Internals of SunBurst Malware.
SolarWinds Hacks to Analysis of SunBurst Malware.
In 2020, recently the hacks of SolarWinds Orion were become the worst chain of attack vectors which was attributed to Russian Foreign Intelligence Unit APT29 responsible for carrying out the hacks in which what they does is that they had found the vulnerability in the SolarWinds products where they had patched the software of SolarWinds with the fake update that contains logic bomb in it and that logic bomb had been then further employed to task for the covertly conduct the espionage across networks across the U.S. Federal systems and different U.S. based organizations.
Analysis of SunBurst Malware
Hash’s & File Information
For the further static analysis i had deployed the dnSpy which is the de-compiler and debugger for the .Net related malwares and binaries.
Logic Bomb with backdoor
As for the purpose of starting up the analysis in dnSpy , i had searched for the
RefereshInternal where the Initialization of the sketchy exploitation using the logic bomb present in the SolarWinds Orion software is been placed as the logic bomb.
In the image above , you can easily observe that the RefreshInternal is the function inside the class called InventoryManager.
Here in below the Initialization class “the entry point” of the SolarWinds logic bomb is being inserted into the SolarWinds software.
In the beginning of this class the encoded hash is being fetched which is “17291806236368054941UL” which on decoding is as “solarinds.bussinesslayerhost.exe”.
In further going through this class it can observed that the logic bomb does the conditional check of current time of WriteTime with the last Write time of writing the logic bomb in the SolarWind Orion monitoring software.
This logic bomb mentioned here is the SolarWind signed plugin of the Orion Software that consists of the backdoor that is being highly obfuscated and it hooks up in the SolarWind activity Orion Improvement during this backdoor in SolarWind execution the connects back to the several malicious domains across the network which is generally known as the Command and Control Server (C2).
As the backdoor IP configurations are being configured with Domain Names before its further execution and as it gets satisfied then after that UserID is produced after the computation of MD5 hash for the Mac Address of Network Interface. GetOrCreateUserID is the private class in which these hashes
are generated for further triage.
Coming back to the class “SolarWind.Orion.Core.BusinessLayer.OrionImprovementBusinessLayer”
function Initialize in which the UserID is being generated and if after the “if” conditional check satisfied then after Configuration of the running services with there associated name is being extracted and parsed for stopping those services by going through the differ conditional check.
Registry Key Created
Registry Key Deleted
Process Created During Infection
Indicators of Compromise (IOCs) & Detection’s
Att&ck Mitre Techniques
Hooking for Persistence Mechanism.
Hooking for Privilege Escalation.
Coding Signing using Legit Certificate for evading the defense.
Possible use of Anti-VM techniques.
Hooking for Credential Access.
For Evading its discovery use of Anti-VM Techniques.
Sample from Report
From Blog Rapid7:
Thankyou for reading.