SUNSPOT: An injective attempt to execute a manual supply chain attack
Threat actors leveraged SUNSPOT to automatically inject the SUNBURST backdoor into the Orion app build process after executing the manual supply chain attack.
26 Jan 2021

SUNSPOT was discovered on disk by CrowdStrike with a filename of taskhostsvc.exe (SHA256 hash: c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168). It is a StellarParticle malware strain that its developers internally dubbed taskhostw.exe. Cybersecurity researchers at CrowdStrike uncovered its direct involvement while analysing the threat actors' intent behind the SolarWinds attack. The analysis revealed that the threat actors leveraged SUNSPOT to automatically inject the SUNBURST backdoor into the Orion app build process after executing the manual supply chain attack. A build process is a type of software that developers often use to assemble smaller components into larger software applications. SUNSPOT is considered the third malware strain, alongside SUNBURST (Solorigate) and TEARDROP. However, the threat actors deployed it back in September 2019, at the beginning of this cyberespionage operation, replacing source code with malicious code to breach the SolarWinds system while remaining dormant.

When SUNSPOT finds the Orion solution file path in a running MsBuild.exe process, it replaces a source code file in the solution directory.

While SUNSPOT supports replacing multiple files, the identified copy only replaces InventoryManager.cs.

The SUNBURST malicious code and target file paths are stored in an AES128-CBC encrypted blob and are protected using the same key and initialisation vector.

Build errors would most likely prompt troubleshooting by the Orion developers and lead to the adversary's discovery. SUNSPOT's developers therefore included a hash verification check, likely to ensure that the injected backdoored code is compatible with a known source file and to avoid replacing the file with garbage data from a failed decryption.

In the exemplar SUNSPOT sample, the MD5 hash for the backdoored source code is 5f40b59ee2a9ac94ddb6ab9e3bd776ca.

SUNSPOT's developers prioritised operational security to avoid revealing their presence in the build environment to SolarWinds developers.

"The design of SUNSPOT suggests StellarParticle developers invested a lot of effort to ensure the code was properly inserted and remained undetected, and prioritised operational security to avoid revealing their presence in the build environment to SolarWinds developers," CrowdStrike found.

"This highly sophisticated and novel code was designed to inject the SUNBURST malicious code into the SolarWinds Orion platform without arousing the suspicion of our software development and build teams," SolarWinds CEO Sudhakar Ramakrishna added.

INVESTIGATIVE ANALYSIS

The initial investigation indicated possible Russian-backed involvement in the SolarWinds attack, which was later linked to the activity tracked as UNC2452 by FireEye and Dark Halo by Volexity.

CrowdStrike said SUNSPOT had a single purpose: to watch the build server for build commands that assembled the Orion platform, which is used by more than 33,000 customers globally.

It monitors the running processes for those involved in the Orion product's compilation and replaces one of the source files to include the SUNBURST backdoor code.

Several safeguards were added to SUNSPOT to keep the Orion builds from failing, which could have alerted developers to the adversary's presence.

SUNSPOT was likely built on 2020-02-20 11:40:02, according to the build timestamp found in the binary, which is consistent with the currently assessed StellarParticle manual supply chain attack timeline. StellarParticle operators maintained SUNSPOT's persistence by creating a scheduled task set to execute when the host boots.

When executed, SUNSPOT creates a mutex named {12d61a41-4b74-7610-a4d8-3028d2f56395} to ensure that only a single instance is running. It then creates an encrypted log file at C:\Windows\Temp\vmware-vmdmp.log. Individual log entries are encrypted with the stream cipher RC4, using the hard-coded key FC F3 2A 83 E5 F6 D0 24 A6 BF CE 88 30 C2 48 E7. Throughout its execution, SUNSPOT logs errors to this file, along with other deployment details. Log entries are delimited by the hex string 32 78 A5 E7 1A 79 91 AC and start with the number of seconds elapsed since the first log line. Most log lines corresponding to an error include a step number, and understanding what a step means requires knowledge of the malware.

The step numbers do not follow the actual execution order, suggesting the developers added calls to the logging function as they progressed and as needed while creating the malware, to focus their debugging efforts on one part of the source code. An extract of a log file generated by SUNSPOT in a test environment is shown below.

0.000 START

22.781[3148] + 'msbuild.exe' [6252]

181.421[3148] - 0

194.343[3148] -

194.343[13760] + 'msbuild.exe' [6252]

322.812[13760] - 0

324.250[13760] -

324.250[14696] + 'msbuild.exe' [6252]

351.125[14696] - 0

352.031[14176] + 'msbuild.exe' [6252]

369.203[14696] -

375.093[14176] - 0

376.343[14176] -

376.343[11864] + 'msbuild.exe' [6252]

426.500[11864] - 0

439.953[11864] -

439.953[9204] + 'msbuild.exe' [6252]

485.343[9204] Solution directory: C:\Users\User\Source

485.343[ERROR] Step4('C:\Users\User\Source\Src\Lib\SolarWinds.Orion.Core.BusinessLayer\BackgroundInventory\InventoryManager.cs') fails
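
For responders who recover vmware-vmdmp.log from a build host, the log format described above can be decoded and triaged as in the following added example, which is not code from CrowdStrike or from the original article. It assumes each entry is encrypted independently with a fresh RC4 state and is followed by the delimiter, and that the plaintext fields look like the excerpt; the sample blob is constructed here from the excerpt's lines.

```python
import re

# Key and entry delimiter are the values quoted in the article.
RC4_KEY = bytes.fromhex("FCF32A83E5F6D024A6BFCE8830C248E7")
DELIM = bytes.fromhex("3278A5E71A7991AC")
# Assumed plaintext layout, taken from the excerpt: seconds, optional [tag], message.
# The article does not say what the bracketed number identifies.
ENTRY = re.compile(r"^(?P<secs>\d+\.\d+)\s*(?:\[(?P<tag>[^\]]+)\])?\s*(?P<msg>.*)$", re.S)

def rc4(key, data):
    """Textbook RC4 (KSA then PRGA); the same call encrypts and decrypts."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def decode_log(blob):
    """Split on the delimiter, decrypt each entry with a fresh RC4 state, parse it."""
    events = []
    for chunk in filter(None, blob.split(DELIM)):
        text = rc4(RC4_KEY, chunk).decode("utf-8", errors="replace").strip()
        m = ENTRY.match(text)
        events.append({"secs": float(m["secs"]), "tag": m["tag"], "msg": m["msg"]}
                      if m else {"secs": None, "tag": None, "msg": text})
    return events

def triage(events):
    """Entries worth an analyst's attention: failed steps and located solution dirs."""
    return [e for e in events
            if e["tag"] == "ERROR" or e["msg"].startswith("Solution directory:")]

# Constructed sample: lines from the article's excerpt, encrypted with rc4() above.
SAMPLE_LINES = [
    "0.000 START",
    "22.781[3148] + 'msbuild.exe' [6252]",
    "181.421[3148] - 0",
    r"485.343[9204] Solution directory: C:\Users\User\Source",
    r"485.343[ERROR] Step4('C:\Users\User\Source\Src\Lib\SolarWinds.Orion.Core"
    r".BusinessLayer\BackgroundInventory\InventoryManager.cs') fails",
]
SAMPLE_BLOB = b"".join(rc4(RC4_KEY, line.encode()) + DELIM for line in SAMPLE_LINES)
```

Calling `triage(decode_log(SAMPLE_BLOB))` returns the solution-directory entry and the Step4 failure; on a real host, pass the bytes of the recovered log file to `decode_log` instead.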

The malware then grants itself debugging privileges by modifying its security token to add SeDebugPrivilege. This is a prerequisite step for the remainder of SUNSPOT's execution, which involves reading other processes' memory.

[Figure: SolarWinds attack timeline. Source: SolarWinds]

With the recovery of several SUNBURST samples, a fourth malware strain came to light, one that is not likely linked to StellarParticle. However, it used the same trojanized Orion builds to deliver its payloads. Symantec said it identified this malware strain, termed Raindrop, for the first time during its analysis of the SolarWinds manual supply chain attack; Palo Alto Networks Unit 42 and Microsoft also discovered it in the same process.

Raindrop was used by the threat actors at the very last stage of the SolarWinds cyber intrusion and was deployed only on the networks of a very few selected targets.

Symantec said it has encountered only four Raindrop samples to date.

An additional malware strain, labelled SUPERNOVA, was deployed as a DLL file that allowed threat actors to remotely send, compile, and execute C# code on compromised machines.

Source: CrowdStrike