CrowdStrike, one of the cybersecurity companies called in by IT management firm SolarWinds to investigate the recently disclosed supply chain attack, on Monday shared details about a piece of malware used by the attackers to insert a backdoor into SolarWinds’ Orion product.
According to CrowdStrike, the threat group behind the attack on SolarWinds used a piece of malware named Sunspot to inject the previously analyzed Sunburst backdoor into the Orion product without being detected.
SolarWinds said the attackers created trojanized Orion updates containing the Sunburst backdoor and delivered them to as many as 18,000 customers. However, it appears that only a few hundred of those customers were of interest to the attackers and received secondary payloads, such as the post-exploitation tool named Teardrop.
An analysis conducted by CrowdStrike revealed that the hackers deployed Sunspot on SolarWinds systems. Sunspot is designed to check every second for the presence of processes associated with the compilation of the Orion product on the compromised system. If such a process is detected, Sunspot replaces a single source code file to include the Sunburst backdoor.
Specifically, Sunspot looks for the MsBuild.exe process, which is associated with Microsoft Visual Studio development tools. If the process is detected, it attempts to determine if it’s being used to build Orion software.
“When SUNSPOT finds the Orion solution file path in a running MsBuild.exe process, it replaces a source code file in the solution directory, with a malicious variant to inject SUNBURST while Orion is being built,” CrowdStrike explained. “While SUNSPOT supports replacing multiple files, the identified copy only replaces InventoryManager.cs.”
CrowdStrike said the attackers sanitized the Sunburst source code and took other steps to increase their chances of avoiding detection by SolarWinds.
“The malicious source code for SUNBURST, along with target file paths, are stored in AES128-CBC encrypted blobs and are protected using the same key and initialization vector,” the company explained. “As causing build errors would very likely prompt troubleshooting actions from the Orion developers and lead to the adversary’s discovery, the SUNSPOT developers included a hash verification check, likely to ensure the injected backdoored code is compatible with a known source file, and also avoid replacing the file with garbage data from a failed decryption.”
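As an added defensive illustration (not code from CrowdStrike or SolarWinds), a build pipeline can detect the kind of in-build source substitution described above by hashing every tracked file in the solution directory before the build starts and again after it finishes, failing the build on any difference; the directory layout and file names below are constructed for the demo.

```python
"""Detect source files altered while a build is running (added example)."""
import hashlib
import tempfile
from pathlib import Path

# Assumption: these suffixes cover the files a .NET solution compiles from.
TRACKED_SUFFIXES = {".cs", ".csproj", ".sln", ".config"}


def snapshot(root):
    """Map each tracked file (path relative to root) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in TRACKED_SUFFIXES:
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_snapshots(before, after):
    """Files whose content changed, appeared, or vanished between snapshots."""
    changed = sorted(f for f in before if f in after and before[f] != after[f])
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    return {"changed": changed, "added": added, "removed": removed}


def build_tree_is_clean(before, after):
    """True only if nothing in the tracked source tree moved during the build."""
    d = diff_snapshots(before, after)
    return not (d["changed"] or d["added"] or d["removed"])


def demo():
    """Constructed scenario: a single .cs file changes between the snapshots.

    In a real pipeline the compiler (e.g. MsBuild.exe) would run between the
    two snapshot() calls; here the change is written directly to stand in for
    any unexpected modification of the tree.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Orion.sln").write_text("Microsoft Visual Studio Solution File\n")
        src = root / "Inventory" / "InventoryManager.cs"
        src.parent.mkdir()
        src.write_text("class InventoryManager { }\n")
        before = snapshot(root)
        src.write_text("class InventoryManager { /* modified */ }\n")
        after = snapshot(root)
        return diff_snapshots(before, after)
```

In CI, the pre-build snapshot would be stored outside the build host (or signed), so a compromised build machine cannot rewrite the baseline along with the source.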
After the SolarWinds breach came to light, many have been wondering exactly who was behind the attack. The U.S. government said it was likely Russia, and some reports claimed it may have been the Russia-linked threat group known as APT29 (also tracked as Cozy Bear). However, CrowdStrike says it currently does not attribute any of the malware used in the SolarWinds attack to a known threat actor, and it has decided to track the campaign as an activity cluster named StellarParticle.
CrowdStrike has made available indicators of compromise (IoCs) and information on the tactics, techniques and procedures (TTPs) associated with the Sunspot activity.
Also on Monday, Kaspersky reported finding some links between the Sunburst malware, including similarities in code and development choices, and Kazuar, a .NET backdoor that has been around since at least 2015 and which has been attributed to the Russian cyberspy group Turla. However, Kaspersky says it’s unclear if Kazuar and Sunburst have been developed by the same group.