Tweet

Colin Hardy 💻

12 Jan, 6 tweets, 3 min read

#CrowdStrike have produced fascinating research into #SUNSPOT malware, which was used to implant the SUNBURST / SolarWinds backdoor.

Here are my Threat Hunting tips to:

➡️ Find the malware on disk
➡️ Find the persistence
➡️ Decrypt the log files
➡️ Find if it's running

👇

The malware exists on disk as taskhostsvc.exe

You can use the following commands to look for files on Windows

dir taskhostsvc.exe /S /B
where /r . taskhostsvc.exe

SUNSPOT used a scheduled task set to execute when the host boots

You can find Scheduled Tasks so many ways; two methods are to use Autoruns (from sysinternals) or browse the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree

SUNSPOT creates an encrypted log file at the following location:

C:\Windows\Temp\vmware-vmdmp.log

Check for the presence of file using techniques above, and decrypt the file using CyberChef

Finally, the malware was known to use a Mutex to ensure it only runs one instance at a time.

You can use Handle from sysinternals to identify all mutexes on the endpoint and couple it with findstr to identify entries of interest.

Note, this specific scenario is only really applicable to SolarWinds themselves, but the same techniques can be applied across usual threat hunting scenarios.

Original research from CrowdStrike.

crowdstrike.com/blog/sunspot-m…

• • •

Missing some Tweet in this thread? You can try to force a refresh

This Thread may be Removed Anytime!

Twitter may remove this content at anytime! Save it as PDF for later use!

More from @cybercdh

Colin Hardy 💻

@cybercdh

3 Jan

#Zyxel announced CVE-2020-29583 fixing a backdoor admin account which gave attackers root on affected devices via SSH or web interface

If you want to examine the firmware you need to run a #known_plaintext_attack against an encrypted zip

Sounds hard; don't worry I got you... 👇

Zyxel have actually removed the backdoored firmware versions from their portal; but you can still grab the latest version or earlier versions for further inspection.

Example:

portal.myzyxel.com/my/firmwares?f…

Now, unzip the contents and you should have something like this

Read 13 tweets

Colin Hardy 💻

@cybercdh

31 Dec 20

#SUPERNOVA #SolarWinds malware is actually pretty boring. So boring in fact, I made a video.

Thread 👇

Adversaries have injected a call to a method called DynamicRun() into the existing LogoImageHandler class. An existing method, ProcessRequest() has been trojan'ed to accept 4 GET parameters passed to the Orion web API

These GET parameters are designed to contain

"code" - a blob of C# code which is then compiled
"clazz" - the name of a class which is to be instantiated
"method" - the name of a method to call within the clazz
"args" - supplied to the aforementioned method

Read 6 tweets

Colin Hardy 💻

@cybercdh

15 Dec 20

#SolarWinds #SUNBURST malware checks for a long list of security processes and services running on the endpoint to try and evade detection. It does this by hashing the lowercase process name and comparing it against hardcoded values. Thread 👇

The hashing function isn't one I'm familiar with, FNV1A, but seems pretty straight forward to understand

FireEye did a great job in brute-forcing many of the hardcoded hashes and identified a big list of security tools that the malware is checking for

github.com/fireeye/sunbur…

Read 8 tweets

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Share this page!

Colin Hardy 💻

Try unrolling a thread yourself!

More from @cybercdh

Colin Hardy 💻

Colin Hardy 💻

Colin Hardy 💻

Did Thread Reader help you today?

Like this author's thread?