SUNBURST

SUNBURST is a trojanized DLL designed to fit within the SolarWinds Orion software update framework. It was used by APT29 since at least February 2020.[1][2]

ID: S0559
Associated Software: Solorigate
Type: MALWARE
Platforms: Windows
Contributors: Daniyal Naeem, BT Security; Matt Brenton, Zurich Insurance Group
Version: 2.5
Created: 05 January 2021
Last Modified: 26 December 2023

Associated Software Descriptions

Name Description
Solorigate [2]

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

SUNBURST used the WMI query Select * From Win32_SystemDriver to retrieve a driver listing.[3]

Enterprise T1546 .012 Event Triggered Execution: Image File Execution Options Injection

SUNBURST created an Image File Execution Options (IFEO) Debugger registry value for the process dllhost.exe to trigger the installation of Cobalt Strike.[2]

Enterprise T1005 Data from Local System

SUNBURST collected information from a compromised host.[4][3]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

SUNBURST created VBScripts that were named after existing services or folders to blend into legitimate activities.[2]

Enterprise T1112 Modify Registry

SUNBURST had commands that allow an attacker to write or delete registry keys, and was observed stopping services by setting their HKLM\SYSTEM\CurrentControlSet\services\[service_name]\Start registry entries to value 4.[3][4] It also deleted previously-created Image File Execution Options (IFEO) Debugger registry values and registry keys related to HTTP proxy to clean up traces of its activity.[2]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

SUNBURST encrypted C2 traffic using a single-byte-XOR cipher.[3]

Enterprise T1568 Dynamic Resolution

SUNBURST dynamically resolved C2 infrastructure for randomly-generated subdomains within a parent domain.[3]

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

SUNBURST used VBScripts to initiate the execution of payloads.[2]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

SUNBURST attempted to disable software security services following checks against a FNV-1a + XOR hashed hardcoded blocklist.[5]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

SUNBURST communicated via HTTP GET or HTTP POST requests to third party servers for C2.[3]

.004 Application Layer Protocol: DNS

SUNBURST used DNS for C2 traffic designed to mimic normal SolarWinds API communications.[3]
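
The two DNS entries above (dynamic resolution of random-looking subdomains under one parent, and DNS used as the C2 channel itself) describe a pattern that is easy to hunt for in resolver logs. The following detector is an added example and is not code from the page, from SolarWinds, or from the malware. It assumes a constructed log format of `<timestamp> <client> <qtype> <qname>`, treats the last two labels as the parent domain (a production version would consult the Public Suffix List), and uses thresholds chosen for illustration; the domain names in the sample log are constructed.

```python
"""Added example: flag parent domains that receive many distinct, long,
high-entropy subdomain lookups, the shape of traffic the page describes.
Log format, parent-domain rule and thresholds are assumptions."""
from __future__ import annotations

import math
from collections import defaultdict
from typing import Iterator

# Constructed sample log. example-cloud.net stands in for an attacker-controlled
# parent domain; the remaining lines are ordinary traffic for contrast.
SAMPLE_LOG = """\
2021-01-05T10:00:01Z 10.0.0.5 A 7sbvaemscs0mc925tb99.appsync.example-cloud.net
2021-01-05T10:00:11Z 10.0.0.5 A r1q68vqhhrk1bxg0bjkd.appsync.example-cloud.net
2021-01-05T10:00:21Z 10.0.0.5 A 6a57jk2ba1d9keg15cbg.appsync.example-cloud.net
2021-01-05T10:00:31Z 10.0.0.5 A mhdosoktacf9sni9wcp.appsync.example-cloud.net
2021-01-05T10:00:41Z 10.0.0.5 A lcomaei56j8c4xefrra.appsync.example-cloud.net
2021-01-05T10:00:51Z 10.0.0.5 A k5kcubuassl3alrf7gm3.appsync.example-cloud.net
2021-01-05T10:01:01Z 10.0.0.7 A www.example.com
2021-01-05T10:01:05Z 10.0.0.7 A mail.example.com
2021-01-05T10:01:09Z 10.0.0.7 A www.example.com
2021-01-05T10:01:13Z 10.0.0.8 A downloads.cdn-host.example
2021-01-05T10:01:17Z 10.0.0.8 A a1b2c3d4e5f6g7h8i9j0.static.cdn-host.example
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random base-32/36 labels score high."""
    if not s:
        return 0.0
    counts: dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_qname(qname: str, parent_labels: int = 2) -> tuple[str, str]:
    """Return (leftmost label, parent domain). Using the last two labels as the
    parent is an assumption; real deployments should use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= parent_labels:
        return "", ".".join(labels)
    return labels[0], ".".join(labels[-parent_labels:])


def parse_log(text: str) -> Iterator[tuple[str, str]]:
    """Yield (client, qname) from the constructed log format; skip malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        _timestamp, client, _qtype, qname = fields
        yield client, qname


def suspicious_parents(
    log_text: str,
    min_distinct: int = 5,
    min_len: int = 12,
    min_entropy: float = 3.0,
) -> dict[str, int]:
    """Map parent domain -> number of distinct random-looking leftmost labels,
    keeping only parents at or above min_distinct."""
    per_parent: dict[str, set[str]] = defaultdict(set)
    for _client, qname in parse_log(log_text):
        host, parent = split_qname(qname)
        if len(host) >= min_len and shannon_entropy(host) >= min_entropy:
            per_parent[parent].add(host)
    return {p: len(hs) for p, hs in per_parent.items() if len(hs) >= min_distinct}


if __name__ == "__main__":
    for parent, count in suspicious_parents(SAMPLE_LOG).items():
        print(f"{parent}: {count} distinct high-entropy subdomains")
```

The single long random label under cdn-host.example is deliberately not flagged: one odd hostname is normal, a steady stream of fresh ones under the same parent is the signal. Tune `min_distinct` to the window length you aggregate over, and expect CDNs and telemetry services to need an allowlist.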

Enterprise T1001 .001 Data Obfuscation: Junk Data

SUNBURST added junk bytes to its C2 over HTTP.[3]

.002 Data Obfuscation: Steganography

SUNBURST C2 data attempted to appear as benign XML related to .NET assemblies or as a faux JSON blob.[3][5][6]

.003 Data Obfuscation: Protocol or Service Impersonation

SUNBURST masqueraded its network traffic as the Orion Improvement Program (OIP) protocol.[3]

Enterprise T1132 .001 Data Encoding: Standard Encoding

SUNBURST used Base64 encoding in its C2 traffic.[3]
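
The Symmetric Cryptography entry above says C2 traffic was protected with a single-byte XOR, and this entry says the result was Base64-encoded. Together those give a wrapper that looks opaque in a packet capture but is trivial to undo. The following is an added example, not SUNBURST's code: it builds that wrapper around a constructed JSON beacon (the field names and the key 0x5A are illustrative) and then shows the defender-side recovery, which needs no key at all because there are only 256 candidates and only one of them yields a parseable JSON object.

```python
"""Added example: single-byte XOR + Base64 as the page describes, with
brute-force key recovery. Beacon content and key are constructed."""
from __future__ import annotations

import base64
import json


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; applying it twice restores the input."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes(b ^ key for b in data)


def encode_c2(payload: dict, key: int) -> str:
    """Malware-side: compact JSON -> XOR -> Base64 text safe for HTTP/DNS."""
    raw = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(xor_single_byte(raw, key)).decode("ascii")


def decode_c2(blob: str, key: int) -> dict:
    """Inverse of encode_c2 when the key is known."""
    return json.loads(xor_single_byte(base64.b64decode(blob), key).decode("utf-8"))


def recover_keys(blob: str) -> list[int]:
    """Defender-side: try all 256 keys and keep those whose output is a JSON
    object. With a single-byte XOR the key space is too small to matter."""
    raw = base64.b64decode(blob)
    hits: list[int] = []
    for key in range(256):
        try:
            obj = json.loads(xor_single_byte(raw, key).decode("utf-8"))
        except ValueError:  # covers UnicodeDecodeError and JSONDecodeError
            continue
        if isinstance(obj, dict):
            hits.append(key)
    return hits


# Constructed beacon, loosely modelled on the host facts the page lists
# (hostname, username, OS version, uptime). Not captured traffic.
SAMPLE_BEACON = {"host": "WS01", "user": "jdoe", "os": "10.0.19041", "uptime": 86400}
SAMPLE_KEY = 0x5A  # illustrative key, not the sample's
SAMPLE_BLOB = encode_c2(SAMPLE_BEACON, SAMPLE_KEY)


if __name__ == "__main__":
    print("wire form :", SAMPLE_BLOB)
    keys = recover_keys(SAMPLE_BLOB)
    print("candidate keys:", [hex(k) for k in keys])
    print("decoded   :", decode_c2(SAMPLE_BLOB, keys[0]))
```

The JSON check works as the plausibility filter here because the page says the C2 data was dressed up as XML or JSON; for a different known structure, substitute the corresponding parser or a crib such as the expected first bytes. The point for detection engineering is that Base64 plus a one-byte XOR hides content from string matching but gives no confidentiality against anyone who captures the traffic.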

Enterprise T1083 File and Directory Discovery

SUNBURST had commands to enumerate files and directories.[3][4]

Enterprise T1012 Query Registry

SUNBURST collected the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid from compromised hosts.[3]

Enterprise T1027 Obfuscated Files or Information

SUNBURST strings were compressed and encoded in Base64.[4] SUNBURST also obfuscated collected system information using a FNV-1a + XOR algorithm.[3]

.005 Indicator Removal from Tools

SUNBURST source code used generic variable names and pre-obfuscated strings, and was likely sanitized of developer comments before being added to SUNSPOT.[7]

Enterprise T1070 Indicator Removal

SUNBURST removed HTTP proxy registry values to clean up traces of execution.[2]

.004 File Deletion

SUNBURST had a command to delete files.[3][4]

.007 Clear Network Connection History and Configurations

SUNBURST also removed the firewall rules it created during execution.[2]

.009 Clear Persistence

SUNBURST removed IFEO registry values to clean up traces of persistence.[2]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

SUNBURST used Rundll32 to execute payloads.[2]

Enterprise T1082 System Information Discovery

SUNBURST collected hostname and OS version.[3][4]

Enterprise T1033 System Owner/User Discovery

SUNBURST collected the username from a compromised host.[3][4]

Enterprise T1124 System Time Discovery

SUNBURST collected device UPTIME.[3][4]

Enterprise T1007 System Service Discovery

SUNBURST collected a list of service names that were hashed using a FNV-1a + XOR algorithm to check against similarly-hashed hardcoded blocklists.[3]

Enterprise T1016 System Network Configuration Discovery

SUNBURST collected all network interface MAC addresses that are up and not loopback devices, as well as IP address, DHCP configuration, and domain information.[3]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

SUNBURST checked the domain name of the compromised host to verify it was running in a real environment.[4]

.003 Virtualization/Sandbox Evasion: Time Based Evasion

SUNBURST remained dormant after initial access for a period of up to two weeks.[3]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

SUNBURST checked for a variety of antivirus/endpoint detection agents prior to execution.[4][5]

Enterprise T1105 Ingress Tool Transfer

SUNBURST delivered different payloads, including TEARDROP in at least one instance.[3]

Enterprise T1057 Process Discovery

SUNBURST collected a list of process names that were hashed using a FNV-1a + XOR algorithm to check against similarly-hashed hardcoded blocklists.[3]
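
The FNV-1a + XOR scheme appears four times on this page: the Disable or Modify Tools, Obfuscated Files or Information, System Service Discovery and Process Discovery entries all describe names being hashed and compared against hardcoded hashed blocklists. The following is an added example and not SUNBURST's code. It implements 64-bit FNV-1a followed by the XOR step, runs a blocklist check the way the backdoor did, and then shows the defender-side dictionary attack that turns hardcoded digests back into tool names. Assumptions: the XOR constant is the value reported in public analyses of the sample, names are lower-cased before hashing, and the blocklist names are constructed here rather than taken from the malware.

```python
"""Added example: FNV-1a + XOR name hashing as described on the page, with a
malware-style blocklist check and a defender-style hash crack.
The XOR constant, lower-casing and blocklist names are assumptions."""
from __future__ import annotations

FNV1A64_OFFSET_BASIS = 0xCBF29CE484222325
FNV1A64_PRIME = 0x100000001B3
MASK64 = 0xFFFFFFFFFFFFFFFF
SUNBURST_XOR_KEY = 0x5BAC903BA7BF31B8  # constant from public analyses; treat as an assumption


def fnv1a64(data: bytes) -> int:
    """Plain 64-bit FNV-1a: XOR each byte in, then multiply by the FNV prime."""
    h = FNV1A64_OFFSET_BASIS
    for b in data:
        h ^= b
        h = (h * FNV1A64_PRIME) & MASK64
    return h


def sunburst_hash(name: str) -> int:
    """FNV-1a over the lower-cased UTF-8 name, then XOR with the fixed key.

    The XOR changes nothing about the hash's strength; it only stops the
    digests from being looked up in generic FNV-1a rainbow tables."""
    return fnv1a64(name.lower().encode("utf-8")) ^ SUNBURST_XOR_KEY


# Constructed blocklist. The real sample stores only 64-bit digests; deriving
# them from plaintext here keeps the example self-checking.
BLOCKLIST_NAMES = ("procmon", "procmon64", "procexp", "windbg", "x64dbg", "wireshark")
BLOCKLIST_HASHES = frozenset(sunburst_hash(n) for n in BLOCKLIST_NAMES)


def blocked_processes(running: list[str]) -> list[str]:
    """Malware-side check: which running process names hit the blocklist?"""
    return [p for p in running if sunburst_hash(p) in BLOCKLIST_HASHES]


def crack_hash(target: int, candidates: list[str]) -> str | None:
    """Defender-side check: dictionary-attack one hardcoded digest.

    An unkeyed, unsalted, fast hash over short tool names offers no real
    protection; a wordlist of security tools recovers the plaintext quickly."""
    for name in candidates:
        if sunburst_hash(name) == target:
            return name
    return None


if __name__ == "__main__":
    for name in BLOCKLIST_NAMES:
        print(f"{name:12s} {sunburst_hash(name):#018x}")
    print(blocked_processes(["explorer", "Procmon64", "svchost", "wireshark"]))
    print(crack_hash(sunburst_hash("windbg"), ["notepad", "windbg", "cmd"]))
```

Two practical uses follow from this. Analysts with a published list of the sample's digests can hash their own process, service and driver names and see which of their tools the backdoor would have reacted to; and because the scheme is a plain hash with a fixed XOR, the published digests can be cracked with a wordlist in seconds, which is how the blocklisted tool names became public.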

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

SUNBURST was digitally signed by SolarWinds from March - May 2020.[3]

Groups That Use This Software

ID Name References
G0016 APT29 [3][8][9][10][11][12]

Campaigns

References