The #Sunburst case is interesting and shows how threat actors rely on defense evasion techniques to spy on targets or do damage. #UnprotectProject Thread 👇
First of all, delivering the backdoor through a supply chain attack (a trojanized SolarWinds Orion update) made the operation extremely stealthy and hard to detect. It is another warning that trust in partners and suppliers has to be verified, even though that is a hard problem to solve.
#Sunburst uses the TrackProcesses() function to check running processes (SearchAssemblies()), services and drivers against a blocklist of analysis and security tools. The names are stored only as hashes, not as strings. If a blocklisted process is found, the loop terminates and the backdoor does not proceed.
The SearchServices() function applies the same hashed lookup to installed services and disables any match through the registry, by setting the service's Start value to 4 (Disabled) under HKLM\SYSTEM\CurrentControlSet\Services.
The SearchConfigurations() function does the same for loaded drivers, enumerated through WMI (Win32_SystemDriver); a match also stops the backdoor.
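As an added example (not code from the Sunburst sample or from the Unprotect Project), here is a Python model of the gate described in the three tweets above: names are hashed and compared against a hashed blocklist, matching services are disabled through their Start value, and any remaining match stops the backdoor. The hosts it inspects are constructed test data, the blocklists are a small illustrative subset of the published ones, and the final XOR constant is taken from public analyses of the sample rather than from this thread.

```python
# Added example: a model of the SUNBURST pre-execution gate
# (TrackProcesses -> SearchAssemblies / SearchServices / SearchConfigurations).
# Illustrative code written for this page, not code from the sample or the
# Unprotect Project. Hosts are constructed; blocklists are an illustrative subset.

FNV_OFFSET = 0xCBF29CE484222325
FNV_PRIME = 0x100000001B3
MASK = (1 << 64) - 1
# Final XOR applied after FNV-1a 64. Value as reported in public analyses of the
# sample; an assumption for this example, confirm against your own copy.
XOR_KEY = 6605813339339102567


def name_hash(name: str) -> int:
    """64-bit FNV-1a of the lower-cased name, XORed with a fixed key.
    Storing only these hashes is what keeps the tool names out of `strings`."""
    h = FNV_OFFSET
    for byte in name.lower().encode("utf-8"):
        h = ((h ^ byte) * FNV_PRIME) & MASK
    return h ^ XOR_KEY


def hashed(names):
    return frozenset(name_hash(n) for n in names)


# Illustrative subsets only (see lead-in).
BLOCKED_PROCESSES = hashed(["procexp", "procmon", "wireshark", "windbg", "x64dbg", "idaq", "autoruns"])
BLOCKED_SERVICES = hashed(["windefend", "csfalconservice", "ekrn"])
BLOCKED_DRIVERS = hashed(["cybkerneltracker.sys", "sentinelmonitor.sys", "brfilter.sys"])

SERVICE_DISABLED = 4  # HKLM\SYSTEM\CurrentControlSet\Services\<name>\Start = 4


def search_assemblies(process_names):
    """True if any running process name (no extension) is on the blocklist."""
    return any(name_hash(p) in BLOCKED_PROCESSES for p in process_names)


def search_services(services):
    """Disable blocklisted services via their Start value. Return True if a
    blocklisted service is still running, i.e. the gate cannot be passed yet."""
    still_running = False
    for name, entry in services.items():
        if name_hash(name) in BLOCKED_SERVICES:
            entry["Start"] = SERVICE_DISABLED
            if entry["running"]:
                still_running = True
    return still_running


def search_configurations(driver_paths):
    """True if the file name of any loaded driver's PathName is blocklisted."""
    return any(name_hash(path.replace("\\", "/").rsplit("/", 1)[-1]) in BLOCKED_DRIVERS
               for path in driver_paths)


def track_processes(host):
    """Return (proceed, reasons). proceed is True only when no blocklisted
    process or driver is present and no blocklisted service is still running."""
    reasons = []
    if search_assemblies(host["processes"]):
        reasons.append("blocklisted process running")
    if search_services(host["services"]):
        reasons.append("blocklisted service still running")
    if search_configurations(host["drivers"]):
        reasons.append("blocklisted driver loaded")
    return (not reasons), reasons


# Constructed hosts for the example.
CLEAN_HOST = {
    "processes": ["explorer", "svchost", "SolarWinds.BusinessLayerHost"],
    "services": {"Spooler": {"Start": 2, "running": True}},
    "drivers": ["C:\\Windows\\System32\\drivers\\tcpip.sys"],
}
ANALYST_HOST = {
    "processes": ["explorer", "ProcMon", "Wireshark"],
    "services": {"WinDefend": {"Start": 2, "running": True}},
    "drivers": ["C:\\Windows\\System32\\drivers\\SentinelMonitor.sys"],
}

if __name__ == "__main__":
    for label, host in (("clean", CLEAN_HOST), ("analyst", ANALYST_HOST)):
        proceed, reasons = track_processes(host)
        print(f"{label}: proceed={proceed} {reasons}")
        print(f"  WinDefend Start now = {host['services'].get('WinDefend', {}).get('Start')}")
```

Two things the model makes visible: the check is case-insensitive, so renaming Procmon.exe to ProcMon.exe changes nothing, while renaming the binary to something not in the list does evade it; and a host where the backdoor ran has a tell-tale side effect, a blocklisted service whose Start value was flipped to 4, which is worth hunting for in registry telemetry. Public analyses recovered the list by brute-forcing the hashes against dictionaries of tool names, which is the same trick you can use against any hashed blocklist.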
The C2 connection also uses a domain generation algorithm (DGA) to get past network controls. For each target a unique subdomain of avsvmcloud[.]com is generated that encodes the victim's identity, so a static domain blocklist does not match and each victim can be told apart from the DNS traffic alone.
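As an added example (not from the thread, the sample, or the Unprotect Project), a detection-side check for the beaconing pattern above: scan DNS resolver logs for the per-victim avsvmcloud[.]com subdomains and group them by client. The log lines are constructed, the four-column log format (timestamp, client IP, record type, query name) is assumed, and the appsync-api/region labels are the ones reported in public analyses of the sample.

```python
# Added example: hunt for per-victim avsvmcloud[.]com subdomains in DNS logs.
# Illustrative code for this page; log lines are constructed, not real telemetry.
import re

# Per-victim labels sat under these four appsync-api.<region> names.
SUNBURST_DNS = re.compile(
    r"^(?P<label>[a-z0-9]+)\.appsync-api\."
    r"(?P<region>eu-west-1|us-west-2|us-east-1|us-east-2)\.avsvmcloud\.com\.?$",
    re.IGNORECASE,
)
APEX = "avsvmcloud.com"

# Constructed resolver log: "<timestamp> <client> <rtype> <qname>" (assumed format).
LOG_LINES = [
    "2020-06-12T10:01:02Z 10.0.0.5 A 3f9kq2x7pcd0wzlb8m1v.appsync-api.us-west-2.avsvmcloud.com",
    "2020-06-12T10:01:05Z 10.0.0.5 A updates.example.com",
    "2020-06-12T10:03:40Z 10.0.0.5 A 3f9kq2x7pcd0wzlb8m1v.appsync-api.us-west-2.avsvmcloud.com",
    "2020-06-12T10:09:11Z 10.0.0.9 A 0hzt4r6jyn2cvq8bkd5s.appsync-api.eu-west-1.avsvmcloud.com",
    "2020-06-12T10:10:00Z 10.0.0.7 A www.avsvmcloud.com",
    "malformed line",
]


def parse_line(line):
    """Split one log line into (timestamp, client, rtype, qname) or None."""
    parts = line.split()
    if len(parts) != 4:
        return None
    return tuple(parts)


def avsvmcloud_queries(lines):
    """Broad IOC: every (client, qname) whose name is under the apex domain."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        qname = rec[3].lower().rstrip(".")
        if qname == APEX or qname.endswith("." + APEX):
            out.append((rec[1], qname))
    return out


def find_sunburst_beacons(lines):
    """Structured match: per client, the per-victim labels it resolved plus
    first/last time seen and query count. One label per victim means a client
    with one stable label is a single infected host beaconing repeatedly."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, _rtype, qname = rec
        m = SUNBURST_DNS.match(qname)
        if not m:
            continue
        entry = hits.setdefault(client, {"labels": set(), "first": ts, "last": ts, "count": 0})
        entry["labels"].add(m.group("label").lower())
        entry["last"] = ts
        entry["count"] += 1
    return hits


if __name__ == "__main__":
    print("apex matches:", avsvmcloud_queries(LOG_LINES))
    for client, info in find_sunburst_beacons(LOG_LINES).items():
        print(client, info)
```

The broad suffix match is the IOC you would push to a blocklist; the structured match is what turns it into triage, because the leftmost label is stable per victim, so counting distinct labels per client separates one infected host from a resolver that forwards for many. Query the resolver logs back to the first appearance of the update, not just the current day.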
In the #UnprotectProject, we reference malware evasion techniques, including the ones described here. It's free and open to the #infosec community. You can access the database here: unprotect.it
Thread by Thomas Roccia 🤘