the malware used in the SolarWinds attack to a known threat actor, and it has decided to track the campaign as an activity cluster named StellarParticle.

CrowdStrike has made available indicators of compromise (IoC) and information on the tactics, techniques and procedures (TTP) associated with the Sunspot activity.

Also on Monday, Kaspersky reported finding some links between the Sunburst malware, including similarities in code and development choices, and Kazuar, a .NET backdoor that has been around since at least 2015 and which has been attributed to the Russian cyberspy group Turla. However, Kaspersky says it’s unclear if Kazuar and Sunburst have been developed by the same group.

Related: New Zero-Day, Malware Indicate Second Group May Have Targeted SolarWinds

Related: Investigation Launched Into Role of JetBrains Product in SolarWinds Hack: Reports

Related: SolarWinds Taps Firm Started by Ex-CISA Chief Chris Krebs, Former Facebook CSO Alex Stamos

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cyberwarfare

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.