Sunburst
Sunburst is a trojanized DLL designed to fit within the SolarWinds Orion software update framework. It was used by UNC2452 since at least February 2020.[1][2]
Techniques Used
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.004 | Application Layer Protocol: DNS | Sunburst used DNS for C2 traffic designed to mimic normal SolarWinds API communications.[3]
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Sunburst communicated via HTTP GET or HTTP POST requests to third party servers for C2.[3]
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Sunburst used VBScripts to initiate the execution of payloads.[2]
Enterprise | T1132.001 | Data Encoding: Standard Encoding |
Enterprise | T1005 | Data from Local System | Sunburst collected information from a compromised host.[4][3]
Enterprise | T1001.003 | Data Obfuscation: Protocol Impersonation | Sunburst masqueraded its network traffic as the Orion Improvement Program (OIP) protocol.[3]
Enterprise | T1001.002 | Data Obfuscation: Steganography | Sunburst C2 data attempted to appear as benign XML related to .NET assemblies or as a faux JSON blob.[3][5][6]
Enterprise | T1001.001 | Data Obfuscation: Junk Data |
Enterprise | T1568 | Dynamic Resolution | Sunburst dynamically resolved C2 infrastructure for randomly-generated subdomains within a parent domain.[3]
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Sunburst encrypted C2 traffic using a single-byte-XOR cipher.[3]
Enterprise | T1546.012 | Event Triggered Execution: Image File Execution Options Injection | Sunburst created an Image File Execution Options (IFEO) Debugger registry value for the process
Enterprise | T1083 | File and Directory Discovery | Sunburst had commands to enumerate files and directories.[3][4]
Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Sunburst attempted to disable software security services following checks against a FNV-1a + XOR hashed hardcoded blocklist.[5]
Enterprise | T1070 | Indicator Removal on Host | Sunburst removed IFEO values to clean up traces of execution.[2]
Enterprise | T1070.004 | Indicator Removal on Host: File Deletion |
Enterprise | T1105 | Ingress Tool Transfer | Sunburst delivered different payloads, including Teardrop in at least one instance.[3]
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Sunburst created VBScripts that were named after existing services or folders to blend into legitimate activities.[2]
Enterprise | T1112 | Modify Registry | Sunburst had commands that allow an attacker to write or delete registry keys, and was observed stopping services by setting their
Enterprise | T1027 | Obfuscated Files or Information | Sunburst strings were compressed and encoded in Base64.[4] Sunburst also obfuscated collected system information using a FNV-1a + XOR algorithm.[3]
Enterprise | T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools | Sunburst source code used generic variable names and pre-obfuscated strings, and was likely sanitized of developer comments before being added to Sunspot.[7]
Enterprise | T1057 | Process Discovery | Sunburst collected a list of process names that were hashed using a FNV-1a + XOR algorithm to check against similarly-hashed hardcoded blocklists.[3]
Enterprise | T1012 | Query Registry | Sunburst collected the registry value
Enterprise | T1218.011 | Signed Binary Proxy Execution: Rundll32 |
Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Sunburst checked for a variety of antivirus/endpoint detection agents prior to execution.[4][5]
Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | Sunburst was digitally signed by SolarWinds from March - May 2020.[3]
Enterprise | T1082 | System Information Discovery | Sunburst collected hostname, OS version, and device uptime.[3][4]
Enterprise | T1016 | System Network Configuration Discovery | Sunburst collected all network interface MAC addresses that are up and not loopback devices, as well as IP address, DHCP configuration, and domain information.[3]
Enterprise | T1033 | System Owner/User Discovery | Sunburst collected the username from a compromised host.[3][4]
Enterprise | T1007 | System Service Discovery | Sunburst collected a list of service names that were hashed using a FNV-1a + XOR algorithm to check against similarly-hashed hardcoded blocklists.[3]
Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | Sunburst remained dormant after initial access for a period of up to two weeks.[3]
Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | Sunburst checked the domain name of the compromised host to verify it was running in a real environment.[4]
Enterprise | T1047 | Windows Management Instrumentation | Sunburst used the WMI query
Groups That Use This Software
ID | Name | References
---|---|---
G0118 | UNC2452 |
References
1. Sudhakar Ramakrishna. (2021, January 11). New Findings From Our Investigation of SUNBURST. Retrieved January 13, 2021.
2. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021.
3. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
4. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers. Retrieved January 5, 2021.
5. Stephen Eckels, Jay Smith, William Ballenthin. (2020, December 24). SUNBURST Additional Technical Details. Retrieved January 6, 2021.
6. Symantec Threat Hunter Team. (2021, January 22). SolarWinds: How Sunburst Sends Data Back to the Attackers. Retrieved January 22, 2021.
7. CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.