Sunburst Solarwinds Backdoor

 

Technical analysis of SUNBURST SolarWinds Backdoor

Sunburst Solarwinds Backdoor
Sunburst Solarwinds Backdoor


Identification

Vendor

Detection

TrendMicro

Backdoor.MSIL.SUNBURST.A

Microsoft

Trojan:MSIL/Solorigate.BR!dha

Kaspersky

HEUR:Backdoor.MSIL.SunBurst.gen

 

The following table contains a list of artifacts that had been analyzed within this document.


PE timestamp

MD5

Size in bytes

File name

Description

2020/05/11 Mon 21:32:40 UTC

846E27A652A5E1BFBD0DDD38A16DC865

1003.98 KB (1028072 bytes)

SolarWinds.Orion.Core.BusinessLayer-SUNBURST.dll

Main payload

 

Interesting

The most interesting for me is signature of file, file is signed but it contains a backdoor as shown in figure below.


Sunburst Solarwinds
Sunburst Solarwinds


Summary

Sunburst has been widespread across organizations in a supply-chain attack. Backdoor. Sunburst uses multiple obfuscated blacklists to identify security and antivirus tools running as processes, services, and drivers. It stores this information for later stages of an attack.

Technical details

It gets the current process name then gets the hash of the process then convert name of process to lowercase and compare hash with value called 17291806236368054941UL as shown in figure below.


Sunburst Solarwinds
Sunburst Solarwinds


It gets a hash of a lower process using an algorithm called FNV-1a 64 bit as shown in figure below and do XOR result with value called 6605813339339102567UL.


Sunburst Solarwinds
Sunburst Solarwinds


So if you reverse the algorithm you will figure out that the value 17291806236368054941UL will represent the process name called solarwinds.businesslayerhost.

 

It gets a random number from 288 to 336, that means malware will run from 12 to 14 days once it finds the process name called solarwinds.businesslayerhost as shown in figure below.

Sunburst Solarwinds
Sunburst Solarwinds

The malware is really obfuscated, so I tried to DE obfuscate as much as possible.


Configuration of network 

It gets network configuration as shown in figure below when executed some command like.


Sunburst Solarwinds
Sunburst Solarwinds


Commands

  • Select * From Win32_NetworkAdapterConfiguration where IPEnabled=true.
  • Description.
  • MACAddress.
  • DHCPEnabled.
  • DHCPServer.
  • DNSHostName.
  • DNSDomainSuffixSearchOrder.
  • DNSServerSearchOrder.
  • IPAddress.
  • IPSubnet.
  • DefaultIPGateway.
It gets operating system version as shown in figure below with following commands below.

  • Select * From Win32_OperatingSystem.
  • Caption.
  • OSArchitecture.
  • InstallDate.
  • Organization.
  • RegisteredUser.
  • Version.


If it can’t get the operating system version it will cause an exception called “[E] {0} {1} {2}” as shown in figure below.


Sunburst Solarwinds
Sunburst Solarwinds


It gets user id when it access registry path called HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography  specially value called MachineGuid  then gets MD5 of machine GUID as shown in figure below.


Sunburst Solarwinds
Sunburst Solarwinds

Sunburst Solarwinds
Sunburst Solarwinds

It gets a hash of current processes using an algorithm called FNV-1a 64 bit as shown in figure below, if it finds one of these processes already running, then malware exits.

Sunburst Solarwinds
Sunburst Solarwinds

 


Hash

Process name

2597124982561782591UL

apimonitor-x64

2600364143812063535UL

apimonitor-x86

13464308873961738403UL

autopsy64

4821863173800309721UL

autopsy

12969190449276002545UL

autoruns64

3320026265773918739UL

autoruns

12094027092655598256UL

autorunsc64

10657751674541025650UL

autorunsc

11913842725949116895UL

binaryninja

5449730069165757263UL

blacklight

292198192373389586UL

cff explorer

12790084614253405985UL

cutter

5219431737322569038UL

de4dot

15535773470978271326UL

debugview

7810436520414958497UL

diskmon

13316211011159594063UL

dnsd

13825071784440082496UL

dnspy

14480775929210717493UL

dotpeek32

14482658293117931546UL

dotpeek64

8473756179280619170UL

dumpcap

3778500091710709090UL

evidence center

8799118153397725683UL

exeinfope

12027963942392743532UL

fakedns

576626207276463000UL

fakenet

7412338704062093516UL

ffdec

682250828679635420UL

fiddler

13014156621614176974UL

fileinsight

18150909006539876521UL

floss

10336842116636872171UL

gdb

12785322942775634499UL

hiew32demo

13260224381505715848UL

hiew32

17956969551821596225UL

hollows_hunter

8709004393777297355UL

idaq64

14256853800858727521UL

idaq

8129411991672431889UL

idr

15997665423159927228UL

ildasm

10829648878147112121UL

ilspy

9149947745824492274UL

jd-gui

3656637464651387014UL

lordpe

3575761800716667678UL

officemalscanner

4501656691368064027UL

ollydbg

10296494671777307979UL

pdfstreamdumper

14630721578341374856UL

pe-bear

4088976323439621041UL

pebrowse64

9531326785919727076UL

peid

6461429591783621719UL

pe-sieve32

6508141243778577344UL

pe-sieve64

10235971842993272939UL

pestudio

2478231962306073784UL

peview

9903758755917170407UL

pexplorer

14710585101020280896UL

ppee

13611814135072561278UL

procdump64

2810460305047003196UL

procdump

2032008861530788751UL

processhacker

27407921587843457UL

procexp64

6491986958834001955UL

procexp

2128122064571842954UL

procmon

10484659978517092504UL

prodiscoverbasic

8478833628889826985UL

py2exedecompiler

10463926208560207521UL

r2agent

7080175711202577138UL

rabin2

8697424601205169055UL

radare2

7775177810774851294UL

ramcapture64

16130138450758310172UL

ramcapture

506634811745884560UL

reflector

18294908219222222902UL

regmon

3588624367609827560UL

resourcehacker

9555688264681862794UL

retdec-ar-extractor

5415426428750045503UL

retdec-bin2llvmir

3642525650883269872UL

retdec-bin2pat

13135068273077306806UL

retdec-config

3769837838875367802UL

retdec-fileinfo

191060519014405309UL

retdec-getsig

1682585410644922036UL

retdec-idr2pat

7878537243757499832UL

retdec-llvmir2hll

13799353263187722717UL

retdec-macho-extractor

1367627386496056834UL

retdec-pat2yara

12574535824074203265UL

retdec-stacofin

16990567851129491937UL

retdec-unpacker

8994091295115840290UL

retdec-yarac

13876356431472225791UL

rundotnetdll

14968320160131875803UL

sbiesvc

14868920869169964081UL

scdbg

106672141413120087UL

scylla_x64

79089792725215063UL

scylla_x86

5614586596107908838UL

shellcode_launcher

3869935012404164040UL

solarwindsdiagnostics

3538022140597504361UL

sysmon64

14111374107076822891UL

sysmon

7982848972385914508UL

task explorer

8760312338504300643UL

task explorer-x64

17351543633914244545UL

tcpdump

7516148236133302073UL

tcpvcon

15114163911481793350UL

tcpview

15457732070353984570UL

vboxservice

16292685861617888592UL

win32_remote

10374841591685794123UL

win64_remotex64

3045986759481489935UL

windbg

17109238199226571972UL

windump

6827032273910657891UL

winhex64

5945487981219695001UL

winhex

 

 

8052533790968282297UL

winobj

17574002783607647274UL

wireshark

3341747963119755850UL

x32dbg

14193859431895170587UL

x64dbg

17439059603042731363UL

xwforensics64

17683972236092287897UL

xwforensics

700598796416086955UL

redcloak

3660705254426876796UL

avgsvc

12709986806548166638UL

avgui

3890794756780010537UL

avgsvca

2797129108883749491UL

avgidsagent

3890769468012566366UL

avgsvcx

14095938998438966337UL

avgwdsvcx

11109294216876344399UL

avgadminclientservice

1368907909245890092UL

afwserv

11818825521849580123UL

avastui

8146185202538899243UL

avastsvc

2934149816356927366UL

aswidsagent

13029357933491444455UL

aswidsagenta

6195833633417633900UL

aswengsrv

2760663353550280147UL

avastavwrapper

16423314183614230717UL

bccavsvc

2532538262737333146UL

psanhost

4454255944391929578UL

psuaservice

6088115528707848728UL

psuamain

13611051401579634621UL

avp

18147627057830191163UL

avpui

17633734304611248415UL

ksde

13581776705111912829UL

ksdeui

7175363135479931834UL

tanium

3178468437029279937UL

taniumclient

13599785766252827703UL

taniumdetectengine

6180361713414290679UL

taniumendpointindex

8612208440357175863UL

taniumtracecli

8408095252303317471UL

taniumtracewebsocketclient64


  

Attacker repeated checking for a process called ppee 2 times.


Configurations search

It gets Path Name of system driver using sql command Select * From Win32_SystemDriver. It searches for specific services as shown in figure below.



 

Hash

Services name

17097380490166623672UL

cybkerneltracker.sys

15194901817027173566UL

atrsdfw.sys

12718416789200275332UL

eaw.sys

18392881921099771407UL

rvsavd.sys

3626142665768487764UL

dgdmk.sys

12343334044036541897UL

sentinelmonitor.sys

397780960855462669UL

hexisfsmonitor.sys

6943102301517884811UL

groundling32.sys

13544031715334011032UL

groundling64.sys

11801746708619571308UL

safe-agent.sys

18159703063075866524UL

crexecprev.sys

835151375515278827UL

psepfilter.sys

16570804352575357627UL

cve.sys

1614465773938842903UL

brfilter.sys

12679195163651834776UL

brcow_x_x_x_x.sys

2717025511528702475UL

lragentmf.sys

17984632978012874803UL

libwamf.sys

 

Configuration of services

It access registry path SYSTEM\CurrentControlSet\services then gets a value name called start and searches for configuration of services as shown in figure below.



 

Hash

Service name

5183687599225757871UL

msmpeng

917638920165491138UL

windefend

10063651499895178962UL

mssense

16335643316870329598UL

sense

10501212300031893463UL

microsoft.tri.sensor

155978580751494388UL

microsoft.tri.sensor.updater

17204844226884380288UL

cavp

5984963105389676759UL

cb

11385275378891906608UL

carbonblack

13693525876560827283UL

carbonblackk

17849680105131524334UL

cbcomms

18246404330670877335UL

cbstream

8698326794961817906UL

csfalconservice

9061219083560670602UL

csfalconcontainer

11771945869106552231UL

csagent

9234894663364701749UL

csdevicecontrol

8698326794961817906UL

csfalconservice

15695338751700748390UL

xagt

640589622539783622UL

xagtnotif

15695338751700748390UL

xagt

9384605490088500348UL

fe_avk

6274014997237900919UL

fekern

15092207615430402812UL

feelam

3320767229281015341UL

fewscservice

3200333496547938354UL

ekrn

14513577387099045298UL

eguiproxy

607197993339007484UL

egui

15587050164583443069UL

eamonm

9559632696372799208UL

eelam

4931721628717906635UL

ehdrv

3200333496547938354UL

ekrn

2589926981877829912UL

ekrnepfw

17997967489723066537UL

epfwwfp

14079676299181301772UL

ekbdflt

17939405613729073960UL

epfw

521157249538507889UL

fsgk32st

14971809093655817917UL

fswebuid

10545868833523019926UL

fsgk32

15039834196857999838UL

fsma32

14055243717250701608UL

fssm32

5587557070429522647UL

fnrb32

12445177985737237804UL

fsaua

17978774977754553159UL

fsorsp

17017923349298346219UL

fsav32

17624147599670377042UL

f-secure gatekeeper handler starter

16066651430762394116UL

f-secure network request broker

13655261125244647696UL

f-secure webui daemon

12445177985737237804UL

fsaua

3421213182954201407UL

fsma

14243671177281069512UL

fsorspclient

16112751343173365533UL

f-secure gatekeeper

3425260965299690882UL

f-secure hips

9333057603143916814UL

fsbts

3413886037471417852UL

fsni

7315838824213522000UL

fsvista

13783346438774742614UL

f-secure filter

2380224015317016190UL

f-secure recognizer

3413052607651207697UL

fses

3407972863931386250UL

fsfw

10393903804869831898UL

fsdfw

12445232961318634374UL

fsaus

3421197789791424393UL

fsms

541172992193764396UL

fsdevcon


interesting subnets

It makes depolymerization of IP addresses so malware receives a DNS A record response pointing to one of these subnets as shown in figure below.


Sunburst Solarwinds
Sunburst Solarwinds


 

 

Encoded ip

Decoded ip

MzTQA0MA

10.0.0.0

MzI11TMAQQA

255.0.0.0

MzQ30jM00zPQMwAA

172.16.0.0

MzI11TMyMdADQgA

255.240.0.0

M7Q00jM0s9Az0DMAAA

192.168.0.0

MzI11TMCYgM9AwA

255.255.0.0

MzIy0TMAQQA

224.0.0.0

MzIx0ANDAA

240.0.0.0

S0s2MLCyAgA

fc00::

S0s1MLCyAgA

fc00::

S0tNNrCyAgA

fec0::

S0szMLCyAgA

ff00::

S0szMLCyAgA

ff00::

MzHUszDRMzS11DMAAA

41.84.159.0

MzI11TOCYgMA

255.255.255.0

MzfRMzQ00TMy0TMAAA

74.114.24.0

MzI11TMCYRMLPQMA

255.255.248.0

MzQ10TM0tNAzNDHQMwAA

154.118.140.0

MzI11TOCYgMA

255.255.255.0

MzI01zM0M9Yz1zMAAA

217.163.7.0

MzI11TOCYgMA

255.255.255.0

MzLQMzQx0ANCAA

20.140.0.0

MzI11TMyNdEz0DMAAA

255.254.0.0

szTTMzbUMzQ30jMAAA

96.31.172.0

MzI11TOCYgMA

255.255.255.0

MzQ21DMystAzNNIzAAA

131.228.12.0

MzI11TMCYyM9AwA

255.255.252.0

MzQx0bMw0zMyMtMzAAA

144.86.226.0

MzI11TOCYgMA

255.255.255.0

s9AztNAzNDHRMwAA

8.18.144.0

MzI11TMCYxM9AwA

255.255.254.0

M7TQMzQ20ANCAA

18.130.0.0

MzI11TMCYgM9AwA

255.255.0.0

MzfUMzQ10jM11jMAAA

71.152.53.0

MzI11TOCYgMA

255.255.255.0

s7TUM7fUM9AzAAA

99.79.0.0

MzI11TMCYgM9AwA

255.255.0.0

szDXMzK20LMw0DMAAA

87.238.80.0

MzI11TMCYRMLPQMA

255.255.248.0

M7S01DMyMNQzNDTXMwAA

199.201.117.0

MzI11TOCYgMA

255.255.255.0

M7Qw0TM30jPQMwAA

184.72.0.0

MzI11TMyNdEz0DMAAA

255.254.0.0

Pattern search

It checks for these domains in active directory as shown in figure and table below.

Sunburst Solarwinds
Sunburst Solarwinds


 

Pattern Hash

Decoded Of Pattern

1109067043404435916UL

swdev.local

15267980678929160412UL

swdev.dmz

8381292265993977266UL

lab.local

3796405623695665524UL

lab.na

8727477769544302060UL

emea.sales

10734127004244879770UL

cork.lab

11073283311104541690UL

dev.local

4030236413975199654UL

dmz.local

7701683279824397773UL

pci.local

5132256620104998637UL

saas.swi

5942282052525294911UL

lab.rio

4578480846255629462UL

lab.brno

16858955978146406642UL

apac.lab

It assigns pattern list, which seems to be regular expression as shown in figure below.

Sunburst Solarwinds
Sunburst Solarwinds

 

Encoded Regex

Decoded Of Regex

07DP1NSIjkvUrYqtidPUKEktLoHzVTQB

(?i)([^a-z]|^)(test)([^a-z]|$)

07DP1NQozs9JLCrPzEsp1gQA

(?i)(solarwinds)



Configuration manger

It reads configurations manger then applied 3 switch cases

  • Truncate
  • New
  • Append

As shown in figure below.


Sunburst Solarwinds
Sunburst Solarwinds

 

 

Encoded Report Status

Decoded Report Status

C0otyC8qCU8sSc5ILQpKLSmqBAA

ReportWatcherRetry

 

It reads services status as shown in figure below.


Sunburst Solarwinds
Sunburst Solarwinds


 

Encoded Service Status

Decoded Service Status

C0otyC8qCU8sSc5ILQrILy4pyM9LBQA

ReportWatcherPostpone


Check for server connection

It checks for connection of Solarwinds server as shown in figure below.

Sunburst Solarwinds
Sunburst Solarwinds


 

Encoded Host

Decoded Host

SyzI1CvOz0ksKs/MSynWS87PBQA

api.solarwinds.com



Domain Generation Algorithm(DGA)

It gets the status of these domains as shown in figure below.

Sunburst Solarwinds
Sunburst Solarwinds

 

Encoded Domain

Decoded Domain

SywrLstNzskvTdFLzs8FAA

avsvmcloud.com

SywoKK7MS9ZNLMgEAA

appsync-api

Sy3VLU8tLtE1BAA

eu-west-1

Ky3WLU8tLtE1AgA

us-west-2

Ky3WTU0sLtE1BAA

us-east-1

Ky3WTU0sLtE1AgA

us-east-2


So Final DGA will be one of these.

  1. appsync-api.eu-west-1[.]avsvmcloud[.]com.
  1. appsync-api.us-west-2[.]avsvmcloud[.]com.
  1. appsync-api.us-east-1[.]avsvmcloud[.]com.
  1. appsync-api.us-east-2[.]avsvmcloud[.]com.


It initializes new pipe id as shown in figure below.

 

Encoded Pipe ID

M7UwTkm0NDHVNTNKTNM1NEi10DWxNDDSTbRIMzIwTTY3SjJKBQA

Decoded Pipe ID

583da945-62af-10e8-4902-a8f205c72b2e

 

Information gathering

It gets information from registry like all users, current configuration, local machine etc as shown in figure below.

Sunburst Solarwinds
Sunburst Solarwinds

 

Encoded Registry path

Decoded Registry path

8/B2jYx39nEMDnYNjg/y9w8BAA

HKEY_CLASSES_ROOT

8/B2DgIA

HKCR

8/B2jYx3Dg0KcvULiQ8Ndg0CAA

HKEY_CURRENT_USER

8/B2DgUA

HKCU

8/B2jYz38Xd29In3dXT28PRzBQA

HKEY_LOCAL_MACHINE

8/D28QUA

HKLM

8/B2jYwPDXYNCgYA

HKEY_USERS

8/AOBQA

HKU

8/B2jYx3Dg0KcvULiXf293PzdAcA

HKEY_CURRENT_CONFIG

8/B2dgYA

HKCC

8/B2jYwPcA1y8/d19HN2jXdxDHEEAA

HKEY_PERFOMANCE_DATA

8/AOcAEA

HKPD

8/B2jYx3ifSLd3EMcQQA

HKEY_DYN_DATA

8/B2cQEA

HKDD


Get Sid of current account

It gets the security identifier of the current user as shown in figure below.

Sunburst Solarwinds
Sunburst Solarwinds

 

Encoded value

Decoded value

C9Y11DXVBQA

S-1-5-

0zU1MAAA

-500

c0zJzczLLC4pSizJLwIA

Administrator

C07NSU0uUdBScCvKz1UIz8wzNooPLU4tckxOzi/NKwEA

Select * From Win32_UserAccount

C/Z0AQA

SID

88lPTsxxTE7OL80rAQA

LocalAccount

KykqTQUA

true


Privilege

It sets privilege as shown in figure below.

Sunburst Solarwinds
Sunburst Solarwinds

 

Encoded Privilege

Decoded Privilege

C04NSi0uyS9KDSjKLMvMSU1PBQA

SeRestorePrivilege

C04NScxO9S/PSy0qzsgsCCjKLMvMSU1PBQA

SeTakeOwnershipPrivilege


Set permission

It sets the current file to system permission as shown in figure below.

Sunburst Solarwinds
Sunburst Solarwinds
 

Encoded Value

Decoded Value

C44MDnH1BQA

SYSTEM



Information gathering of current processes

It gets information about current processes as shown in figure below.

Sunburst Solarwinds
Sunburst Solarwinds

 

Encoded Value

Decoded Value

i6420DGtjVWoNqzlAgA

[{0,5}] {1}

C07NSU0uUdBScCvKz1UIz8wzNooPKMpPTi0uBgA

Select * From Win32_Process

c08t8S/PSy0CAA

GetOwner

i6420DGtjVWoNtTRNTSrVag2quWsNgYKKVSb1MZUm9ZyAQA

[{0,5}] {1,-16} {2}            {3,5} {4}\{5}

CyjKT04tLvZ0AQA

ProcessID

80vMTQUA

Name

C0gsSs0rCSjKT04tLvZ0AQA

ParentProcessID


Gathering information of administrator of domain

It gathers information about the current administrator of the domain like hostname, account domain id, username, operating system version etc... As shown in figure below.


Sunburst Solarwinds
Sunburst Solarwinds

Http Request

Before malware does http request, it resolves some important hashes with multiple checks as shown in figure below.



 

Encoded Value

Decoded Value

8873858923435176895UL

expect

6116246686670134098UL

content-type

2734787258623754862UL

accept

6116246686670134098UL

content-type

7574774749059321801UL

user-agent

8873858923435176895UL

expect

1475579823244607677UL

100-continue

11266044540366291518UL

connection

9007106680104765185UL

referer

11266044540366291518UL

connection

13852439084267373191UL

keep-alive

14226582801651130532UL

close

15514036435533858158UL

if-modified-since

16066522799090129502UL

date

qzaoVag2rFXwCAkJ0K82quUCAA

{0} {1} HTTP/{2}



Information stealer

It steals credentials of current users as shown in figure below.

Sunburst Solarwinds
Sunburst Solarwinds


Parse service response

It uses http helper to define commands for executing engine function as shown in figure below.

Sunburst Solarwinds
Sunburst Solarwinds

 

Encoded Value

U4qpjjbQtUzUTdONrTY2q42pVapRgooABYxQuIZmtUoA

Decoded Value

"\{[0-9a-f-]{36}\}"|"[0-9a-f]{32}"|"[0-9a-f]{16}"



Http status code

It resolves important parameters when doing http request as shown in figure below.

Sunburst Solarwinds
Sunburst Solarwinds


 

 

Encoded Value

Decoded Value

80zT9cvPS9X1TSxJzgAA

If-None-Match

UyotTi3yTFGyUqo2qFXSAQA

"userId":"{0}",

UypOLS7OzM/zTFGyUqo2qFXSAQA

"sessionId":"{0}",

UyouSS0oVrKKBgA

"steps":[

UwrJzE0tLknMLVCyUorRd0ksSdWoNqjVjNFX0gEA

"Timestamp":"\/Date({0})\/",

U/LMS0mtULKqNqjVAQA=

"Index":{0},

U3ItS80rCaksSFWyUvIvyszPU9IBAA

"EventType":"Orion",

U3ItS80r8UvMTVWyUgKzfRPzEtNTi5R0AA

"EventName":"EventManager",

U3IpLUosyczP8y1Wsqo2qNUBAA

"DurationMs":{0},

UwouTU5OTU1JTVGyKikqTdUBAA

"Succeeded":true,

U/JNLS5OTE9VslKqNqhVAgA

"Message":"{0}"

SywoyMlMTizJzM/TzyrOzwMA

application/json

SywoyMlMTizJzM/Tz08uSS3RLS4pSk3MBQA

application/octet-stream



Base Uri implementation

It resolves important strings as shown in figure and table below.

Sunburst Solarwinds
Sunburst Solarwinds

 

Encoded Value

Decoded Value

0y3Kzy8BAA

-root

001OLSoBAA

-cert

0y3NyyxLLSpOzIlPTgQA

-universal_ca

001OBAA

-ca

0y0oysxNLKqMT04EAA

-primary_ca

0y3JzE0tLknMLQAA

-timestamp

003PyU9KzAEA

-global

0y1OTS4tSk1OBAA

-secureca

K8jO1E8uytGvNqitNqytNqrVA/IA

pki/crl/{0}{1}{2}.crl

c8rPSQEA

Bold

c8rPSfEsSczJTAYA

BoldItalic

c60oKUp0ys9JAQA

ExtraBold

c60oKUp0ys9J8SxJzMlMBgA

ExtraBoldItalic

8yxJzMlMBgA

Italic

88lMzygBAA

Light

88lMzyjxLEnMyUwGAA

LightItalic

C0pNL81JLAIA

Regular

C07NzXTKz0kBAA

SemiBold

C07NzXTKz0nxLEnMyUwGAA

SemiBoldItalic

yy9IzStOzCsGAA

opensans

y8svyQcA

noto

SytKTU3LzysBAA

freefont

C84vLUpOdc5PSQ0oygcA

SourceCodePro

C84vLUpODU4tykwLKMoHAA

SourceSerifPro

C84vLUpO9UjMC07MKwYA

SourceHanSans

C84vLUpO9UjMC04tykwDAA

SourceHanSerif

S8vPKynWL89PS9OvNqjVrTYEYqNa3fLUpDSgTLVxrR5IzggA

fonts/woff/{0}-{1}-{2}-webfont{3}.woff2

S8vPKynWL89PS9OvNqjVrTYEYqPaauNaPZCYEQA

fonts/woff/{0}-{1}-{2}{3}.woff2

C87PSSwKz8xLKQYA

SolarWinds

03POLypJrQjIKU3PzAMA

.CortexPlugin

0/MvyszPAwA

.Orion

C88sSs1JLS4GAA

Wireless

C/UEAA

UI

C89MSU8tKQYA

Widgets

8wvwBQA

NPM

cyzIz8nJBwA

Apollo

c87JL03xzc/LLMkvysxLBwA

CloudMonitoring

88tPSS0GAA

Nodes

C8vPKc1NLQYA

Volumes

88wrSS1KS0xOLQYA

Interfaces

c87PLcjPS80rKQYA

Components

Ky7PLNAvLUjRBwA

swip/upd/

06vIzQEA

.xml

Ky7PLNAPLcjJT0zRSyzOqAAA

swip/Upload.ashx

Ky7PLNB3LUvNKykGAA

swip/Events




User Agent

Malware resolves important parameters when it gets a user agent as shown in figure and table below.

Sunburst Solarwinds
Sunburst Solarwinds

 

Encoded Value

Decoded Value

881MLsovzk8r0XUuqiwoyXcM8NQHAA

Microsoft-CryptoAPI/

C87PSSwKz8xLKfYvyszP88wtKMovS81NzStxzskEkvoA

SolarWindsOrionImprovementClient/

i/EvyszP88wtKMovS81NzSuJCc7PSSwKz8xLKdZDl9NLrUgFAA

\OrionImprovement\SolarWinds.OrionImprovement.exe

M9YzAEJjCyMA

3.0.0.382


Key of base 64

Encoding key embedded in sample shown in figure and table below in table.

Sunburst Solarwinds


 

 

Encoded value

Kyo0Ti9OzCkxKzXMrEyryi8wNTdKMbFMyquwSC7LzU4tz8gCAA

Decoded Value

rq3gsalt6u1iyfzop572d49bnx8cvmkewhj

 

Encoded value

M4jX1QMA

Decoded Value

0_-.

 


Base64 Decode key

Decoding key embedded in sample shown in figure and table below in table.

Sunburst Solarwinds
Sunburst Solarwinds


Encoded value

K8gwSs1MyzfOMy0tSTfMskixNCksKkvKzTYoTswxN0sGAA

Decoded Value

ph2eifo3n5utg1j8d94qrvbmk0sal76c



Decryption function for domain

Attacker uses the key below as shown in figure and table for decryption domain.


Sunburst Solarwinds
Sunburst Solarwinds


 

Encoded value

MzA0MjYxNTO3sExMSk5JTUvPyMzKzsnNyy8oLCouKS0rr6is0o3XAwA

Decoded Value

0123456789abcdefghijklmnopqrstuvwxyz-_.

 


Shutdown computer

Malware has the ability to shutdown current machine as shown in figure below.

Sunburst Solarwinds

Encoded value

C04NzigtSckvzwsoyizLzElNTwUA

Decoded Value

SeShutdownPrivilege


Yara Rule

/*

  Yara Rule Set

  Author: Mahmoud Elmenshawy

  Date:2019-05-1

  Identifier: SolarWinds Sunburst Backdoor

*/

rule  Sunburst_Backdoor {

     meta:

                      Author = "Mahmoud Elmenshawy"

                                  Description = " Sunburst Backdoor Rule "

                                  Sha256 = "ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6"

                strings:

                      $Encoded_Regx_Value = "U4qpjjbQtUzUTdONrTY2q42pVapRgooABYxQuIZmtUoA" //

                                  $Event_type = "U3ItS80rCaksSFWyUvIvyszPU9IBAA"

                                  $x3 = "C88sSs1JLS4GAA"

                                  $x4 = "003PyU9KzAEA"

                                  $x5 = "K8jO1E8uytGvNqitNqytNqrVA/IA"

                                  $x6 = "SywrLstNzskvTdFLzs8FAA"

                                  $x7 = "C84vLUpO9UjMC04tykwDAA"

                                  $x8 = "cyzIz8nJBwA"

                                  $x9 = "003PyU9KzAEA"

                                 $x10 = "C84vLUpOdc5PSQ0oygcA

                                 $x11 = "M9YzAEJjCyMA"

                                 $x12 = "07DP1NSIjkvUrYqtidPUKEktLoHzVTQB"

                                 

                condition:

                all of them

               

                }

                               

References

  • https://www.techradar.com/news/microsoft-has-discovered-yet-more-malware-affecting-solarwinds-orion.
  • https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html.


 

If you wanna learn malware analysis you can check my YouTube channel I'm trying publish analysis of malware and some methods to analysis malwares.
Please don't forgot subscribe my channel Than you ♥  
YouTube channel 
https://www.youtube.com/channel/UCParXHaBXBmqRdHuVUg21pA

 

Malware analyst : Mahmoud El Menshawy.
Contact Me : mahmoudmorsy372@gmail.com.









Comments

Popular posts from this blog

Phishing Attacks 9_4_2021

Conti Ransomware