Internals of SunBurst Malware.

SolarWinds Hacks to Analysis of SunBurst Malware.

In 2020, recently the hacks of SolarWinds Orion were become the worst chain of attack vectors which was attributed to Russian Foreign Intelligence Unit APT29 responsible for carrying out the hacks in which what they does is that they had found the vulnerability in the SolarWinds products where they had patched the software of SolarWinds with the fake update that contains logic bomb in it and that logic bomb had been then further employed to task for the covertly conduct the espionage across networks across the U.S. Federal systems and different U.S. based organizations.

Analysis of SunBurst Malware

Hash’s & File Information

For the further static analysis i had deployed the dnSpy which is the de-compiler and debugger for the .Net related malwares and binaries.

Logic Bomb with backdoor

As for the purpose of starting up the analysis in dnSpy , i had searched for the
RefereshInternal where the Initialization of the sketchy exploitation using the logic bomb present in the SolarWinds Orion software is been placed as the logic bomb.

RefreshInternal Function.

In the image above , you can easily observe that the RefreshInternal is the function inside the class called InventoryManager.

Here in below the Initialization class “the entry point” of the SolarWinds logic bomb is being inserted into the SolarWinds software.

In the beginning of this class the encoded hash is being fetched which is “17291806236368054941UL” which on decoding is as “solarinds.bussinesslayerhost.exe”.

In further going through this class it can observed that the logic bomb does the conditional check of current time of WriteTime with the last Write time of writing the logic bomb in the SolarWind Orion monitoring software.

Initialization class.

This logic bomb mentioned here is the SolarWind signed plugin of the Orion Software that consists of the backdoor that is being highly obfuscated and it hooks up in the SolarWind activity Orion Improvement during this backdoor in SolarWind execution the connects back to the several malicious domains across the network which is generally known as the Command and Control Server (C2).

As the backdoor IP configurations are being configured with Domain Names before its further execution and as it gets satisfied then after that UserID is produced after the computation of MD5 hash for the Mac Address of Network Interface. GetOrCreateUserID is the private class in which these hashes
are generated for further triage.

Coming back to the class “SolarWind.Orion.Core.BusinessLayer.OrionImprovementBusinessLayer”
function Initialize in which the UserID is being generated and if after the “if” conditional check satisfied then after Configuration of the running services with there associated name is being extracted and parsed for stopping those services by going through the differ conditional check.

Registry Key Created

Registry Key Deleted

Process Created During Infection

Indicators of Compromise (IOCs) & Detection’s

224[.]0[.]0[.]22

Att&ck ID:

T1497
T1116
T1179

Hooking for Persistence Mechanism.
Hooking for Privilege Escalation.
Coding Signing using Legit Certificate for evading the defense.
Possible use of Anti-VM techniques.
Hooking for Credential Access.
For Evading its discovery use of Anti-VM Techniques.

Sunburst:
MD5: 3d81dcea99b27462d100414917
SHA1: 395da6d4f3c890295f7584132ea73d759bd9d094
SHA256: 0f5d7e6dfdd62c83eb096ba193b5ae394001bac036745495674156ead6557589

Yara signature for detection of Sunburst Malware.

References

From CISA:
https://us-cert.cisa.gov/ncas/alerts/aa20-352a

From Fireeye:
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-
leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
https://www.fireeye.com/blog/threat-research/2020/12/sunburst-additional-technical-details.html

From TheHackerNews:
https://thehackernews.com/2021/01/researchers-find-links-between-
sunburst.html

From ZDNet:
https://www.zdnet.com/article/fourth-malware-strain-discovered-in-
solarwinds-incident/
https://www.zdnet.com/article/cisa-updates-solarwinds-guidance-tells-us-
govt-agencies-to-update-right-away/

From BleepingComputer:
https://www.bleepingcomputer.com/news/security/sunburst-backdoor-shares-features-with-russian-apt-malware/

https://www.bleepingcomputer.com/news/security/solarwinds-victims-
revealed-after-cracking-the-sunburst-malware-dga/

From Blog Rapid7:
https://blog.rapid7.com/2020/12/14/solarwinds-sunburst-backdoor-supply-
chain-attack-what-you-need-to-know/

Thankyou for reading.

Honey. Malware Analyst. I write blogs related to threat intelligence , malware analysis, APTs , network intrusions and incident responding.