Targeted attacks

Putting the 'A' into APT

In December, SolarWinds, a well-known IT managed services provider, fell victim to a sophisticated supply-chain attack. The company's Orion IT, a solution for monitoring and managing customers' IT infrastructure, was compromised by threat actors. This resulted in the deployment of a custom backdoor, named Sunburst, on the networks of more than 18,000 SolarWinds customers, including many large corporations and government bodies, in North America, Europe, the Middle East and Asia.

One thing that sets this campaign apart from others is the peculiar victim profiling and validation scheme. Out of the 18,000 Orion IT customers affected by the malware, it seems that only a handful were of interest to the attackers. This was a sophisticated attack that employed several methods to try to remain undetected for as long as possible. For example, before making the first internet connection to its C2s, the Sunburst malware lies dormant for up to two weeks, preventing easy detection of this behaviour in sandboxes.

In our initial report on Sunburst, we examined the method used by the malware to communicate with its C2 (command-and-control) server and the protocol used to upgrade victims for further exploitation. Further investigation of the Sunburst backdoor revealed several features that overlap with a previously identified backdoor known as Kazuar, a .NET backdoor first reported in 2017 and tentatively linked to the Turla APT group. The shared features between Sunburst and Kazuar include the victim UID generation algorithm, code similarities in the initial sleep algorithm and the extensive usage of the FNV1a hash to obfuscate string comparisons.
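The FNV1a string-comparison obfuscation mentioned above works by storing only the hash of a string constant and comparing it against the hash of runtime data, so the plaintext never appears in the binary. The following is an added example written for this summary, not code from the report or from either malware family: it implements standard FNV-1a (32- and 64-bit parameters from the public FNV specification) and shows the analyst-side counterpart, resolving hashes found in a sample back to strings by pre-hashing a candidate list. The candidate names and the hashes being "observed" are constructed for illustration.

```python
"""FNV-1a hashing and hash-to-string resolution (added example, not the report's code)."""

# Public FNV-1a parameters: (offset basis, prime, bit mask) per hash width.
FNV_PARAMS = {
    32: (0x811C9DC5, 0x01000193, 0xFFFFFFFF),
    64: (0xCBF29CE484222325, 0x00000100000001B3, 0xFFFFFFFFFFFFFFFF),
}


def fnv1a(data: bytes, bits: int = 32) -> int:
    """Standard FNV-1a: XOR each byte into the state, then multiply by the prime."""
    basis, prime, mask = FNV_PARAMS[bits]
    h = basis
    for b in data:
        h ^= b
        h = (h * prime) & mask
    return h


def fnv1a32(data: bytes) -> int:
    return fnv1a(data, 32)


def fnv1a64(data: bytes) -> int:
    return fnv1a(data, 64)


def hashed_compare(value: str, expected_hash: int, bits: int = 32) -> bool:
    """The obfuscation pattern: the code holds only expected_hash, never the plaintext.
    Comparing the hash of a runtime string hides which constant is being checked."""
    return fnv1a(value.encode("utf-8"), bits) == expected_hash


def resolve_hashes(observed: set[int], candidates: list[str], bits: int = 32) -> dict[int, str]:
    """Analyst counterpart: pre-hash a wordlist and map observed hash constants back
    to plaintext. Hashes with no candidate match are left out of the result."""
    table = {fnv1a(c.encode("utf-8"), bits): c for c in candidates}
    return {h: table[h] for h in observed if h in table}


# Constructed candidate list; real work would use a large wordlist of process,
# service and domain names collected from prior samples.
CANDIDATES = ["alpha.exe", "beta.exe", "gamma.exe", "delta-service"]


def demo() -> dict[int, str]:
    # Constructed "observed" constants: two resolvable, one deliberately unknown.
    observed = {fnv1a32(b"beta.exe"), fnv1a32(b"delta-service"), 0xDEADBEEF}
    return resolve_hashes(observed, CANDIDATES)


if __name__ == "__main__":
    for h, name in sorted(demo().items()):
        print(f"0x{h:08x} -> {name}")
```

The same table-lookup approach scales to 64-bit hashes by passing `bits=64`; the cost is one hash per candidate, so the limiting factor is the quality of the wordlist rather than compute.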