Cybersecurity firm FireEye and Microsoft have uncovered a new backdoor malware, dubbed SUNSHUTTLE, which Russian hackers possibly leveraged to target multiple organizations’ IT networks after exploiting vulnerabilities in SolarWinds’ IT monitoring software.
Fresh reports from FireEye and Microsoft have uncovered the use of a second-stage backdoor, dubbed SUNSHUTTLE, by state-sponsored Russian hackers to compromise the networks of nearly a dozen U.S. government agencies and around 100 private organizations worldwide.
Here’s a new backdoor for ya: SUNSHUTTLE â˜€ï¸ ðŸšŒ
It’s written in GO and uses cookie headers to pass values to the C&C. If configured, it can select referrers from a list of popular web URLs to help such network traffic “blend in.”
Get all the details ðŸ‘‰ pic.twitter.com/cnT29J1SojOpens a new window
â€” Mandiant (@Mandiant) March 4, 2021Opens a new window
Mandiant, a subsidiary of FireEye, which is leading the company’s investigation into the SolarWinds attack, recently discovered the SUNSHUTTLE backdoor malware in a public malware repository. Researchers noted that the malware was uploaded to the repository by a U.S.-based entity back in August 2020.
â€œThe new SUNSHUTTLE backdoor is a sophisticated second-stage backdoor that demonstrates straightforward but elegant detection evasion techniques via its â€˜blend-in’ traffic capabilities for C2 communications,â€ wrote FireEye researchers Lindsay SmithOpens a new window , Jonathan LeatheryOpens a new window , and Ben ReadOpens a new window in a blog post. â€œSUNSHUTTLE would function as a second-stage backdoor in such a compromise for conducting network reconnaissance alongside other SUNBURST-related tools.â€
Very few HTTP requests are ever naturally formed where the Referer comes of a root of something like facebook or . Great blog here by Microsoft talking GoldMax (aka SUNSHUTTLE) and its faux HTTP styles. pic.twitter.com/D1Ah21RIGfOpens a new window
â€” Steve Miller (@stvemillertime) March 4, 2021Opens a new window
SUNSHUTTLE is written in GoLang, an open-source programming language. According to researchers, SUNSHUTTLE enabled hackers to read a local configuration file embedded on the target system and communicate with a hard-coded command and control (C2) server over HTTPS. It also enabled an attacker to remotely upload and download files and carry out arbitrary command execution.
Security researchers have so far identified four malware strains, namely Sunspot, Sunburst, Teardrop, and Raindrop, that were deployed by hackers to execute the SolarWinds hack successfully. Mandiant continues to track UNC2542 (another term for the exploit) but has not been able to verify if hackers used SUNSHUTTLE in their attack campaign. Other companies also involved in the investigation include Palo Alto Networks’ Palo Alto Unit 42 (SolarStorm), Crowdstrike (StellarParticle), and Veloxity (Dark Halo).
Microsoft Uncovers 2 More Malware Strains Possible Used in SolarWinds Hack
Redmond-based Microsoft, which is also investigating the SolarWinds hack, also identified three new malware strains, including SUNSHUTTLE, which it calls GoldMax, that hackers possibly used. The other two malware strains identified by the company are Sibot and GoldFinger.
New backdoor malware with national security implications identified. #SunshuttleOpens a new window
â€” Steve Herman (@W7VOA) March 4, 2021Opens a new window
According to Microsoft, all three malware strains are regularly used in late-stage activity by the same threat actors. The company believes that SUNSHUTTLE (GoldMax) possibly infiltrated several organizations’ IT systems as far back as June last year, long before the SolarWinds hack took place.
Microsoft describes GoldMax as a second-stage C2 backdoor that exploits high-reputation domains to avoid detection by anti-malware defenses. â€œGoldMax/SUNSHUTTLE’s network behaviors â€“a combination of resold longstanding domains for C2 and decoy benign network trafficâ€“ are a solid example of why you don’t rely solely on network logging for anomaly detection. Endpoint visibility is key,â€ says Juan Andres Guerrero-SaadeOpens a new window , Principal Threat Researcher at SentinelOne.
Written in Microsoft’s VBScript programming language, Sibot is a dual-purpose malware that enables hackers to download and execute malicious DLL files in the System32 folder in Windows. â€œSibot reaches out to a legitimate but compromised website to download a DLL to a folder under System32. In observed instances the DLL is downloaded to C:windowssystem32drivers, renamed with a .sys extension, and then executed by rundll32,â€ said Ramin Nafisi of Microsoft Threat Intelligence Center and Andrea LelliOpens a new window of Microsoft 365 Defender Research Team.
GoldFinger, written in Google’s Go programming language, is an HTTP tracing tool designed to help threat actors identify and communicate with any existing points of discovery. It also allows attackers to check if their activities, such as communication with C2 through GoldMax, are being traced and logged.
â€œMicrosoft assesses that the newly surfaced pieces of malware were used by the actor to maintain persistence and perform actions on very specific and targeted networks post-compromise, even evading initial detection during incident response,â€ the company added.
Redmond also noted that each victim was targeted using tailor-made hacking infrastructure and tools. This creates a possibility of hackers using many more specialized tools and malware to gain access to enterprise systems by exploiting vulnerabilities in popular IT solutions, such as SolarWinds’ Orion and Accellion’s FTA, which are used by a large number of organizations worldwide.