Second-stage backdoor possibly linked to Solorigate campaign.
FireEye has identified a second-stage backdoor dubbed "SUNSHUTTLE" that the security firm thinks may be linked to the threat actor they track as UNC2452. UNC2452 has been associated with the SolarWinds supply chain exploitation, but FireEye stresses that its researchers "have not fully verified" a connection with SUNSHUTTLE.
The backdoor was "uploaded by a U.S.-based entity to a public malware repository in August 2020," and the researchers say the malware was observed at an entity that had been compromised by UNC2452. The researchers summarize, "SUNSHUTTLE is written in GO, and reads an embedded or local configuration file, communicates with a hard-coded command and control (C2) server over HTTPS, and supports commands including remotely uploading its configuration, file upload and download, and arbitrary command execution. Notably, SUNSHUTTLE uses cookie headers to pass values to the C2, and if configured, can select referrers from a list of popular website URLs to help such network traffic 'blend in.'"
FireEye adds, "The new SUNSHUTTLE backdoor is a sophisticated second-stage backdoor that demonstrates straightforward but elegant detection evasion techniques via its “blend-in” traffic capabilities for C2 communications. SUNSHUTTLE would function as second-stage backdoor in such a compromise for conducting network reconnaissance alongside other SUNBURST-related tools."
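The "blend-in" behaviour FireEye describes (borrowed Referer headers from popular sites, values smuggled in Cookie headers) is exactly what a proxy-log triage rule can look for. The following is an added example, not FireEye's or Microsoft's detection logic: it assumes a simplified, constructed tab-separated proxy log (timestamp, client, method, host, path, referer, cookie) and a hypothetical allowlist of popular referrer sites, and flags requests where a popular-site Referer points at an unrelated host while the Cookie carries a long, high-entropy value rather than ordinary name=value session data. Hosts seen by only one client in the sample are marked as rare to raise priority.

```python
"""Heuristic triage of web-proxy log lines for blend-in beacon patterns.

Added example; the log format, allowlist, thresholds and sample lines are all
constructed for illustration and are not taken from the FireEye or Microsoft reports.
"""
import math
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Popular sites a blend-in beacon might borrow as a Referer (constructed allowlist).
POPULAR_REFERERS = {"www.google.com", "www.bing.com", "www.facebook.com", "www.youtube.com"}
OPAQUE_MIN_LEN = 32       # cookie value length at which we start entropy-testing
OPAQUE_MIN_ENTROPY = 4.0  # bits/char; random base64- or hex-like strings score roughly 4-6

# Constructed sample log: ts, client, method, host, path, referer, cookie ("-" = absent).
SAMPLE_LOG = (
    "2020-08-12T10:01:02Z\t10.0.0.5\tGET\twww.youtube.com\t/watch?v=x\thttps://www.google.com/\tCONSENT=YES+1; PREF=f6=8\n"
    "2020-08-12T10:01:09Z\t10.0.0.7\tGET\tnews.example.net\t/article/42\thttps://www.google.com/\tsession=abc123\n"
    "2020-08-12T10:05:00Z\t10.0.0.9\tGET\tc2-placeholder.example\t/api/v1/status\thttps://www.facebook.com/\tid=Qm7xK2pZ9vLw4RtY8nHs3FgD6cJbE1uA\n"
    "2020-08-12T10:06:00Z\t10.0.0.9\tGET\tc2-placeholder.example\t/api/v1/status\thttps://www.bing.com/\tid=Qm7xK2pZ9vLw4RtY8nHs3FgD6cJbE1uA\n"
    "2020-08-12T10:07:13Z\t10.0.0.12\tGET\tlogin.example-corp.com\t/sso\t-\tSAML=Qm7xK2pZ9vLw4RtY8nHs3FgD6cJbE1uA\n"
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_domain(host: str) -> str:
    """Crude last-two-labels approximation; a real tool would use a public-suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def parse_line(line: str) -> dict:
    """Split one tab-separated log line into a record."""
    ts, client, method, host, path, referer, cookie = line.rstrip("\n").split("\t")
    return {"ts": ts, "client": client, "method": method, "host": host.lower(),
            "path": path, "referer": referer, "cookie": cookie}


def cookie_values(cookie: str) -> list:
    """Return the values of 'a=1; b=2'; a bare token without '=' counts as its own value."""
    if cookie == "-":
        return []
    values = []
    for part in cookie.split(";"):
        name, _, value = part.strip().partition("=")
        values.append(value if value else name)
    return values


def referer_mismatch(record: dict) -> bool:
    """True when a popular-site Referer points at a host unrelated to that site."""
    if record["referer"] == "-" or record["host"] in POPULAR_REFERERS:
        return False
    ref_host = urlparse(record["referer"]).netloc.lower()
    if ref_host not in POPULAR_REFERERS:
        return False
    return registrable_domain(record["host"]) != registrable_domain(ref_host)


def opaque_cookie(record: dict) -> bool:
    """True when any cookie value is long and high-entropy (looks like smuggled data)."""
    return any(len(v) >= OPAQUE_MIN_LEN and shannon_entropy(v) >= OPAQUE_MIN_ENTROPY
               for v in cookie_values(record["cookie"]))


def triage(log_text: str, rare_host_max_clients: int = 1) -> list:
    """Return findings for lines where the two primary indicators co-occur.

    Host rarity (few distinct clients talk to it) only raises the priority; on its
    own it is far too noisy to alert on.
    """
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    clients_per_host = defaultdict(set)
    for r in records:
        clients_per_host[r["host"]].add(r["client"])

    findings = []
    for r in records:
        reasons = []
        if referer_mismatch(r):
            reasons.append("referer-mismatch")
        if opaque_cookie(r):
            reasons.append("opaque-cookie")
        if len(clients_per_host[r["host"]]) <= rare_host_max_clients:
            reasons.append("rare-host")
        if "referer-mismatch" in reasons and "opaque-cookie" in reasons:
            findings.append({"ts": r["ts"], "client": r["client"], "host": r["host"],
                             "reasons": reasons,
                             "priority": "high" if "rare-host" in reasons else "medium"})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the constructed sample, the two requests to `c2-placeholder.example` are the only findings: the Google-to-YouTube and Google-to-news requests carry popular Referers but ordinary cookies, and the SSO request carries a long opaque token but no borrowed Referer, so neither pattern alone fires. The thresholds are starting points for tuning against a real baseline, not universal constants.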
Microsoft (which tracks the Solorigate threat actor as "NOBELIUM") has published its own analysis of the backdoor, along with two other tools the company calls "GoldFinder" and "Sibot." The researchers say the malware was used from August to September 2020, though it may have been placed on systems in June 2020. Microsoft states, "These tools are new pieces of malware that are unique to this actor. They are tailor-made for specific networks and are assessed to be introduced after the actor has gained access through compromised credentials or the SolarWinds binary and after moving laterally with TEARDROP and other hands-on-keyboard actions. These capabilities differ from previously known NOBELIUM tools and attack patterns, and reiterate the actor’s sophistication. In all stages of the attack, the actor demonstrated a deep knowledge of software tools, deployments, security software and systems common in networks, and techniques frequently used by incident response teams. This knowledge is reflected in the actor’s operational decisions, from the choice of command-and-control (C2) infrastructure to the naming of scheduled tasks used to maintain persistence."
And WIRED says the known victims of the Solorigate cyberespionage campaign now include NASA and the US Federal Aviation Administration (FAA).