Kyle Hanslovan
Malware Connoisseur. Ethical Hacker. CEO at @HuntressLabs. Open DMs.
Mar 6, 2021 9 tweets 5 min read
It's way too early to tell (especially on a Friday night), but we've got one of our recent webshell victims also pulling down shady PoSh from @digitalocean hosted domains. hxxp://p.estonine[.]com/p?e currently resolves to IP 188.166.162.201. Pulls down base64 blob that decodes to the additional downloader. gist.github.com/KyleHanslovan/…
Dec 15, 2020 7 tweets 4 min read
LOTS of folks asked me about the sophistication of these attacks, the response actions I expect will happen, and the always fun attribution. This thread will cover those topics. (cue scary political hacker image) Starting w/the #SUNBURST backdoor, the actor's approach to hiding source code in plain sight was simple/classy. They studied Orion's code and naming conventions to make sure even SolarWinds devs would not take immediate notice. OrionImprovementBusinessLayer does not stand out.
Dec 14, 2020 7 tweets 6 min read
Was just shown the SolarWinds.Orion.Core.BusinessLayer.dll is included in n-Central's Probe installer by @KelvinTegelaar. WindowsProbeSetup.exe is signed by the same certificate. However, the DLL backdoored with #SUNBURST is not signed and appears to be a 2014 version. #Looking The unsigned SolarWinds.Orion.Core.BusinessLayer.dll binary from my copy of the Windows probe installer had hash B9CE678F9DAF32C526211EDEA88B5EC104538C75FAD13767EA44309E9F81DBFC. No OrionImprovementBusinessLayer class within this version (comparison screens attached).
Dec 14, 2020 6 tweets 4 min read
One of the anomalous #SUNBURST DLLs from October 2019 that Microsoft highlighted can be found in the SolarWinds CoreInstaller.msi for 2019.4.5220.20161 - hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20161/CoreInstaller.msi Malicious #SUNBURST DLL CE77D116A074DAB7A22A0FD4F2C1AB475F16EEC42E1DED3C0B0AA8211FE858D6 from May 2020 can be found in CoreInstaller.msi for 2020.2.5320.27438 - hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2020.2/2020.2.5320.27438/CoreInstaller.msi
Dec 14, 2020 16 tweets 8 min read
Only 1 / 67 antivirus engines list SUNBURST backdoor as malicious - SolarWinds.Orion.Core.BusinessLayer.dll virustotal.com/gui/file/32519… #SUNBURST #UNC2452 SolarWinds' digital certificate hasn't been revoked yet.
Feb 17, 2019 13 tweets 10 min read
EMOTET ANALYSTS: Every day, our team sees 5-15 clients' networks wrecked by Emotet. Cleanup/response can take 3d - 3mo depending on IT department skills, tools, and telemetry. We're creating a "synchronized" removal capability and could use additional perspective. 1/x We know the core of lateral movement for Emotet, TrickBot, Qakbot, etc. is abuse of elevated creds/tokens, standard local admin passwords, and MS17-010 for poorly maintained networks. With these, payloads are dropped to remote shares via SMB & started via remote services. 2/x