“Sunspot” and “Raindrop”: More malware in the SolarWinds attack chain discovered

Source: Heise.de added 20th Jan 2021


Since the end of last year, security researchers, companies and government agencies have been intensively analysing the supply chain attack on the SolarWinds Orion software, which criminal hackers used to successfully compromise the networks of large companies and public authorities. Over the past few weeks, these analyses have uncovered further malware families used in the course of the attacks: “Sunburst” and “Teardrop” have been joined by “Sunspot” and “Raindrop”; the analysed samples date from last year.

Long known: Sunburst and Teardrop

Sunburst is the backdoor that was delivered through manipulated Orion software updates and, once installed, gave the attackers remote access to the compromised systems.

For some Sunburst variants, Microsoft and FireEye had already built a kill switch in mid-December 2020. It did not, however, avert the danger for systems that were already compromised: the kill switch only works against Sunburst variants that communicate with a specific domain registered by Microsoft.

Beyond the backdoor itself, Sunburst can also load further malicious code onto the system. According to FireEye’s Sunburst analysis from mid-December 2020, one of the payloads at the time was Teardrop. Teardrop is in turn a dropper that, at least at the time of the December analysis, typically extracted a component of the Cobalt Strike software (Beacon) from itself. Cobalt Strike is actually a penetration testing tool; in this case Beacon served the attackers for reconnaissance and as the channel over which they communicated with the compromised system.

Newly discovered: Sunspot and Raindrop

Malware analysts at CrowdStrike published a detailed blog post on Sunspot, another malware family, last week. Sunspot is no longer an active threat: the attackers apparently used it in February 2020, after gaining access to Orion’s software build system, to inject the Sunburst code into Orion updates as they were being built. The prepared updates were then distributed to SolarWinds customers primarily in the period from March to June 2020.
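The attack Sunspot carried out, swapping a source file while the build is running so that the compiler picks up the attacker’s code, is the kind of tampering a build pipeline can catch by pinning the digest of every file that is allowed to enter the build and re-checking the tree immediately before compilation. The following script is an added example and not code from SolarWinds, CrowdStrike or the Heise article; it assumes a trusted manifest of SHA-256 digests is stored and signed out of band, and the directory layout and file names (Core/Collector.cs, Core/Scheduler.cs, Core/Extra.cs) are constructed for illustration only.

```python
"""Build-input integrity check: detect a Sunspot-style source swap before compiling.

Added example, not SolarWinds or CrowdStrike code. Assumes the build pipeline holds
a trusted manifest of SHA-256 digests for every source file allowed into the build;
the file names in demo() are constructed for illustration.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large sources do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path, suffixes: Iterable[str] = (".cs",)) -> Dict[str, str]:
    """Map each source file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    digests: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix in suffixes:
            digests[p.relative_to(root).as_posix()] = sha256_file(p)
    return digests


def verify_manifest(expected: Dict[str, str], actual: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the trusted manifest with what is on disk right before compilation.

    modified:   present in both but with a different digest (a swapped source file,
                which is how Sunspot got the Sunburst code into the Orion build)
    missing:    listed in the manifest but absent from disk
    unexpected: on disk but not authorised by the manifest
    """
    return {
        "modified": sorted(f for f in expected if f in actual and expected[f] != actual[f]),
        "missing": sorted(f for f in expected if f not in actual),
        "unexpected": sorted(f for f in actual if f not in expected),
    }


def build_is_clean(expected: Dict[str, str], actual: Dict[str, str]) -> bool:
    """True only if every category of difference is empty; the build should abort otherwise."""
    return not any(verify_manifest(expected, actual).values())


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a trusted tree, then one file replaced and one added mid-build."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "Core").mkdir()
        (root / "Core" / "Collector.cs").write_text("class Collector { }\n")
        (root / "Core" / "Scheduler.cs").write_text("class Scheduler { }\n")
        manifest = hash_tree(root)  # in a real pipeline: produced at commit time and signed
        # Attacker swaps a source file and drops an extra one while the compiler is running.
        (root / "Core" / "Collector.cs").write_text("class Collector { /* backdoor */ }\n")
        (root / "Core" / "Extra.cs").write_text("class Extra { }\n")
        return verify_manifest(manifest, hash_tree(root))


if __name__ == "__main__":
    print(demo())
```

The check is only as strong as the manifest’s provenance: it must be generated from the reviewed commit and signed by something the build host cannot forge, and the comparison has to run on the same host immediately before the compiler is invoked, otherwise a build-server implant can still swap the file in the window between check and compile.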

The name of the fourth malware family, Raindrop, already suggests that it too is a dropper. Symantec describes Raindrop in an analysis from last Monday and compares the dropper in detail with Teardrop. Both were used in the middle of last year, after the Sunburst backdoor had been installed, to load the Cobalt Strike Beacon, albeit in different configurations. They differ in their obfuscation mechanisms and in how the payload is embedded in and encrypted within their own code.

According to Symantec, the most important difference is this: while Teardrop was used on the computers on which Sunburst had previously been installed, Raindrop apparently served primarily to install the payload on other systems in the network and thus to extend the attackers’ reach.

Attackers are looking for new ways

Further information for those interested and affected, such as indicators of compromise and dedicated YARA rules, can be found in the linked analyses. They make clear that Sunburst is, so to speak, the centre of the four malware families known to date: the malicious code “opened the door” for the attackers and may still be holding it open on some systems.

Whether and to what extent the malware is still relevant to the attackers at this point is unclear: researchers already pointed out in December that, given the interrupted supply chain and the publication of the Sunburst details, the group had quickly switched to other strategies in order to secure permanent backdoor access to the compromised systems. Recently, a new initial attack path independent of the Orion software became known. This underlines the flexibility of the attackers and shows that they continue to pose a great risk, even to companies that have not been affected so far.

(ovw)

Read the full article at Heise.de

