SolarWinds Inc. is an American company that develops software for businesses to help manage their networks, systems and information technology infrastructure. The Russia-based threat group UNC2452 leveraged the SolarWinds supply chain to compromise multiple victims worldwide with the SUNBURST malware.
Supply Chain Compromise
A technique used to gain initial access to an organisation's internal network by tampering with a legitimate product before it reaches the victim, or by substituting a malicious product for a legitimate one. In the ATT&CK Matrix for Enterprise, Supply Chain Compromise (Technique ID T1195) falls under the Initial Access tactic and is divided into three sub-techniques:
- Compromise Software Dependencies and Development Tools
Manipulating a legitimate software dependency (or the tools used to build software) to compromise end users.
Example: the Node.js library event-stream, with nearly two million downloads a week, was compromised when malicious code was injected into it through a newly added dependency (flatmap-stream). The malicious code, distributed via npm, attempted to steal bitcoins stored in Copay wallets and reportedly transfer the funds to a server located in Kuala Lumpur.
- Compromise Software Supply Chain
Manipulating a legitimate application's source code, build process or update channel so that the shipped product compromises end users.
Example: in 2017 CCleaner was targeted by attackers who distributed malware via the official CCleaner installation file.
- Compromise Hardware Supply Chain
Manipulating hardware components, or inserting a hardware backdoor, to compromise end users; such implants can be very difficult to detect.
Group ID: G0118
Associated Groups: Solorigate, StellarParticle, Dark Halo
UNC2452 is a highly skilled, Russia-based, state-sponsored threat group that typically targets government, consulting, technology, telecom and other organizations in North America, Europe, Asia and the Middle East.
Supply Chain Attack
SolarWinds.Orion.Core.BusinessLayer.dll → Backdoor Activities
Before doing anything, the backdoor checks several properties of its environment to verify that it is running on a real victim rather than in an analysis sandbox, and to avoid exposing its malicious functionality:
- Checks that its host process is named solarwinds.businesslayerhost.exe (the Orion service that loads the DLL)
- Checks whether analysis tools such as Wireshark are running
- Checks for security-related software (processes, services and drivers)
- Checks the machine's domain name
- These name comparisons are made against precomputed hashes of the expected strings rather than plaintext, so the blocklists are not readable in the binary
- The domain must not contain "solarwinds"
- The domain must not match the regular expression (?i)([^a-z]|^)(test)([^a-z]|$); in simpler terms, it must not contain "test" as a standalone word, case-insensitive (test.local or qa-test.corp are rejected, testing.corp is not)
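The following Python is an added example, not code from the page or from the SUNBURST sample itself. It implements the two domain rules quoted above (the "solarwinds" substring check and the "test" regex) and runs them over a constructed list of domain names to show which ones the regex actually catches; the hashed process, service and driver blocklists are not reproduced, and the treatment of an empty domain is an assumption made for the example.

```python
import re

# Regular expression quoted on the page: SUNBURST stays dormant on domains that
# contain "test" as a standalone token (case-insensitive).
TEST_DOMAIN_RE = re.compile(r"(?i)([^a-z]|^)(test)([^a-z]|$)")


def domain_is_acceptable(domain: str) -> bool:
    """Return True if the backdoor would keep running on a host in this domain.

    Mirrors the two domain rules on the page: the name must not contain
    "solarwinds" and must not match the "test" regex. The hashed process,
    service and driver blocklists SUNBURST also consults are not reproduced.
    """
    # Assumption for this example: an empty domain (a non-domain-joined host)
    # is treated as a reason to stay dormant.
    if not domain:
        return False
    if "solarwinds" in domain.lower():
        return False
    if TEST_DOMAIN_RE.search(domain):
        return False
    return True


# Constructed domain names; none of them is a real victim.
SAMPLE_DOMAINS = [
    "corp.contoso.com",      # ordinary production domain: passes
    "lab.solarwinds.local",  # vendor's own network: blocked
    "QA.TEST.NET",           # "test" delimited by dots, uppercase: blocked
    "my-test.org",           # "test" delimited by "-" and ".": blocked
    "testing.corp.com",      # "test" glued to "ing": passes the regex
    "contest.org",           # "test" preceded by a letter: passes
]


def triage(domains):
    """Map each domain to the dormant/active decision for a batch of hosts."""
    return {d: domain_is_acceptable(d) for d in domains}


if __name__ == "__main__":
    for name, active in triage(SAMPLE_DOMAINS).items():
        print(f"{name:24} {'would activate' if active else 'stays dormant'}")
```

The point of the sample list is the regex's word-boundary behaviour: "testing" and "contest" pass because the letters on either side of "test" are in a-z, while a dot, hyphen or string boundary on both sides triggers the check. When hunting for dormant installs, this is why a lab domain that merely embeds "test" inside a longer word would not have kept the backdoor quiet.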
Command & Control
Once every check passes, the backdoor communicates directly with its C2 servers.
It first sends basic information about the compromised system.
After that initial exchange, the C2 server returns a compressed buffer of data containing commands for the backdoor to execute.
These commands let the attackers run, stop and enumerate processes; read, write and enumerate files and registry keys; and collect and upload information about the device.
Commands observed during the hands-on-keyboard stage include ADFind, renamed to csrss.exe, enumerating the members of Domain Admins and then every directory object:
C:\Windows\system32\cmd.exe /C csrss.exe -h breached.contoso.com -f (name="Domain Admins") member -list | csrss.exe -h breached.contoso.com -f objectcategory=* > .\Mod\mod1.log
Persistence via a scheduled task named EventCacheManager: the task is registered with schtasks and its execution time limit is then cleared (PT0S means no limit) through the Task Scheduler COM API:
$scheduler = New-Object -ComObject ("Schedule.Service");$scheduler.Connect($env:COMPUTERNAME);$folder = $scheduler.GetFolder("\Microsoft\Windows\SoftwareProtectionPlatform");$task = $folder.GetTask("EventCacheManager");$definition = $task.Definition;$definition.Settings.ExecutionTimeLimit = "PT0S";$folder.RegisterTaskDefinition($task.Name,$definition,6,"System",$null,5);echo "Done"
C:\Windows\system32\cmd.exe /C schtasks /create /F /tn "\Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager" /tr "C:\Windows\SoftwareDistribution\EventCacheManager.exe" /sc ONSTART /ru system /S [machine_name]
Powershell -nop -exec bypass -EncodedCommand
The -EncodedCommand, once decoded, would resemble:
Invoke-WMIMethod win32_process -name create -argumentlist 'rundll32 c:\windows\idmu\common\ypprop.dll _XInitImageFuncPtrs' -ComputerName WORKSTATION
C:\Windows\System32\rundll32.exe C:\Windows\Microsoft.NET\Framework64\[malicious .dll file], [various exports]
Because the implant was staged through rundll32 this way, each compromised device received a unique binary hash, a unique local filesystem path, a pseudo-unique export name and a unique C2 domain, which defeats simple hash- or domain-based correlation across hosts.
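The commands above are the basis for the following added detection example; it is not code from the page or from any vendor's product. It parses constructed, Sysmon-like JSON process-creation events (the field names, host names and the loader DLL name are assumptions for this example) and flags the four behaviours shown: ADFind running under the name csrss.exe, rundll32 loading a DLL from under Microsoft.NET\Framework64, an -EncodedCommand that decodes to WMI-based process creation, and a scheduled task whose action lives under SoftwareDistribution.

```python
import base64
import json
import re

# Decoded form of the -EncodedCommand shown on the page.
WMI_SCRIPT = ("Invoke-WMIMethod win32_process -name create -argumentlist "
              "'rundll32 c:\\windows\\idmu\\common\\ypprop.dll _XInitImageFuncPtrs' "
              "-ComputerName WORKSTATION")


def encode_powershell(script: str) -> str:
    """-EncodedCommand carries base64 over the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell(blob: str) -> str:
    return base64.b64decode(blob).decode("utf-16-le")


# Constructed process-creation events in a Sysmon-like JSON-lines shape. The field
# names, host names and the loader DLL path/export are assumptions for this example.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"host": "ws01", "image": r"C:\Windows\System32\csrss.exe",
     "cmdline": r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows"},
    {"host": "dc01", "image": r"C:\Windows\Temp\csrss.exe",
     "cmdline": r'csrss.exe -h breached.contoso.com -f (name="Domain Admins") member -list'},
    {"host": "ws02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -exec bypass -EncodedCommand " + encode_powershell(WMI_SCRIPT)},
    {"host": "ws03", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\example.dll,ExampleExport"},
    {"host": "ws04", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /C schtasks /create /F /tn "\Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager" /tr "C:\Windows\SoftwareDistribution\EventCacheManager.exe" /sc ONSTART /ru system /S ws04'},
    {"host": "ws05", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL"},
])

SYSTEM32 = "c:\\windows\\system32\\"
ENCODED_SWITCH = re.compile(r"(?i)\s-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)")
ADFIND_ARGS = re.compile(r"(?i)\s-h\s+\S+\s+-f\s")  # ADFind's host/filter switches


def check_event(ev: dict) -> list:
    """Return findings for one process-creation event (empty list = nothing seen)."""
    findings = []
    image = ev["image"].lower()
    name = image.rsplit("\\", 1)[-1]
    cmd = ev["cmdline"]
    low = cmd.lower()

    # Renamed ADFind masquerading as csrss.exe: the real csrss.exe lives only in
    # System32 and never takes LDAP host/filter arguments.
    if name == "csrss.exe" and not image.startswith(SYSTEM32):
        findings.append("csrss.exe running outside System32")
    if "csrss.exe" in low and ADFIND_ARGS.search(cmd):
        findings.append("ADFind-style AD query issued under the name csrss.exe")

    # Per-host loaders were started through rundll32 from under Microsoft.NET\Framework64.
    if name == "rundll32.exe" and "\\microsoft.net\\framework64\\" in low:
        findings.append("rundll32 loading a DLL from Microsoft.NET\\Framework64")

    # Encoded PowerShell: decode it and look for remote process creation through WMI.
    if name == "powershell.exe":
        m = ENCODED_SWITCH.search(cmd)
        if m:
            decoded = decode_powershell(m.group(1))
            if re.search(r"(?i)invoke-wmimethod\s+win32_process\b.*\bcreate\b", decoded):
                findings.append("encoded PowerShell creating a process via WMI: " + decoded[:40])

    # Persistence: a scheduled task whose action is an executable under SoftwareDistribution.
    if "schtasks" in low and "/create" in low and "\\softwaredistribution\\" in low:
        findings.append("scheduled task created with action under SoftwareDistribution")
    return findings


def analyze(log_text: str) -> dict:
    """Parse JSON lines and collect findings per host."""
    results = {}
    for line in log_text.splitlines():
        if line.strip():
            ev = json.loads(line)
            results.setdefault(ev["host"], []).extend(check_event(ev))
    return results


if __name__ == "__main__":
    for host, hits in analyze(SAMPLE_LOG).items():
        print(host, hits or "clean")
```

Two design points carry over to real telemetry: decode -EncodedCommand before matching, since the interesting strings never appear in the raw command line, and key the csrss.exe rule on the image path rather than the process name, because the attackers chose that name precisely so a name-only rule would treat it as a normal system process.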
SUNBURST also inspects the address returned when it resolves its C2 domain. If the answer falls in one of the following IPv6 blocks (each listed as an address and netmask pair: fc00::/7 unique-local, fec0::/10 site-local and ff00::/8 multicast), the backdoor treats it as a signal to stop rather than proceed to C2:
- fc00:: – fe00::
- fec0:: – ffc0::
- ff00:: – ff00::
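The following Python is an added example, not code from the page or from the SUNBURST sample. It applies the three IPv6 entries above exactly as an address-and-mask comparison, which is what the pairs on the page express (the identical start and end of the ff00:: entry only makes sense as a mask), converts each pair to CIDR for use in a resolver or firewall policy, and classifies a constructed set of DNS answers. Only the IPv6 entries quoted on this page are included; the IPv4 entries of the real blocklist are not reproduced.

```python
import ipaddress

# The three IPv6 entries from the page, read as (address, netmask) pairs: the
# backdoor compares (answer & mask) == (base & mask).
KILL_RANGES_V6 = [
    ("fc00::", "fe00::"),  # unique-local addresses (fc00::/7)
    ("fec0::", "ffc0::"),  # deprecated site-local addresses (fec0::/10)
    ("ff00::", "ff00::"),  # multicast (ff00::/8)
]


def masked_match(addr: str, base: str, mask: str) -> bool:
    """True when addr falls in the block described by base/mask."""
    a = int(ipaddress.IPv6Address(addr))
    b = int(ipaddress.IPv6Address(base))
    m = int(ipaddress.IPv6Address(mask))
    return (a & m) == (b & m)


def mask_to_prefixlen(mask: str) -> int:
    """Turn a contiguous netmask such as fe00:: into its prefix length (7)."""
    bits = format(int(ipaddress.IPv6Address(mask)), "0128b")
    ones = len(bits) - len(bits.lstrip("1"))
    if "1" in bits[ones:]:
        raise ValueError(f"non-contiguous mask: {mask}")
    return ones


def as_cidr(base: str, mask: str) -> str:
    """Render an address/mask pair in CIDR form, e.g. for a resolver or firewall policy."""
    return str(ipaddress.IPv6Network(f"{base}/{mask_to_prefixlen(mask)}", strict=False))


def answer_triggers_stop(answer: str) -> bool:
    """Decide whether one DNS answer would make the backdoor stop.

    Only the IPv6 blocks quoted on the page are checked; IPv4 answers return
    False here because the IPv4 entries of the real blocklist are not reproduced.
    """
    if ipaddress.ip_address(answer).version != 6:
        return False
    return any(masked_match(answer, base, mask) for base, mask in KILL_RANGES_V6)


def classify_answers(answers):
    """Map each resolved address to True (stop) or False (continue to C2 logic)."""
    return {a: answer_triggers_stop(a) for a in answers}


if __name__ == "__main__":
    # Constructed answers; the documentation range 2001:db8::/32 stands in for a routable address.
    sample = ["fd12:3456::1", "fec0::5", "ff02::1", "fe80::1", "2001:db8::1", "10.0.0.1"]
    for addr, stop in classify_answers(sample).items():
        print(f"{addr:14} {'stop' if stop else 'continue'}")
    for base, mask in KILL_RANGES_V6:
        print(f"{base} with mask {mask} = {as_cidr(base, mask)}")
```

Note that link-local fe80::/10 is not in the list: fe80 & fe00 is fe00, not fc00, so a link-local answer does not stop the backdoor even though it is just as unroutable as the unique-local block. This is the kind of gap worth knowing about when a sinkhole is meant to exploit these checks.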
File and signer artifacts associated with the trojanized Orion builds:
- CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp (hotfix installer package)
- SolarWinds.Orion.Core.BusinessLayer.dll (the backdoored plugin; several trojanized versions were distributed), signed by Solarwinds Worldwide, LLC
- OrionImprovementBusinessLayer.2.cs (source file name of the inserted backdoor class)
- app_web_logoimagehandler.ashx.b6031896.dll (trojanized Orion web handler DLL)
Three main malware families were reported during this attack:
BEACON: the Cobalt Strike payload. Beaconing is the process by which the malware contacts a C2 server on a predetermined, asynchronous interval to ask for instructions or to exfiltrate collected data. The C2 server hosts the instructions, which are executed on the infected machine after the malware checks in.
SUNBURST: a digitally signed component of the SolarWinds Orion software framework (SolarWinds.Orion.Core.BusinessLayer.dll) that contains a backdoor communicating over HTTP with third-party servers.
TEARDROP: a malicious 64-bit dynamic-link library (DLL) that decrypts and loads a payload from an embedded code buffer. When executed, it first attempts to read the first 64 bytes of a file named festive_computer.