SUNBURST: The backdoor present in SolarWinds Orion updates


On December 8th, FireEye announced that it had suffered an attack in which the company's proprietary Red Team tools were exposed. In response, they published IOCs that allow the use of the tools to be identified.

Introduction

Shortly after, they reported back to the community about an attack in which SolarWinds software was compromised. Specifically, the problem lies in the updates to the legitimate SolarWinds Orion software for versions 2019.4 to 2020.2.1. FireEye reported that it had discovered a trojan in the software that enables malware to be distributed, which they have named SUNBURST. Microsoft, for its part, has named the malware Solorigate. The malware installs a backdoor that allows communication to be established with a C2 server, in addition to executing commands.

 

SUNBURST Backdoor

The backdoor is found in SolarWinds.Orion.Core.BusinessLayer.dll, which is actually a SolarWinds digitally-signed component, thus constituting a supply chain attack. The malware is installed as part of the legitimate software's update routine.

sunburst-malware-backdoor-01

Update package containing SolarWinds.Orion.Core.BusinessLayer.dll, query made: December 14, 2020

This backdoor remains inactive for 12 to 14 days before trying to connect to the C2 server, connecting to the avsvmcloud[.]com domain. The malware is capable of executing a set of commands that allow it to obtain information about the system configuration, transfer and execute files, restart the computer and disable system services. These commands are grouped as "Jobs".

sunburst-malware-backdoor-02

List of jobs to be executed

Communication with the C2 servers is done through HTTP traffic, disguised with the characteristics of legitimate products, in particular the OIP protocol (Orion Improvement Program). The function in charge of communicating with the C2 is HttpHelper.Initialize.

sunburst-malware-backdoor-03

Part of the HttpHelper.initialize function

Furthermore, the malware is capable of identifying known antivirus and forensic tools as part of its way of operating.

As part of their report, investigators have pointed out that in some samples the attackers use a dropper that is governed by a new way of operating. The dropper has been named TEARDROP by FireEye and one of its noteworthy features is the fact that it runs as a service, it creates a thread and reads from the file “gracious_truth.jpg” that contains a false header. The dropper decodes the payload using a custom rolling XOR algorithm and loads another embedded payload into memory using a custom PE format. One of the hypotheses is that its main purpose is to execute a modified version of beacon for CobaltStrike.

 

Detection and Kill Switch

The affected versions of SolarWinds Orion correspond to those published between March and June of 2020 (from 2019.4 HF5 to 2020.2.1). Both FireEye and other companies have shared detection rules for this malware. In the case of FireEye, they can be found on the GitHub page. On the other hand, Volexity associated this attack with the Dark Halo group and provided information regarding the set of commands executed by the attackers.

sunburst-malware-backdoor-04

YARA rules for the detection of the TEARDROP dropper (https://github.com/fireeye/sunburst_countermeasures/blob/main/all-yara.yar)

sunburst-malware-backdoor-05

Description of detection rules for one of the samples available on VirusTotal

 

On the other hand, Microsoft, FireEye and GoDaddy collaborated to create a kill switch for the backdoor after taking over the domain used by the malware to contact the C2 (avsvmcloud[.]com). The kill switch is based on domain resolution. Under GoDaddy's control, any subdomain will resolve to IP 20.140.0.1, which, being within the range of IPs blocked by the malware (20.140.0.0/15), will cause the malware to terminate and stop it from running again. However, this kill switch for the SOLORIGATE backdoor does not prevent the malware from using additional persistence mechanisms.

 

Conclusions

The supply chain attack on SolarWinds software is proof that maintaining an active monitoring system over running systems and processes is critical. This malware waits about two weeks to become active, enough time for the updates to be installed on the system and to try to hide its operations. Its camouflage is based on the tool that hosts it, which is seen as reliable by the system, meaning monitoring systems could fail to notice the traffic for quite some time.

Although this malware's impact is only beginning to be discovered just now, its preparation has taken much longer. It is also worth noting that SolarWinds reported that around 33,000 customers were affected, although only 18,000 were using a trojanized version of their software. This points to another problem derived from this type of attack, which is precisely how the damage can go beyond the affected infrastructure, spreading to our trusted network.

Posted by David García

In his more than 9-year professional career, he has been involved in multiple projects, the most important being in the fields of managed security, anti-fraud and ethical hacking services, and malware analysis. He has contributed his know-how and security-related improvements to a wide variety of fraud and vulnerability analysis products. He currently oversees the smooth running of our different products and researches current fraud developments in order to showcase buguroo overseas as well as providing the development department with feedback on the latest malware and cybercriminal trends.

MALWARE PROTECTION AND ALERTING

MALWARE PROTECTION AND ALERTING

buguroo’s cloud-based fraud detection delivers a straightforward solution for detecting and stopping today’s – and tomorrow’s malware threats. Banks and their customers can be protected from one of the most malicious threats in use by cybercriminals.

LEARN HOW BUGUROO SOLVE IT

Solicita una demo

Would you like to know how our solution protects your bank?

Check how our solution can help you to resolve your company's online fraud issues by requesting a free DEMO and we explain it to you in detail.

Watch video

DID YOU LIKE IT? SHARE IN YOUR SOCIAL COMMUNITIES.