At a glance.
- Possible ties between Sunburst and Turla backdoor.
- A look at the malware used to insert Sunburst into SolarWinds Orion.
- APT37 uses self-decoding macros to inject RokRat.
Possible ties between Sunburst and Turla backdoor.
Researchers at Kaspersky have identified possible links between the Sunburst malware used in the Solarigate incident and the Kazuar backdoor used by the Russian APT Turla. Kazuar is a .NET backdoor first identified by Palo Alto Networks' Unit 42 in 2017. Its most recent version was spotted by Kaspersky on December 29th, 2020. Its similarities to Sunburst involve "the victim UID generation algorithm, the sleeping algorithm, and the extensive usage of the FNV-1a hash."
Both strains of malware create a unique victim identifier by computing an MD5 hash of a host-specific string and then applying an XOR operation to the hash, although Kazuar and Sunburst each do this slightly differently. Kazuar and Sunburst also use "exactly the same formula" to delay the initial connection to their command-and-control server, although Sunburst's implementation of the sleeping algorithm is slightly simpler. Finally, both use a modified 64-bit FNV-1a hash in place of plaintext strings throughout their code: the binaries carry only hash values and compare hashes at run time, so the strings of interest never appear in the clear and are harder to recover by static analysis.
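The two hashing techniques described above, as an added example (this is not Kaspersky's code and not the malware's): a plain 64-bit FNV-1a, a "modified" variant, the wordlist lookup an analyst runs to recover hashed strings from a sample, and an MD5-then-XOR victim ID. The extra XOR constant, the XOR fold of the MD5 digest, the wordlist and the demo key are all assumptions for illustration; the page does not give the exact modifications either family uses.

```python
"""Added example (not Kaspersky's code and not the malware's): the two hashing
tricks the text describes, plus the wordlist attack an analyst uses to recover
FNV-1a-hashed strings from a sample. All inputs below are constructed."""
import hashlib

FNV64_OFFSET = 0xCBF29CE484222325  # standard 64-bit FNV offset basis
FNV64_PRIME = 0x100000001B3        # standard 64-bit FNV prime
MASK64 = (1 << 64) - 1


def fnv1a_64(data: bytes) -> int:
    """Plain 64-bit FNV-1a: XOR each byte in, then multiply by the prime."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h


def modified_fnv1a_64(data: bytes, xor_key: int) -> int:
    """A 'modified' FNV-1a. The extra XOR with a constant is an ASSUMED
    illustration of what such a tweak looks like; the page does not give the
    exact modification used by either Kazuar or Sunburst."""
    return fnv1a_64(data) ^ xor_key


def recover_hashed_strings(hashes, candidates, xor_key):
    """Defender side: a binary that compares hashes instead of strings still
    has to hash the same inputs, so hash a candidate wordlist and look the
    sample's constants up. Returns {hash: recovered_string_or_None}."""
    table = {modified_fnv1a_64(c.encode(), xor_key): c for c in candidates}
    return {h: table.get(h) for h in hashes}


def victim_uid(mac: str, domain: str, machine_guid: str) -> str:
    """MD5 of a host-specific string, then an XOR step. Folding the 16-byte
    digest into 8 bytes with XOR is one concrete reading of 'an XOR operation
    on the hash'; it is illustrative, not either malware's exact formula."""
    digest = hashlib.md5(f"{mac}{domain}{machine_guid}".encode()).digest()
    folded = bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))
    return folded.hex()


# Constructed demo data: a made-up XOR key and a small analyst wordlist.
DEMO_KEY = 0x5A5A5A5A5A5A5A5A
DEMO_WORDLIST = ["procexp.exe", "wireshark.exe", "x64dbg.exe", "notepad.exe"]


def demo():
    """Two 'blocklist' constants as they would be pulled from a sample; the
    second one is deliberately absent from the wordlist and stays unresolved."""
    blocklist = [modified_fnv1a_64(b"wireshark.exe", DEMO_KEY),
                 modified_fnv1a_64(b"ida64.exe", DEMO_KEY)]
    return recover_hashed_strings(blocklist, DEMO_WORDLIST, DEMO_KEY)


if __name__ == "__main__":
    print(hex(fnv1a_64(b"a")))  # standard FNV-1a 64 test vector
    print(demo())
    print(victim_uid("00-11-22-33-44-55", "corp.example", "GUID-1"))
```

The practical point for analysts is the lookup table: once the hash routine (including its tweak) is lifted from the sample, every candidate string, whether process names, service names or domains, is hashed the same way and matched against the constants in the binary, which is how such hashed lists are normally recovered.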
Kaspersky notes that while these features are unusual, they aren't unique to these two strains of malware. As a result, the researchers are careful to avoid attributing Sunburst to Turla based on this evidence, noting that the group behind Sunburst displayed outstanding operational security and could have included these features as false flags. The researchers lay out the following possibilities:
- "Sunburst was developed by the same group as Kazuar.
- "The Sunburst developers adopted some ideas or code from Kazuar, without having a direct connection (they used Kazuar as an inspiration point).
- "Both groups, DarkHalo/UNC2452 and the group using Kazuar, obtained their malware from the same source.
- "Some of the Kazuar developers moved to another team, taking knowledge and tools with them.
- "The Sunburst developers introduced these subtle links as a form of false flag, in order to shift blame to another group."
Kaspersky concludes, "At the moment, we do not know which one of these options is true. While Kazuar and Sunburst may be related, the nature of this relation is still not clear. Through further analysis, it is possible that evidence confirming one or several of these points might arise."
A look at the malware used to insert Sunburst into SolarWinds Orion.
CrowdStrike describes Sunspot, an implant that was used by the SolarWinds hackers to insert their Sunburst malware into SolarWinds' Orion software. The malware was placed on the company's software build servers, where it would monitor "running processes for those involved in compilation of the Orion product and [replace] one of the source files to include the SUNBURST backdoor code." Sunspot seems to have been compiled on February 20, 2020, according to its build timestamp, which CrowdStrike says "is consistent with the currently assessed StellarParticle supply chain attack timeline." (StellarParticle is CrowdStrike's name for the activity cluster associated with this cyberespionage campaign.)
The researchers explain, "After initialization, SUNSPOT monitors running processes for instances of MsBuild.exe, which is part of Microsoft Visual Studio development tools... When SUNSPOT finds an MsBuild.exe process, it will spawn a new thread to determine if the Orion software is being built and, if so, hijack the build operation to inject SUNBURST. The monitoring loop executes every second, allowing SUNSPOT to modify the target source code before it has been read by the compiler."
CrowdStrike also notes that Sunspot's developers took extensive measures to prevent their malware from causing errors in the Orion build process, in order to avoid drawing the attention of SolarWinds developers.
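The attack described above swaps a source file under the compiler, so the defensive counterpart is an integrity check on the bytes the compiler is about to read. The following is an added example (not CrowdStrike's or SolarWinds' code) of such a check: a trusted manifest taken at checkout, compared against the tree immediately before compilation. File names and contents are constructed.

```python
"""Added example, not CrowdStrike's or SolarWinds' code: a build-time
source-integrity check of the kind that would notice a source file being
swapped under the compiler. The file names and contents are constructed."""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file under root (POSIX-style relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff_manifest(trusted: dict, observed: dict) -> dict:
    """Compare the tree the compiler is about to read against the trusted
    manifest (for example one taken from the checked-out VCS revision)."""
    return {
        "modified": sorted(p for p in trusted if p in observed and trusted[p] != observed[p]),
        "added": sorted(p for p in observed if p not in trusted),
        "removed": sorted(p for p in trusted if p not in observed),
    }


def check_before_compile(root: Path, trusted: dict) -> dict:
    """Run immediately before the compiler reads the sources; any non-empty
    list in the result means the build must stop and be investigated."""
    return diff_manifest(trusted, build_manifest(root))


def demo() -> dict:
    """Simulate the scenario: trusted checkout, then a file swapped while the
    build is in progress, then the pre-compile check."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp)
        (src / "Service.cs").write_text("class Service { }\n")
        (src / "Helpers.cs").write_text("class Helpers { }\n")
        trusted = build_manifest(src)  # taken at checkout time
        # Something on the build host replaces a source file mid-build
        # and drops an extra one.
        (src / "Service.cs").write_text("class Service { /* injected */ }\n")
        (src / "Extra.cs").write_text("class Extra { }\n")
        return check_before_compile(src, trusted)


if __name__ == "__main__":
    print(demo())  # {'modified': ['Service.cs'], 'added': ['Extra.cs'], 'removed': []}
```

The caveat is timing: a check that runs once, before or after the build, can be raced by an implant that swaps the file after the check and puts the original back afterwards. Hash the bytes the compiler actually consumes (a compiler wrapper or a hook in the build step), or rebuild the same revision on an independent host and compare the artifacts, and treat any mismatch as a stop-the-line event rather than a warning.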
APT37 uses self-decoding macros to inject RokRat.
Malwarebytes outlines a campaign by APT37, a threat actor associated with North Korea, that targeted individuals associated with the South Korean government. Based on the content of the spearphishing lure, this campaign was run in January of 2020. The researchers note that in the past APT37 has used spearphishing documents created with Hangul Word Processor (HWP), a word processor widely used in South Korea, but in this case the group opted for Microsoft Office documents.
The attackers used a self-decoding macro in an Office document to inject a second macro into memory. That macro writes shellcode into the address space of Notepad, and the shellcode in turn downloads RokRat, a remote access Trojan that relies on cloud services for command and control, from Google Drive. RokRat's purpose is to steal information from the infected system.