#CrowdStrike have produced fascinating research into #SUNSPOT malware, which was used to implant the SUNBURST / SolarWinds backdoor.

Here are my Threat Hunting tips to:

➡️ Find the malware on disk
➡️ Find the persistence
➡️ Decrypt the log files
➡️ Find if it's running

The malware exists on disk as taskhostsvc.exe

You can use the following commands to look for files on Windows

dir taskhostsvc.exe /S /B
where /r . taskhostsvc.exe
SUNSPOT used a scheduled task set to execute when the host boots

You can find Scheduled Tasks so many ways; two methods are to use Autoruns (from sysinternals) or browse the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree
SUNSPOT creates an encrypted log file at the following location:


Check for the presence of file using techniques above, and decrypt the file using CyberChef
Finally, the malware was known to use a Mutex to ensure it only runs one instance at a time.

You can use Handle from sysinternals to identify all mutexes on the endpoint and couple it with findstr to identify entries of interest.
Note, this specific scenario is only really applicable to SolarWinds themselves, but the same techniques can be applied across usual threat hunting scenarios.

Original research from CrowdStrike.


• • •

Missing some Tweet in this thread? You can try to force a refresh

Keep Current with Colin Hardy 💻

Colin Hardy 💻 Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!


Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @cybercdh

3 Jan
#Zyxel announced CVE-2020-29583 fixing a backdoor admin account which gave attackers root on affected devices via SSH or web interface

If you want to examine the firmware you need to run a #known_plaintext_attack against an encrypted zip

Sounds hard; don't worry I got you... 👇
Zyxel have actually removed the backdoored firmware versions from their portal; but you can still grab the latest version or earlier versions for further inspection.


Now, unzip the contents and you should have something like this
Read 13 tweets
31 Dec 20
#SUPERNOVA #SolarWinds malware is actually pretty boring. So boring in fact, I made a video.

Thread 👇
Adversaries have injected a call to a method called DynamicRun() into the existing LogoImageHandler class. An existing method, ProcessRequest() has been trojan'ed to accept 4 GET parameters passed to the Orion web API Image
These GET parameters are designed to contain

"code" - a blob of C# code which is then compiled
"clazz" - the name of a class which is to be instantiated
"method" - the name of a method to call within the clazz
"args" - supplied to the aforementioned method Image
Read 6 tweets
15 Dec 20
#SolarWinds #SUNBURST malware checks for a long list of security processes and services running on the endpoint to try and evade detection. It does this by hashing the lowercase process name and comparing it against hardcoded values. Thread 👇
The hashing function isn't one I'm familiar with, FNV1A, but seems pretty straight forward to understand
FireEye did a great job in brute-forcing many of the hardcoded hashes and identified a big list of security tools that the malware is checking for

Read 8 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!