This report is about the recently disclosed SunBurst backdoor and the related malware campaign. The malware campaign has been attributed to APT29, a GRU (Main Intelligence Directorate) Russian military cyber unit. The malware is distributed through an advanced supply chain attack designed to compromise both government and non-government entities via SolarWinds Orion, a widely used system monitoring software.
The compromise starts with a hotfix update to the SolarWinds Orion platform and network monitoring software, SolarWinds-Core-v2019.4.5220-Hotfix5.msp, which was distributed from the vendor’s website. The update is signed by SolarWinds using an older Symantec-issued certificate now provided by DigiCert, so signature checks alone do not reveal the tampering.
The file SolarWinds-Core-v2019.4.5220-Hotfix5.msp contains a malicious DLL, SolarWinds.Orion.Core.BusinessLayer.dll, that is loaded by the legitimate process SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe.
After the hotfix is installed legitimately by an organization administrator, the malware lies dormant, activating only if the attackers deem the environment to be of sufficient value.
The second-stage payload is retrieved when the malicious DLL queries a hardcoded domain that returns the location from which to download the next file. Once the appropriate command & control server is found, the DLL downloads a backdoor called Teardrop, which runs through a series of registry key and file header checks before extracting CobaltStrike. CobaltStrike then connects to the next command & control server, which may vary depending on which image file (.jpg) the header is pulled from.
Once CobaltStrike is installed, it downloads a new DLL file called resources.dll. This uses WMI (Windows Management Instrumentation) to query lsass.exe for usable credentials to dump, much like Mimikatz. The bad actor can then query Active Directory with a tool called AdFind and save specific results.
It is important to note that the bad actor has created localized C2 infrastructure that mimics the naming conventions found in the target’s environment in order to reduce suspicion.
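Because the trojaned DLL carries a valid vendor signature, the detectable part of the chain described above is behavioural: the Orion host process (or something it spawned) opening lsass.exe, and AdFind being run. The following is an added defender-side example, not code from the report or from SolarWinds; it assumes a constructed `host|event|pid|ppid|image|target` log format and embeds constructed sample events.

```python
from collections import defaultdict

# Constructed event format (assumption, not a real Sysmon export):
#   host|event|pid|ppid|image|target
# ProcessCreate: pid/image = new process, ppid/target = parent process
# ProcessAccess: pid/image = source process, target = process it opened
# ImageLoad:     pid/image = loading process, target = DLL loaded
SAMPLE_EVENTS = [
    r"host01|ImageLoad|1200|0|C:\Program Files\SolarWinds\Orion\SolarWinds.BusinessLayerHost.exe|C:\Program Files\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll",
    r"host01|ProcessCreate|4410|1200|C:\Windows\System32\cmd.exe|C:\Program Files\SolarWinds\Orion\SolarWinds.BusinessLayerHost.exe",
    r"host01|ProcessAccess|4410|0|C:\Windows\System32\cmd.exe|C:\Windows\System32\lsass.exe",
    r"host02|ProcessAccess|1500|0|C:\Windows\System32\csrss.exe|C:\Windows\System32\lsass.exe",
    r"host03|ProcessCreate|5000|4999|C:\Users\admin\AppData\Local\Temp\adfind.exe|C:\Windows\System32\cmd.exe",
]

ORION_HOSTS = {"solarwinds.businesslayerhost.exe", "solarwinds.businesslayerhostx64.exe"}
AD_RECON_TOOLS = {"adfind.exe"}

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def parse_event(line):
    host, event, pid, ppid, image, target = line.split("|")
    return {"host": host, "event": event, "pid": int(pid), "ppid": int(ppid),
            "image": _basename(image), "target": _basename(target)}

def descends_from_orion(pid, procs):
    """Walk the recorded parent chain; True if any ancestor is the Orion host process."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        image, ppid = procs[pid]
        if image in ORION_HOSTS:
            return True
        pid = ppid
    return False

def detect(lines):
    procs = defaultdict(dict)  # host -> pid -> (image, parent pid)
    findings = []
    for ev in map(parse_event, lines):
        tbl = procs[ev["host"]]
        if ev["event"] == "ImageLoad":
            # Orion loading its own signed BusinessLayer DLL is expected; record it only
            # as process context, since the signature does not expose the trojaned build.
            tbl.setdefault(ev["pid"], (ev["image"], -1))
        elif ev["event"] == "ProcessCreate":
            tbl.setdefault(ev["ppid"], (ev["target"], -1))  # parent may predate logging
            tbl[ev["pid"]] = (ev["image"], ev["ppid"])
            if ev["image"] in AD_RECON_TOOLS:
                findings.append((ev["host"], f"{ev['image']} executed"))
        elif ev["event"] == "ProcessAccess":
            tbl.setdefault(ev["pid"], (ev["image"], -1))
            if ev["target"] == "lsass.exe" and descends_from_orion(ev["pid"], tbl):
                findings.append((ev["host"], "lsass.exe opened from the Orion process tree"))
    return findings
```

The csrss.exe access on host02 is deliberately left unflagged: lsass.exe is opened by many benign Windows components, so the rule keys on the Orion ancestry rather than on lsass access alone.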
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.