The #sunburst case is interesting and demonstrates how threat actors rely on defense evasion techniques to spy on a target or cause damage. #UnprotectProject Thread 👇
First of all, delivering the backdoor through a supply chain attack (inside a legitimate vendor update) made it extremely stealthy and hard to detect. It is another reminder that trust in partners and suppliers has to be verified, even though that is hard to do in practice.
#Sunburst uses the TrackProcesses() function to check the running processes against a blacklist of security and analysis tools (the names are compared as hashes, not in plaintext). If a blacklisted item is found, the loop terminates and the backdoor does not proceed.
The SearchServices() function uses the same method to identify blacklisted services and disables them through the registry (the service's Start value under HKLM\SYSTEM\CurrentControlSet\services is set to 4, i.e. disabled).
The SearchConfigurations() function does the same for blacklisted drivers, enumerated through WMI.
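To make the three checks above concrete, here is an added example (not SUNBURST's code and not from the #UnprotectProject database) that reproduces the structure of a hashed blacklist: each process, service or driver name is hashed (FNV-1a 64-bit, masked with an XOR constant) and compared against precomputed hashes, the process loop stops on the first hit, and matching services are disabled by setting their Start value to 4. The XOR constant, the tool names and the dict standing in for the registry are all constructed for illustration; the implant's real constants and list are deliberately not reproduced. The last function shows the defender side: recovering the names behind the hashes by hashing a dictionary of known tool names.

```python
# Added example: hashed blocklist check in the style described above.
# NOT SUNBURST's code. Names, XOR mask and registry model are constructed.

FNV64_OFFSET = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3
MASK64 = 0xFFFFFFFFFFFFFFFF

# Constructed constant: the real implant XORs the hash with its own value,
# which is intentionally not reproduced here.
XOR_MASK = 0x0123456789ABCDEF


def fnv1a64(data: bytes) -> int:
    """Standard 64-bit FNV-1a hash."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h


def blocklist_hash(name: str) -> int:
    """Lower-case the name, hash and mask it: only hashes ship in the binary."""
    return fnv1a64(name.lower().encode("utf-8")) ^ XOR_MASK


# Constructed blocklists (hypothetical tool names, not the real list).
PROCESS_BLOCKLIST = {blocklist_hash(n) for n in ("sample_edr_agent", "sandbox_monitor")}
SERVICE_BLOCKLIST = {blocklist_hash(n) for n in ("SampleEdrSvc", "SampleAvSvc")}
DRIVER_BLOCKLIST = {blocklist_hash(n) for n in ("sampleedrflt.sys",)}


def track_processes(running_processes):
    """Return the first blocklisted process found, or None.

    Mirrors the 'terminate the loop on a hit' behaviour: a non-None result
    means 'analysis tooling present, do not proceed'.
    """
    for name in running_processes:
        if blocklist_hash(name) in PROCESS_BLOCKLIST:
            return name
    return None


def search_services(installed_services, registry):
    """Disable blocklisted services in a dict standing in for
    HKLM\\SYSTEM\\CurrentControlSet\\services\\<name>\\Start (4 = SERVICE_DISABLED).
    Returns the services that were disabled."""
    disabled = []
    for svc in installed_services:
        if blocklist_hash(svc) in SERVICE_BLOCKLIST:
            registry.setdefault(svc, {})["Start"] = 4
            disabled.append(svc)
    return disabled


def search_configurations(loaded_drivers):
    """Return blocklisted drivers present on the host (the real implant
    enumerated drivers through WMI; here the list is passed in)."""
    return [d for d in loaded_drivers if blocklist_hash(d) in DRIVER_BLOCKLIST]


def resolve_hashes(hashes, candidate_names):
    """Defender side: map hashes back to names by hashing a dictionary of
    known tool names. Unknown hashes resolve to None."""
    table = {blocklist_hash(n): n for n in candidate_names}
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    print("blocked process:", track_processes(["explorer.exe", "Sandbox_Monitor"]))
    reg = {}
    print("disabled:", search_services(["Spooler", "SampleAvSvc"], reg), reg)
    print("blocked drivers:", search_configurations(["ntfs.sys", "SampleEdrFlt.sys"]))
    print(resolve_hashes(PROCESS_BLOCKLIST, ["sample_edr_agent", "notepad.exe"]))
```

Because the comparison is case-insensitive and hash-based, a defender looking at the binary sees only 64-bit constants; the names come back only by brute-forcing candidates through the same hash, which is exactly what resolve_hashes() does.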
The C2 connection relies on a domain generation algorithm (DGA) to blend in with normal network traffic too: for each victim, a unique subdomain of avsvmcloud[.]com is generated (derived from the victim's machine and domain information) and resolved.
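On the detection side, per-victim generated subdomains stand out in DNS logs as long, high-entropy labels under one parent domain. The following is an added example, not from the thread or the #UnprotectProject database: it does not reproduce SUNBURST's actual encoding scheme, only a generic check over constructed log lines in a hypothetical "<timestamp> <client> <qname>" format. The length and entropy thresholds are assumptions, and the random-looking labels are made up, not real indicators.

```python
# Added example (not from the thread): flag machine-generated subdomains
# under a watched parent domain in DNS query logs.
import math

WATCHED_DOMAIN = "avsvmcloud.com"
MIN_LABEL_LEN = 15   # constructed threshold
MIN_ENTROPY = 3.5    # constructed threshold, bits per character

# Constructed sample log lines: "<timestamp> <client> <qname>".
# The random-looking labels are invented, not real indicators.
SAMPLE_DNS_LOG = """\
2020-12-13T10:00:01Z 10.0.0.5 www.example.com
2020-12-13T10:00:02Z 10.0.0.5 k7q2zd9mwv3hx8ty5bn4.avsvmcloud.com
2020-12-13T10:00:03Z 10.0.0.9 mail.example.com
2020-12-13T10:00:04Z 10.0.0.9 p3rc6vj8ws1dq5fk2mzn.avsvmcloud.com
2020-12-13T10:00:05Z 10.0.0.9 www.avsvmcloud.com
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of the string."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_generated_label(label: str) -> bool:
    """Long and high-entropy labels are treated as machine-generated."""
    return len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= MIN_ENTROPY


def find_dga_queries(log_text: str, watched: str = WATCHED_DOMAIN):
    """Return ((client, qname) hits, number of distinct generated labels).

    Only queries strictly below `watched` are considered; the leftmost label
    is the one tested, since that is where a per-victim value would sit.
    """
    hits = []
    labels = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, client, qname = parts
        qname = qname.rstrip(".").lower()
        if qname == watched or not qname.endswith("." + watched):
            continue
        leftmost = qname[: -(len(watched) + 1)].split(".")[0]
        if is_generated_label(leftmost):
            hits.append((client, qname))
            labels.add(leftmost)
    return hits, len(labels)


if __name__ == "__main__":
    hits, distinct = find_dga_queries(SAMPLE_DNS_LOG)
    for client, qname in hits:
        print(f"{client} -> {qname}")
    print("distinct generated labels:", distinct)
```

The distinct-label count is the useful signal here: one host resolving one odd name is noise, but many hosts each resolving a different long label under the same parent domain is the shape of a per-victim DGA.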
In the #UnprotectProject, we reference malware evasion techniques, including the ones described here. It's free and open to the #infosec community. You can access the database here: unprotect.it