
‘Sunspot’ Malware Used to Insert Backdoor Into SolarWinds Product in Supply Chain Attack

CrowdStrike, one of the cybersecurity companies called in by IT management firm SolarWinds to investigate the recently disclosed supply chain attack, on Monday shared details about a piece of malware used by the attackers to insert a backdoor into SolarWinds’ Orion product.

According to CrowdStrike, the threat group behind the attack on SolarWinds used a piece of malware named Sunspot to inject the previously analyzed Sunburst backdoor into the Orion product without being detected.

SolarWinds said the attackers created trojanized Orion updates containing the Sunburst backdoor and delivered them to as many as 18,000 customers. However, it appears that only a few hundred of those customers were of interest to the attackers and received secondary payloads, such as the post-exploitation tool named Teardrop.

An analysis conducted by CrowdStrike revealed that the hackers deployed Sunspot on SolarWinds systems used to build Orion. Sunspot checks every second for the presence of processes associated with the compilation of the Orion product on the compromised system. If such a process is detected, Sunspot replaces a single source code file with a version that carries the Sunburst backdoor.

Specifically, Sunspot looks for the MsBuild.exe process, the Microsoft build engine that ships with Visual Studio development tools. When the process is detected, Sunspot inspects it to determine whether it is being used to build Orion software.

“When SUNSPOT finds the Orion solution file path in a running MsBuild.exe process, it replaces a source code file in the solution directory, with a malicious variant to inject SUNBURST while Orion is being built,” CrowdStrike explained. “While SUNSPOT supports replacing multiple files, the identified copy only replaces InventoryManager.cs.”
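The defensive counterpart to the mechanism described above is a source-integrity check on the build tree. The following is an added example written for this page, not code from the article, CrowdStrike or SolarWinds: it pins every build input to a trusted manifest of SHA-256 hashes, diffs the tree before and after the build, and additionally hashes each input at the moment the build reads it. The solution layout, file contents, build callback and manifest are all constructed for illustration.

```python
"""
Added example, not code from the article, CrowdStrike or SolarWinds: a
source-integrity check for a build tree, written to show how a single
source file swapped while MSBuild is running could be caught.

Everything here is constructed for illustration: the solution layout,
the file contents, the "build" callback and the trusted manifest are
hypothetical.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Callable, Dict, List

# File types treated as build inputs worth pinning (assumption).
SOURCE_SUFFIXES = {".cs", ".csproj", ".sln"}


class IntegrityError(Exception):
    """Raised when a build input does not match the trusted manifest."""


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(solution_dir: Path) -> Dict[str, str]:
    """Map each source file (path relative to the solution) to its SHA-256.

    In practice this is generated from a clean checkout and stored outside
    the build host; here it is simply kept in memory."""
    manifest = {}
    for p in sorted(solution_dir.rglob("*")):
        if p.is_file() and p.suffix.lower() in SOURCE_SUFFIXES:
            manifest[p.relative_to(solution_dir).as_posix()] = sha256_bytes(p.read_bytes())
    return manifest


def diff_manifests(expected: Dict[str, str], observed: Dict[str, str]) -> Dict[str, List[str]]:
    return {
        "modified": sorted(k for k in expected if k in observed and expected[k] != observed[k]),
        "missing": sorted(k for k in expected if k not in observed),
        "added": sorted(k for k in observed if k not in expected),
    }


def read_verified(solution_dir: Path, rel_path: str, manifest: Dict[str, str]) -> bytes:
    """Read a build input and check its hash at the moment it is consumed.

    A snapshot taken before and after the build misses a file that is
    swapped and then put back while the compiler runs; hashing the bytes
    as they are read does not."""
    data = (solution_dir / rel_path).read_bytes()
    expected = manifest.get(rel_path)
    if expected is None:
        raise IntegrityError(f"{rel_path}: not in trusted manifest")
    if sha256_bytes(data) != expected:
        raise IntegrityError(f"{rel_path}: hash mismatch")
    return data


def verified_build(solution_dir: Path, manifest: Dict[str, str],
                   run_build: Callable[[Callable[[str], bytes]], None]) -> Dict[str, object]:
    """Diff the tree before and after the build, and hand the build a
    verified reader for every input it consumes."""
    result: Dict[str, object] = {"errors": []}
    result["before"] = diff_manifests(manifest, build_manifest(solution_dir))
    try:
        run_build(lambda rel: read_verified(solution_dir, rel, manifest))
    except IntegrityError as e:
        result["errors"].append(str(e))
    result["after"] = diff_manifests(manifest, build_manifest(solution_dir))
    result["clean"] = (not result["errors"]
                       and not any(result["before"].values())
                       and not any(result["after"].values()))
    return result


def demo(tamper: bool) -> Dict[str, object]:
    """Constructed scenario: a two-file 'solution'. With tamper=True a
    source file is replaced just before the build reads it and restored
    afterwards, so a before/after tree diff alone would report nothing."""
    with tempfile.TemporaryDirectory() as tmp:
        sln = Path(tmp)
        (sln / "Orion.sln").write_text("# constructed solution file\n")
        src = sln / "Src"
        src.mkdir()
        target = src / "InventoryManager.cs"
        target.write_text("class InventoryManager { }\n")
        manifest = build_manifest(sln)  # taken from the clean tree

        def run_build(read_input: Callable[[str], bytes]) -> None:
            original = target.read_bytes()
            if tamper:
                target.write_text("class InventoryManager { /* injected */ }\n")
            try:
                read_input("Orion.sln")
                read_input("Src/InventoryManager.cs")
            finally:
                target.write_bytes(original)  # swap reversed before the post-build snapshot

        return verified_build(sln, manifest, run_build)
```

With `tamper=True` the before and after diffs are both empty, and only the per-read check reports `Src/InventoryManager.cs: hash mismatch`; with `tamper=False` the build is reported clean. The caveat a practitioner should keep in mind is that any check running on the same host as the build can itself be tampered with, so the trusted manifest belongs outside the build environment, and the strongest control is to compare the produced binary against an independent rebuild from a clean checkout.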


CrowdStrike said the attackers sanitized the Sunburst source code and took other steps to increase their chances of avoiding detection by SolarWinds.

“The malicious source code for SUNBURST, along with target file paths, are stored in AES128-CBC encrypted blobs and are protected using the same key and initialization vector,” the company explained. “As causing build errors would very likely prompt troubleshooting actions from the Orion developers and lead to the adversary’s discovery, the SUNSPOT developers included a hash verification check, likely to ensure the injected backdoored code is compatible with a known source file, and also avoid replacing the file with garbage data from a failed decryption.”

After the SolarWinds breach came to light, many have been wondering exactly who was behind the attack. The U.S. government said it was likely Russia, and some reports claimed it may have been the Russia-linked threat group known as APT29 (also tracked as Cozy Bear). However, CrowdStrike says it currently does not attribute any of the malware used in the SolarWinds attack to a known threat actor, and it has decided to track the campaign as an activity cluster named StellarParticle.

CrowdStrike has made available indicators of compromise (IoCs) and information on the tactics, techniques and procedures (TTPs) associated with the Sunspot activity.

Also on Monday, Kaspersky reported finding some links between the Sunburst malware and Kazuar, a .NET backdoor in use since at least 2015 that has been attributed to the Russian cyberespionage group Turla, including similarities in code and development choices. However, Kaspersky says it’s unclear whether Kazuar and Sunburst were developed by the same group.

Related: New Zero-Day, Malware Indicate Second Group May Have Targeted SolarWinds

Related: Investigation Launched Into Role of JetBrains Product in SolarWinds Hack: Reports

Related: SolarWinds Taps Firm Started by Ex-CISA Chief Chris Krebs, Former Facebook CSO Alex Stamos

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
