1. Home
  2. Software
  3. SUNSPOT

SUNSPOT

SUNSPOT is an implant that injected the SUNBURST backdoor into the SolarWinds Orion software update framework. It was used by APT29 since at least February 2020.[1]

ID: S0562
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 12 January 2021
Last Modified: 27 March 2023
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1036 .005 伪装: Match Legitimate Name or Location

SUNSPOT was identified on disk with a filename of taskhostsvc.exe and it created an encrypted log file at C:\Windows\Temp\vmware-vmdmp.log.[1]

Enterprise T1195 .002 供应链破坏: Compromise Software Supply Chain

SUNSPOT malware was designed and used to insert SUNBURST into software builds of the SolarWinds Orion IT management product.[1]
Enterprise T1140 反混淆/解码文件或信息

SUNSPOT decrypts SUNBURST, which was stored in AES128-CBC encrypted blobs.[1]

Enterprise T1480 执行保护

SUNSPOT only replaces SolarWinds Orion source code if the MD5 checksums of both the original source code file and backdoored replacement source code match hardcoded values.[1]

.002 Mutual Exclusion

SUNSPOT creates a mutex using the hard-coded value {12d61a41-4b74-7610-a4d8-3028d2f56395} to ensure that only one instance of itself is running.[1]

Enterprise T1565 .001 数据操控: Stored Data Manipulation

SUNSPOT created a copy of the SolarWinds Orion software source file with a .bk extension to backup the original content, wrote SUNBURST using the same filename but with a .tmp extension, and then moved SUNBURST using MoveFileEx to the original filename with a .cs extension so it could be compiled within Orion software.[1]
Enterprise T1083 文件和目录发现

SUNSPOT enumerated the Orion software Visual Studio solution directory path.[1]
Enterprise T1106 本机API

SUNSPOT used Windows API functions such as MoveFileEx and NtQueryInformationProcess as part of the SUNBURST injection process.[1]

Enterprise T1027 混淆文件或信息

SUNSPOT encrypted log entries it collected with the stream cipher RC4 using a hard-coded key. It also uses AES128-CBC encrypted blobs for SUNBURST source code and data extracted from the SolarWinds Orion <MsBuild.exe process.[1]
Enterprise T1070 .004 移除指标: File Deletion

Following the successful injection of SUNBURST, SUNSPOT deleted a temporary file it created named InventoryManager.bk after restoring the original SolarWinds Orion source code to the software library.[1]
Enterprise T1134 访问令牌操控

SUNSPOT modified its security token to grants itself debugging privileges by adding SeDebugPrivilege.[1]
Enterprise T1057 进程发现

SUNSPOT monitored running processes for instances of MsBuild.exe by hashing the name of each running process and comparing it to the corresponding value 0x53D525. It also extracted command-line arguments and individual arguments from the running MsBuild.exe process to identify the directory path of the Orion software Visual Studio solution.[1]

Groups That Use This Software

ID Name References
G0016 APT29

[1][2][3][4][5]

Campaigns

ID Name Description
C0024 SolarWinds Compromise

[1]

References

  1. CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.
  2. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
  3. NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021.
  1. UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021.
  2. Mandiant. (2020, April 27). Assembling the Russian Nesting Doll: UNC2452 Merged into APT29. Retrieved March 26, 2023.