Sunburst is a trojanized DLL designed to fit within the SolarWinds Orion software update framework. It was used by UNC2452 since at least February 2020.[1][2]

ID: S0559
Platforms: Windows
Contributors: Matt Brenton, Zurich Insurance Group
Version: 1.0
Created: 05 January 2021
Last Modified: 25 January 2021

Techniques Used

Domain ID Name Use
Enterprise T1071 .004 Application Layer Protocol: DNS

Sunburst used DNS for C2 traffic designed to mimic normal SolarWinds API communications.[3]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Sunburst communicated via HTTP GET or HTTP POST requests to third-party servers for C2.[3]

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

Sunburst used VBScripts to initiate the execution of payloads.[2]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Sunburst used Base64 encoding in its C2 traffic.[3]

Enterprise T1005 Data from Local System

Sunburst collected information from a compromised host.[4][3]

Enterprise T1001 .003 Data Obfuscation: Protocol Impersonation

Sunburst masqueraded its network traffic as the Orion Improvement Program (OIP) protocol.[3]

Enterprise T1001 .002 Data Obfuscation: Steganography

Sunburst C2 data attempted to appear as benign XML related to .NET assemblies or as a faux JSON blob.[3][5][6]

Enterprise T1001 .001 Data Obfuscation: Junk Data

Sunburst added junk bytes to its C2 over HTTP.[3]

Enterprise T1568 Dynamic Resolution

Sunburst dynamically resolved C2 infrastructure for randomly generated subdomains within a parent domain.[3]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Sunburst encrypted C2 traffic using a single-byte-XOR cipher.[3]

Enterprise T1546 .012 Event Triggered Execution: Image File Execution Options Injection

Sunburst created an Image File Execution Options (IFEO) Debugger registry value for the process dllhost.exe to trigger the installation of Cobalt Strike.[2]

Enterprise T1083 File and Directory Discovery

Sunburst had commands to enumerate files and directories.[3][4]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Sunburst attempted to disable security software services after checking them against a hardcoded blocklist of FNV-1a + XOR hashes.[5]

Enterprise T1070 Indicator Removal on Host

Sunburst removed IFEO values to clean up traces of execution.[2]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

Sunburst had a command to delete files.[3][4]

Enterprise T1105 Ingress Tool Transfer

Sunburst delivered different payloads, including Teardrop in at least one instance.[3]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Sunburst created VBScripts that were named after existing services or folders to blend into legitimate activities.[2]

Enterprise T1112 Modify Registry

Sunburst had commands that allowed an attacker to write or delete registry keys, and was observed stopping services by setting their HKLM\SYSTEM\CurrentControlSet\services\[service_name]\Start registry entries to the value 4.[3][4] It also deleted previously created Image File Execution Options (IFEO) Debugger registry values and registry keys related to HTTP proxy settings to clean up traces of its activity.[2]

Enterprise T1027 Obfuscated Files or Information

Sunburst strings were compressed and encoded in Base64.[4] Sunburst also obfuscated collected system information using an FNV-1a + XOR algorithm.[3]

Enterprise T1027 .005 Obfuscated Files or Information: Indicator Removal from Tools

Sunburst source code used generic variable names and pre-obfuscated strings, and was likely sanitized of developer comments before being added to Sunspot.[7]

Enterprise T1057 Process Discovery

Sunburst collected a list of process names, hashed each with an FNV-1a + XOR algorithm, and checked the results against similarly hashed hardcoded blocklists.[3]

Enterprise T1012 Query Registry

Sunburst collected the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid from compromised hosts.[3]

Enterprise T1218 .011 Signed Binary Proxy Execution: Rundll32

Sunburst used Rundll32 to execute payloads.[2]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Sunburst checked for a variety of antivirus/endpoint detection agents prior to execution.[4][5]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Sunburst was digitally signed by SolarWinds from March to May 2020.[3]

Enterprise T1082 System Information Discovery

Sunburst collected hostname, OS version, and device uptime.[3][4]

Enterprise T1016 System Network Configuration Discovery

Sunburst collected the MAC addresses of all network interfaces that were up and not loopback devices, as well as IP address, DHCP configuration, and domain information.[3]

Enterprise T1033 System Owner/User Discovery

Sunburst collected the username from a compromised host.[3][4]

Enterprise T1007 System Service Discovery

Sunburst collected a list of service names, hashed each with an FNV-1a + XOR algorithm, and checked the results against similarly hashed hardcoded blocklists.[3]
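The hashed-blocklist check referenced under T1562.001, T1057 and T1007, as an added example (not code from this page or from the malware): a name is hashed with FNV-1a, XORed with a fixed key, and compared against stored hashes, so the binary never carries the plaintext names; analysts recover those names by hashing a wordlist of candidate security-tool processes and keeping the hits. 64-bit FNV-1a over the lowercased name is assumed, and the XOR key and sample names are constructed placeholders, not the values used by Sunburst.

```python
# FNV-1a + XOR hashed blocklist: the check as described on the page, and the
# analyst-side inversion used to learn which tools a blocklist targets.
# Added example; XOR_KEY and the sample names are constructed placeholders.

FNV64_OFFSET = 0xCBF29CE484222325   # standard 64-bit FNV-1a parameters
FNV64_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1
XOR_KEY = 0x0123456789ABCDEF       # constructed placeholder, not Sunburst's key


def fnv1a_64(data: bytes) -> int:
    """Plain 64-bit FNV-1a over a byte string."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h


def blocklist_hash(name: str, key: int = XOR_KEY) -> int:
    """Hash a process/service name the way a hashed blocklist does: lowercase
    it, apply FNV-1a, then XOR with a fixed key so the stored values no longer
    look like bare FNV hashes of well-known strings."""
    return fnv1a_64(name.lower().encode("utf-8")) ^ key


def matches_blocklist(running: list[str], blocklist: set[int]) -> list[str]:
    """The comparison side: which observed names hash into the blocklist.
    Only hashes are compared, so the plaintext names need not be present."""
    return [n for n in running if blocklist_hash(n) in blocklist]


def recover_names(blocklist: set[int], candidates: list[str]) -> dict[int, str]:
    """The analyst side: hash a wordlist of known security-tool process names
    and keep those whose hash appears in the blocklist, mapping hash -> name."""
    return {blocklist_hash(c): c for c in candidates if blocklist_hash(c) in blocklist}


# Constructed sample: a blocklist built from two placeholder names.
SAMPLE_BLOCKLIST = {blocklist_hash("toolA.exe"), blocklist_hash("toolB.exe")}
SAMPLE_WORDLIST = ["explorer.exe", "toolA.exe", "other.exe", "toolB.exe"]
```

Because every comparison goes through the same lowercase step, a process named TOOLA.EXE matches the same entry as toola.exe; the recovery function returns the candidate spelling as given in the wordlist.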

Enterprise T1497 .003 Virtualization/Sandbox Evasion: Time Based Evasion

Sunburst remained dormant after initial access for a period of up to two weeks.[3]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

Sunburst checked the domain name of the compromised host to verify it was running in a real environment.[4]

Enterprise T1047 Windows Management Instrumentation

Sunburst used the WMI query Select * From Win32_SystemDriver to retrieve a driver listing.[3]

Groups That Use This Software

ID Name References
G0118 UNC2452