SolarWinds' digital certificate hasn't been revoked yet.
The full compromised package is still being hosted online as well 😓 hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574/SolarWinds-Core-v2019.4.5220-Hotfix5.msp
Job class within the backdoored #Sunburst DLL is pretty straight forward and aligns with @FireEye's analysis. CollectSystemDescription:
DeleteFile
DeleteRegistryValue
FileExists
#UNC2452 prefers MD5 for their file hashing routine
#UNC2452's DirList is savvy enough to always expand environment variables. Doesn't appear to have any recursion or depth arguments for DirWalk'ing.
Use of token manipulation was underwhelming. Sets process privilege to SeTakeOwnershipPrivilege, SeRestorePrivilege, and SeShutdownPrivilege.
Domain1 = avsvmcloud.com
(just like the report said). Thus far all analysis has held up (no real surprise there).
One of the anomalous #SUNBURST DLLs from October 2019 that Microsoft highlighted can be found in the SolarWinds Coreinstall.msi for 2019.4.5220.20161 - hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20161/CoreInstaller.msi
Malicious #SUNBURST DLL CE77D116A074DAB7A22A0FD4F2C1AB475F16EEC42E1DED3C0B0AA8211FE858D6 from May 2020 can be found in CoreInstaller.msi for 2020.2.5320.27438 -hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2020.2/2020.2.5320.27438/CoreInstaller.msi
Malicious #SUNBUST DLL 019085A76BA7126FFF22770D71BD901C325FC68AC55AA743327984E89F4B0134 from April 2020 can be found in CoreInstaller.msi for 2020.2.5220.27327 - hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2020.2/2020.2.5220.27327/CoreInstaller.msi
For those asking about the "obfuscation" of strings, here's a quick and dirty way to convert their base64 into a cleartext result. gist.github.com/KyleHanslovan/…
This gist emulates the ZipHelper class method Unzip() which base64 decodes then calls Decompress(). gist.github.com/KyleHanslovan/…
• • •
Missing some Tweet in this thread? You can try to
force a refresh
LOTS of folks asked me about the sophistication of these attacks, the response actions I expect will happen, and the always fun attribution. This thread will cover those topics. (cue scary political hacker image)
Starting w/the #SUNBURST backdoor, the actor's approach to hiding source code in plain sight was simple/classy. They studied Orion's code and naming conventions to make sure even SolarWinds devs would not take immediate notice. OrionImprovementBusinessLayer does not stand out.
The malicious methods are PascalCase and also start with familiar verb prefixes like Get* and Is*.
Was just shown the SolarWinds.Orion.Core.BusinessLayer.dll is included in n-Central's Probe installer by @KelvinTegelaar. WindowsProbeSetup.exe is signed by the same certificate. However the DLL backdoored with #SUNBURST is not signed and appears to be a 2014 version. #Looking
The unsigned SolarWinds.Orion.Core.BusinessLayer.dll binary from my copy of the Windows probe installer had hash B9CE678F9DAF32C526211EDEA88B5EC104538C75FAD13767EA44309E9F81DBFC. No OrionImprovementBusinessLayer class within this version (comparison screens attached).
The default installation directory for this binary is "C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin". Going to have the team do a quick survey across all hosts to see if anything shakes up. Will report back what we find (hoping nothing 😅)
EMOTET ANALYSTS: Everyday, our team sees 5-15 clients networks wrecked by Emotet. Cleanup/response can take 3d - 3mo depending on IT department skills, tools, and telemetry. We’re creating a “synchronized” removal capability and could use additional perspective. 1/x
We know the core of lateral movement for Emotet, TrickBot, Qakbot, etc. is abusing of elevated creds/tokens, standard local admin passwords, and MS17-010 for poorly maintained networks. With these, payloads are dropped to remote shares via SMB & started via remote services. 2/x
For starts, we could use some perspective to make sure there’s not more we’re missing in regards to lateral movement.
We are aware of email spreading and browser password scraping plugins. However, we like to scope this to stopping local self-propagation of the bot first. 3/x