The trojanized version of the SolarWinds update was named Sunburst. It was a digitally signed component of the Orion software framework that contained a backdoor that communicates over HTTP to third-party servers. Since it was coming from a trusted third-party provider and was digitally signed, it was installed by SolarWinds customers. In addition to having a backdoor, Sunburst also uses obfuscated blocklists to identify security and antivirus tools running as processes, services, and drivers.

The SuperNova malware was originally identified during the analysis of Sunburst and was assumed to be part of Sunburst. However, based on new analysis, the SuperNova malware is distinct from Sunburst and leverages a zero-day vulnerability to install a trojanized .net DLL. Unlike the Sunburst DLL, SuperNova is not digitally signed and this could have been a means for cyber analysts to identify it earlier on. The functionality is similar to Sunburst; the malware that is loaded is a web shell and acts as a backdoor providing persistent access to web servers. What makes this web shell difficult is that it is built to run in memory which makes it difficult to detect and for forensic analysts to find during post-breach activities. Many believe that the SuperNova malware may be the work of a completely different threat actor, which would mean that two threat actors were able to gain access via the same method. You can read a detailed breakdown of the malware here.

 

Furthermore, Sunburst has been connected to the Kazuar malware family, Kazuar was a .net-based malware first discovered by Palo Alto back in 2017. Research published by Kaspersky discovered that several of the features in Sunburst overlap with Kazuar. Kaspersky’s analysis has revealed the following similarities between Sunburst and Kazuar:

You can read the details of the connections between Sunburst and Kazuar here.

The Cybersecurity and Infrastructure Security Agency (CISA) has provided a regularly updated cybersecurity advisory on how to handle potential compromises associated with the SolarWinds outbreak, which can be found here. This advisory was released on December 17th and applies to government agencies, critical infrastructure, and private sector organizations. It provides regular updates on the investigation, mitigation guidance, indicators of compromise, and more. You can find some supplementary information on the CISA’s offerings here.

The effects of the SolarWinds breach have been extensive. Symantec, who also analyzed the attack, identified the trojanized software updates on over 2,000 computers at more than 100 customers. Fortunately, one killswitch has been identified and activated for one of the pieces of malware used by the threat actors as part of their attack. It has been found that the IP address that Sunburst communicates with resolves to the domain avsmcloud.com. A quote from a FireEye spokesperson to Security Week had this to say: “Depending on the IP address returned when the malware resolves avsvmcloud[.]com, under certain conditions, the malware would terminate itself and prevent further execution.” You can read more about this killswitch here.