S0559 SUNBURST
SUNBURST is a trojanized DLL designed to fit within the SolarWinds Orion software update framework. It was used by APT29 since at least February 2020.32
| Item | Value |
|---|---|
| ID | S0559 |
| Associated Names | Solorigate |
| Type | MALWARE |
| Version | 2.2 |
| Created | 05 January 2021 |
| Last Modified | 19 April 2022 |
| Navigation Layer | View In ATT&CK® Navigator |
Associated Software Descriptions
| Name | Description |
|---|---|
| Solorigate | 2 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | SUNBURST communicated via HTTP GET or HTTP POST requests to third party servers for C2.1 |
| enterprise | T1071.004 | DNS | SUNBURST used DNS for C2 traffic designed to mimic normal SolarWinds API communications.1 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.005 | Visual Basic | SUNBURST used VBScripts to initiate the execution of payloads.2 |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | SUNBURST used Base64 encoding in its C2 traffic.1 |
| enterprise | T1005 | Data from Local System | SUNBURST collected information from a compromised host.41 |
| enterprise | T1001 | Data Obfuscation | - |
| enterprise | T1001.001 | Junk Data | SUNBURST added junk bytes to its C2 over HTTP.1 |
| enterprise | T1001.002 | Steganography | SUNBURST C2 data attempted to appear as benign XML related to .NET assemblies or as a faux JSON blob.156 |
| enterprise | T1001.003 | Protocol Impersonation | SUNBURST masqueraded its network traffic as the Orion Improvement Program (OIP) protocol.1 |
| enterprise | T1568 | Dynamic Resolution | SUNBURST dynamically resolved C2 infrastructure for randomly-generated subdomains within a parent domain.1 |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | SUNBURST encrypted C2 traffic using a single-byte-XOR cipher.1 |
| enterprise | T1546 | Event Triggered Execution | - |
| enterprise | T1546.012 | Image File Execution Options Injection | SUNBURST created an Image File Execution Options (IFEO) Debugger registry value for the process dllhost.exe to trigger the installation of Cobalt Strike.2 |
| enterprise | T1083 | File and Directory Discovery | SUNBURST had commands to enumerate files and directories.14 |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | SUNBURST attempted to disable software security services following checks against a FNV-1a + XOR hashed hardcoded blocklist.5 |
| enterprise | T1070 | Indicator Removal on Host | SUNBURST removed IFEO and HTTP proxy registry values to clean up traces of execution. SUNBURST also removed the firewall rules it created during execution.2 |
| enterprise | T1070.004 | File Deletion | SUNBURST had a command to delete files.14 |
| enterprise | T1105 | Ingress Tool Transfer | SUNBURST delivered different payloads, including TEARDROP in at least one instance.1 |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | SUNBURST created VBScripts that were named after existing services or folders to blend into legitimate activities.2 |
| enterprise | T1112 | Modify Registry | SUNBURST had commands that allow an attacker to write or delete registry keys, and was observed stopping services by setting their HKLM\SYSTEM\CurrentControlSet\services\[service_name]\Start registry entries to value 4.14 It also deleted previously-created Image File Execution Options (IFEO) Debugger registry values and registry keys related to HTTP proxy to clean up traces of its activity.2 |
| enterprise | T1027 | Obfuscated Files or Information | SUNBURST strings were compressed and encoded in Base64.4 SUNBURST also obfuscated collected system information using a FNV-1a + XOR algorithm.1 |
| enterprise | T1027.005 | Indicator Removal from Tools | SUNBURST source code used generic variable names and pre-obfuscated strings, and was likely sanitized of developer comments before being added to SUNSPOT.7 |
| enterprise | T1057 | Process Discovery | SUNBURST collected a list of process names that were hashed using a FNV-1a + XOR algorithm to check against similarly-hashed hardcoded blocklists.1 |
| enterprise | T1012 | Query Registry | SUNBURST collected the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid from compromised hosts.1 |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | SUNBURST checked for a variety of antivirus/endpoint detection agents prior to execution.45 |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.002 | Code Signing | SUNBURST was digitally signed by SolarWinds from March - May 2020.1 |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.011 | Rundll32 | SUNBURST used Rundll32 to execute payloads.2 |
| enterprise | T1082 | System Information Discovery | SUNBURST collected hostname, OS version, and device uptime.14 |
| enterprise | T1016 | System Network Configuration Discovery | SUNBURST collected all network interface MAC addresses that are up and not loopback devices, as well as IP address, DHCP configuration, and domain information.1 |
| enterprise | T1033 | System Owner/User Discovery | SUNBURST collected the username from a compromised host.14 |
| enterprise | T1007 | System Service Discovery | SUNBURST collected a list of service names that were hashed using a FNV-1a + XOR algorithm to check against similarly-hashed hardcoded blocklists.1 |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.001 | System Checks | SUNBURST checked the domain name of the compromised host to verify it was running in a real environment.4 |
| enterprise | T1497.003 | Time Based Evasion | SUNBURST remained dormant after initial access for a period of up to two weeks.1 |
| enterprise | T1047 | Windows Management Instrumentation | SUNBURST used the WMI query Select * From Win32_SystemDriver to retrieve a driver listing.1 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0016 | APT29 | 189 |
References
-
FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021. ↩↩↩↩↩↩↩↩
-
Sudhakar Ramakrishna . (2021, January 11). New Findings From Our Investigation of SUNBURST. Retrieved January 13, 2021. ↩
-
MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021. ↩↩↩↩↩↩↩↩↩
-
Stephen Eckels, Jay Smith, William Ballenthin. (2020, December 24). SUNBURST Additional Technical Details. Retrieved January 6, 2021. ↩↩↩
-
Symantec Threat Hunter Team. (2021, January 22). SolarWinds: How Sunburst Sends Data Back to the Attackers. Retrieved January 22, 2021. ↩
-
CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021. ↩
-
Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021. ↩
-
Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022. ↩