Security News > 2020 > December > Killswitch Found for Malware Used in SolarWinds Hack
A killswitch has been identified and activated for one of the pieces of malware delivered by threat actors as part of the attack targeting IT management and monitoring firm SolarWinds and its customers.
FireEye, which disclosed the attack earlier this month after the threat actor managed to breach its systems and steal some Red Team tools, revealed that the attacker had compromised SolarWinds systems and used its access to deliver a piece of malware named SUNBURST. The malware, which is configured to remain dormant for a certain period after installation, is capable of collecting information about the infected computer, downloading and executing code, creating and deleting files, reading and manipulating registry entries, and rebooting the system.
"Depending on the IP address returned when the malware resolves avsvmcloud[.]com, under certain conditions, the malware would terminate itself and prevent further execution," a FireEye spokesperson told SecurityWeek.
"This killswitch will affect new and previous SUNBURST infections by disabling SUNBURST deployments that are still beaconing to avsvmcloud[.]com. However, in the intrusions FireEye has seen, this actor moved quickly to establish additional persistent mechanisms to access to victim networks beyond the SUNBURST backdoor. This killswitch will not remove the actor from victim networks where they have established other backdoors. However, it will make it more difficult for the actor to leverage the previously distributed versions of SUNBURST," they added.
SolarWinds confirmed this week that malicious actors hacked the build system for its Orion monitoring product and delivered trojanized updates to customers between March and June 2020.