SolarWinds hack investigation reveals new Sunspot malware

2021-01-12 14:09

Crowdstrike researchers have documented Sunspot, a piece of malware used by the SolarWinds attackers to insert the Sunburst malware into the company's Orion software.

SolarWinds has also revealed a new timeline for the incident and the discovery of two customer support incidents that they believe may be related to the Sunburst malware being deployed on customer infrastructure.

He shared an attack timeline, which revealed the source of the Sunburst malicious code injection into SolarWinds' Orion platform: a new strain of malware dubbed Sunspot.

"When Sunspot finds an MsBuild.exe process , it will spawn a new thread to determine if the Orion software is being built and, if so, hijack the build operation to inject Sunburst. The monitoring loop executes every second, allowing Sunspot to modify the target source code before it has been read by the compiler," the researchers explained.

The two pieces of malware use the same algorithm to calculate the time the malware lays dormant until making a new C&C server connection, the same hashing algorithm for string obfuscation, and the same algorithm for generating the unique victim identifiers.

These include the SolarWinds attackers using Kazuar as an inspiration point, both groups getting their malware from the same source, Kauzar developers becoming members of the the group behind the SolarWinds hack and, finally, there's also the possibility that the similarities were introduced on purpose to mislead investigators.

News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/2TURVtO4H4s/

#hack #investigation #malware #solarwinds

Related vendor

VENDOR	LAST 12M	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
Solarwinds		56	33	102	74	36	245