The attackers behind the #SUNBURST malware put a lot of effort into avoiding detection by analysts and security vendors. Not only that, they also made sure to stay under the radar of #SolarWinds developers and employees. A thread >>
When brute-forcing the FNV-1a hashes embedded in #SUNBURST, I noticed that some of the cracked strings look like domain names of #SolarWinds internal networks across the globe. If the domain of the infected computer ends with one of these names, the malware will not run >>
In addition to this, the #SUNBURST malware matches the domain name of the infected machine against two regular-expression patterns for "solarwinds" and "test" network domain names. >>
These checks might indicate that the attackers not only studied the #SolarWinds source code in depth, but also learned the topology of their networks and their internal development domain names, to minimize the risk that a vigilant employee would notice the anomaly >>
Their efforts to stay undetected are impressive. They carefully tested the feasibility of the attack by first deploying a backdoor without malicious capabilities, wrote their code in the #SolarWinds coding style, and avoided infecting the company's internal networks.

wow.
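The gating logic the thread describes, as an added example that is not part of the original thread and not SUNBURST's own code: the binary carries only 64-bit FNV-1a hashes, each dot-aligned suffix of the victim's domain is hashed and compared against that list, two regex checks are applied on top, and an analyst recovers the hidden strings by hashing candidate domain names and looking for collisions. The blocked domain names, the candidate wordlist and the two regex patterns below are constructed stand-ins for illustration, not the real values from the malware.

```python
import itertools
import re

# Public 64-bit FNV-1a parameters (offset basis and prime of the FNV family).
FNV64_OFFSET_BASIS = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1


def fnv1a_64(data):
    """Plain 64-bit FNV-1a: XOR each byte into the state, then multiply by the prime."""
    h = FNV64_OFFSET_BASIS
    for byte in data:
        h ^= byte
        h = (h * FNV64_PRIME) & MASK64
    return h


def domain_suffixes(domain):
    """Dot-aligned suffixes, longest first: 'a.b.c' -> ['a.b.c', 'b.c', 'c']."""
    labels = domain.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


# Constructed stand-ins for a vendor's internal domain names. Only their hashes
# would ship in the binary; the plaintext never appears there.
CONSTRUCTED_BLOCKED_DOMAINS = [
    "corp.acme.example",
    "dev.eu.acme.example",
    "lab.apac.acme.example",
]
EMBEDDED_HASHES = {fnv1a_64(d.encode()) for d in CONSTRUCTED_BLOCKED_DOMAINS}

# Illustrative stand-ins for the two regex checks (vendor name, test networks);
# these are NOT the actual patterns from the malware.
VENDOR_PATTERN = re.compile(r"(^|\.)solarwinds(\.|$)", re.IGNORECASE)
TEST_NET_PATTERN = re.compile(r"(^|\.)test(\.|$)", re.IGNORECASE)


def should_run(victim_domain):
    """Return (run, reason). Bail out if any suffix of the victim's domain hashes
    to an embedded value, or if the domain matches one of the regex checks."""
    for suffix in domain_suffixes(victim_domain):
        if fnv1a_64(suffix.encode()) in EMBEDDED_HASHES:
            return False, "hash match on suffix %r" % suffix
    lowered = victim_domain.lower()
    for name, pattern in (("vendor", VENDOR_PATTERN), ("test-net", TEST_NET_PATTERN)):
        if pattern.search(lowered):
            return False, "regex match (%s)" % name
    return True, "no exclusion matched"


def candidate_domains(sites, regions, bases):
    """Analyst-side wordlist: combine plausible site, region and base labels."""
    for base, site, region in itertools.product(bases, sites, regions):
        yield ".".join(part for part in (site, region, base) if part)


def crack_hashes(hashes, candidates):
    """Dictionary attack: hash every candidate and keep the ones that collide
    with an embedded hash. Returns {hash: recovered_string}."""
    recovered = {}
    for cand in candidates:
        h = fnv1a_64(cand.lower().encode())
        if h in hashes:
            recovered[h] = cand.lower()
    return recovered


# Constructed candidate space; roughly how an analyst would guess naming schemes.
CONSTRUCTED_WORDLIST = list(candidate_domains(
    sites=["corp", "dev", "lab", "qa"],
    regions=["", "eu", "apac", "us"],
    bases=["acme.example", "acme-corp.example"],
))

if __name__ == "__main__":
    for victim in ("ws01.corp.acme.example", "pc.solarwinds.example",
                   "build.test.local", "pc.victim.example"):
        print(victim, "->", should_run(victim))
    for h, name in sorted(crack_hashes(EMBEDDED_HASHES, CONSTRUCTED_WORDLIST).items()):
        print("0x%016x = %s" % (h, name))
```

Note that the suffix walk is what makes "ends with one of these names" work with a hash list: a hash of the full host domain would never match a shorter internal suffix, so each parent domain has to be hashed in turn.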
