On December 8th, 2020, FireEye announced that it had suffered an attack in which the company's proprietary Red Team tools were exposed. In response, they published IOCs and detection rules that allow any use of those tools to be identified.
Shortly after, they reported to the community an attack in which SolarWinds software had been compromised. Specifically, the problem lies in the updates to the legitimate SolarWinds Orion platform, versions 2019.4 HF5 through 2020.2.1. FireEye found that the software had been trojanized with a backdoor, which can in turn be used to deliver further malware; they named it SUNBURST. Microsoft, for its part, calls the same malware Solorigate. The backdoor establishes communication with a C2 server and executes the commands it receives from it.
The backdoor lives in SolarWinds.Orion.Core.BusinessLayer.dll, a component that carries a valid SolarWinds digital signature, which is what makes this a supply chain attack: the malicious code is delivered and installed by the legitimate software's own update routine, and nothing about the file's signature or origin looks suspicious to the system.
Update package containing SolarWinds.Orion.Core.BusinessLayer.dll, query made: December 14, 2020
After installation the backdoor stays dormant for 12 to 14 days before it first tries to reach its C2 server, a subdomain of avsvmcloud[.]com. It can then execute a set of commands that gather information about the system configuration, transfer and execute files, reboot the machine and disable system services. These commands are grouped as "Jobs".
List of jobs to be executed
Communication with the C2 servers is done over HTTP traffic made to look like that of a legitimate product, in particular the Orion Improvement Program (OIP) protocol, so that it blends in with the telemetry the Orion platform normally sends. The function responsible for communicating with the C2 is HttpHelper.Initialize.
Part of the HttpHelper.Initialize function
Furthermore, as part of its normal operation the malware checks the names of running processes, services and drivers against a list of known antivirus and forensic tools, and changes its behaviour when it finds them (holding off, or attempting to disable the service) rather than running in plain view of an analyst.
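The tool check described above is usually done against a list of hashed names, so that the strings of the tools being looked for never appear in the binary. The block below is an added example of that mechanism, not SolarWinds or FireEye code: it hashes process names with standard 64-bit FNV-1a (SUNBURST uses its own hash variant, which the page does not describe), the normalisation step (lower-case, no path, no .exe) and the tool names are assumptions made for the example, and the process snapshots are constructed input. The second half shows the analyst-side counterpart, recovering names from the hashes with a wordlist.

```python
"""Hashed process blocklist, as an illustration of how an implant looks for
security and forensic tools without storing their names in clear.

Added example, not SolarWinds or FireEye code. The hash is plain 64-bit FNV-1a
(assumed for the example; the real malware uses its own variant), the name
normalisation and the tool list are assumptions, and the process snapshots
are constructed sample input."""

FNV64_OFFSET = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1


def fnv1a_64(data: bytes) -> int:
    """Standard 64-bit FNV-1a: XOR each byte in, then multiply by the prime."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h


def name_hash(name: str) -> int:
    """Hash a process name after the normalisation assumed here: lower-case,
    no path, no .exe extension, so 'C:\\Tools\\ProcMon.exe' and 'procmon' collide."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if base.endswith(".exe"):
        base = base[:-4]
    return fnv1a_64(base.encode())


# Constructed sample of tool names an implant might look for (hypothetical list).
SAMPLE_TOOLS = ["procmon", "procexp", "wireshark", "autoruns", "x64dbg", "ida64"]

# What ends up in the binary: only 64-bit integers, no strings for a YARA rule to match.
BLOCKLIST = {name_hash(n) for n in SAMPLE_TOOLS}


def blocked_processes(running_names):
    """Implant side: the running processes whose hash is on the blocklist."""
    return [p for p in running_names if name_hash(p) in BLOCKLIST]


def recover_names(hashes, wordlist):
    """Analyst side: map hashes back to names by hashing a candidate wordlist.
    Hashes with no matching candidate map to None."""
    table = {name_hash(w): w for w in wordlist}
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    # Constructed process snapshot, not a real host.
    snapshot = ["svchost.exe", "C:\\Tools\\Wireshark.exe", "explorer.exe", "x64dbg.exe"]
    print("blocked:", blocked_processes(snapshot))
    candidates = ["wireshark", "procmon", "notepad", "x64dbg"]
    for h, n in recover_names(sorted(BLOCKLIST), candidates).items():
        print(f"{h:016x} -> {n}")
```

The recovery step is the reason hashed blocklists only slow an analyst down: the input space (names of known security tools) is small enough that a dictionary of a few thousand candidates resolves most entries, which is exactly how the tools SUNBURST avoids were identified.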
As part of their report, the investigators pointed out that in some samples the attackers used a dropper with a different mode of operation. FireEye named it TEARDROP. It runs as a service, creates a thread and reads the file "gracious_truth.jpg", which carries a fake JPEG header. The dropper decodes an embedded payload with a custom rolling XOR algorithm and manually loads a further embedded payload into memory, stored in a custom PE-like format rather than as a regular executable. One hypothesis is that its main purpose is to execute a customized Cobalt Strike BEACON.
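To make the two tricks in that description concrete (a file whose first bytes say "JPEG" but whose content is ciphertext, and a rolling XOR decode), the block below is an added example and not TEARDROP's code. The page gives neither the dropper's key schedule nor its file layout, so the scheme here is an assumption chosen to show what "rolling" means: an 8-byte key whose bytes advance by one on every full pass over the key. The header, key and payload are constructed data. The last function is the analyst-side check a practitioner wants: walking the JPEG marker chain instead of trusting the magic bytes.

```python
"""Payload hidden behind a fake image header and decoded with a rolling XOR,
in the style FireEye describes for TEARDROP.

Added example, not TEARDROP's code. The key schedule, file layout, key and
payload below are assumptions and constructed data for illustration."""

import struct

# Bytes a genuine JPEG starts with: SOI (FF D8) followed by an APP0 "JFIF"
# segment. A file carrying only this prefix passes a magic-bytes check.
APP0_BODY = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
FAKE_JPEG_HEADER = b"\xff\xd8\xff\xe0" + struct.pack(">H", 2 + len(APP0_BODY)) + APP0_BODY

SAMPLE_KEY = bytes.fromhex("5a3c9e17b2d4f008")  # assumed 8-byte key
SAMPLE_PAYLOAD = b"MZ-like custom format payload, constructed for the example"


def rolling_xor(data: bytes, key: bytes) -> bytes:
    """Symmetric rolling XOR: byte i uses key[i % len(key)] advanced by one for
    each complete pass over the key, so the keystream is not a plain repeat."""
    out = bytearray(len(data))
    n = len(key)
    for i, b in enumerate(data):
        k = (key[i % n] + i // n) & 0xFF
        out[i] = b ^ k
    return bytes(out)


def wrap_payload(payload: bytes, key: bytes = SAMPLE_KEY) -> bytes:
    """Produce the on-disk file: fake JPEG header followed by the encoded payload."""
    return FAKE_JPEG_HEADER + rolling_xor(payload, key)


def unwrap_payload(blob: bytes, key: bytes = SAMPLE_KEY) -> bytes:
    """What the dropper's thread does after reading the file: skip the header, decode."""
    if blob[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG-like file")
    return rolling_xor(blob[len(FAKE_JPEG_HEADER):], key)


def looks_like_real_jpeg(blob: bytes) -> bool:
    """Analyst-side check that goes past the magic bytes: walk the marker
    chain. Real segments link up to SOS or EOI; a fake header followed by
    ciphertext breaks on the first byte that is not a 0xFF marker prefix."""
    if blob[:2] != b"\xff\xd8":
        return False
    pos = 2
    while pos + 2 <= len(blob):
        if blob[pos] != 0xFF:
            return False
        marker = blob[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI, or SOS (entropy-coded data follows)
            return True
        if pos + 4 > len(blob):
            return False
        (length,) = struct.unpack(">H", blob[pos + 2:pos + 4])
        if length < 2:
            return False
        pos += 2 + length
    return False


if __name__ == "__main__":
    on_disk = wrap_payload(SAMPLE_PAYLOAD)
    print("magic says JPEG:", on_disk[:2] == b"\xff\xd8")
    print("marker chain valid:", looks_like_real_jpeg(on_disk))
    print("decoded:", unwrap_payload(on_disk))
```

The point of the marker walk is that "has a JPEG header" and "is a JPEG" are different questions; a hunt for lure files like gracious_truth.jpg should ask the second one, since the first is exactly what the fake header is designed to satisfy.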
Detection and Kill Switch
The affected versions of SolarWinds Orion are those released between March and June 2020 (from 2019.4 HF5 to 2020.2.1). Both FireEye and other companies have shared detection rules for this malware; FireEye's can be found on its GitHub page. Volexity, for its part, attributed the attack to the group it tracks as Dark Halo and published details of the set of commands the attackers executed.
YARA rules for the detection of the TEARDROP dropper (https://github.com/fireeye/sunburst_countermeasures/blob/main/all-yara.yar)
Description of detection rules for one of the samples available on VirusTotal
Microsoft, FireEye and GoDaddy then collaborated on a kill switch for the backdoor after taking control of the domain the malware uses to contact its C2 (avsvmcloud[.]com). The kill switch relies on DNS resolution: under GoDaddy's control every subdomain resolves to 20.140.0.1, which falls inside one of the IP ranges the malware treats as blocked (20.140.0.0/15), so the backdoor terminates and will not run again. This kill switch for the SUNBURST/Solorigate backdoor does not, however, remove any additional persistence mechanisms the attackers may have established on a network they had already reached through it.
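The mechanism is simple enough to reproduce, and reproducing it gives a defender two useful things: a check that the sinkhole address really does land in a blocked range, and a way to read DNS telemetry for the C2 domain in terms of what the backdoor would have done. The block below is an added example, not the malware's or the vendors' code. The blocklist is limited to the 20.140.0.0/15 range the text mentions plus the private and multicast ranges (the malware's full list is longer), and the DNS log lines, client names and generated subdomain are constructed sample data.

```python
"""How the SUNBURST kill switch works, and how to read it in DNS telemetry.

Added example, not the malware's or the vendors' code. The blocked ranges are
a subset (the range containing the sinkhole, plus private and multicast);
the DNS log, client names and subdomain below are constructed sample data."""

import ipaddress
import re

# Ranges whose presence in a DNS answer makes the backdoor give up (subset).
BLOCKED_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # private
    "224.0.0.0/3",                                   # multicast and above
    "20.140.0.0/15",                                 # range containing the sinkhole
)]

SINKHOLE = "20.140.0.1"  # address every avsvmcloud[.]com subdomain now resolves to
C2_DOMAIN = "avsvmcloud.com"


def kill_switch_triggers(answer: str) -> bool:
    """True if a resolved address makes the backdoor terminate."""
    ip = ipaddress.ip_address(answer)
    return any(ip in net for net in BLOCKED_RANGES)


def is_c2_query(name: str) -> bool:
    """Match the C2 domain itself or any subdomain of it."""
    n = name.lower().rstrip(".")
    return n == C2_DOMAIN or n.endswith("." + C2_DOMAIN)


# Constructed resolver log, one query per line: "<time> <client> <name> <answer>".
SAMPLE_DNS_LOG = """\
2020-12-10T09:12:01Z srv-orion-01 k6hzx8m3qd.appsync-api.eu-west-1.avsvmcloud.com 203.0.113.45
2020-12-10T09:12:05Z wks-042 www.example.com 198.51.100.7
2020-12-16T11:40:33Z srv-orion-01 k6hzx8m3qd.appsync-api.eu-west-1.avsvmcloud.com 20.140.0.1
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def triage_dns_log(text: str):
    """Return (time, client, name, answer, verdict) for every query to the C2
    domain. 'active' means the backdoor got a usable answer at that time;
    'terminated' means the kill switch fired on that answer."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, name, answer = m.groups()
        if not is_c2_query(name):
            continue
        verdict = "terminated" if kill_switch_triggers(answer) else "active"
        findings.append((ts, client, name, answer, verdict))
    return findings


def hosts_seen_active(text: str):
    """Clients that reached the C2 with a non-blocked answer at least once.
    These need investigation regardless of any later 'terminated' verdict."""
    return sorted({f[1] for f in triage_dns_log(text) if f[4] == "active"})


if __name__ == "__main__":
    print("sinkhole kills backdoor:", kill_switch_triggers(SINKHOLE))
    for f in triage_dns_log(SAMPLE_DNS_LOG):
        print(*f)
    print("investigate:", hosts_seen_active(SAMPLE_DNS_LOG))
```

The last function is the caveat from the text in code form: a host whose queries resolve to the sinkhole today is one the kill switch stopped, but if the same host got a live answer earlier, the attackers may already have moved beyond the backdoor, and that earlier line is the one that matters.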
The supply chain attack on SolarWinds software shows that actively monitoring running systems and processes is critical. The malware waits about two weeks before becoming active, long enough for the update to be rolled out widely and for its activity to be separated in time from the update that brought it in. Its camouflage rests on the application that hosts it, which the system regards as trusted, so monitoring systems could fail to notice its traffic for quite some time.
Although the impact of this malware is only now beginning to be discovered, its preparation took much longer. It is also worth noting that SolarWinds reported having around 33,000 Orion customers, of which fewer than 18,000 are believed to have installed a trojanized version. This points to another problem with this kind of attack: the damage is not confined to the infrastructure that installed the update, but can spread from there into the networks that trust it.