MAR-10318845-1.v1 - SUNBURST | CISA
Tags
Key | Value |
---|---|
cmtmf-attack-pattern | Supply Chain Compromise |
country | Russia |
maec-delivery-vectors | Watering Hole |
attack-pattern | Domains - T1583.001; Domains - T1584.001; Malicious File - T1204.002; Malware - T1587.001; Malware - T1588.001; Phishing - T1660; Phishing - T1566; Software - T1592.002; Supply Chain Compromise - T1474; Vulnerabilities - T1588.006; Whois - T1596.002; Supply Chain Compromise - T1195; Supply Chain Compromise |
Common Information
Type | Value |
---|---|
UUID | d129680e-c2c9-43e8-8ae7-1ade989a1fb8 |
Fingerprint | 7c178b654f6ffca7 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Feb. 8, 2021, midnight |
Added to db | Sept. 26, 2022, 9:31 a.m. |
Last updated | Nov. 17, 2024, 5:57 p.m. |
Headline | Malware Analysis Report (AR21-039A) |
Title | MAR-10318845-1.v1 - SUNBURST | CISA |
Detected Hints/Tags/Attributes | 67/4/25 |
Source URLs
Redirection | Url |
---|---|
Source | https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a |
URL Provider | |
Attributes
Type | #Events | CTI | Value |
---|---|---|---|
Domain | 154 | | us-cert.cisa.gov |
Domain | 469 | | www.cisa.gov |
Domain | 145 | | www.us-cert.gov |
Domain | 1 | | solarwinds.orion.core.business |
Domain | 50 | | avsvmcloud.com |
Domain | 6 | | www.surveymonkey.com |
Domain | 84 | | malware.us-cert.gov |
Domain | 84 | | ftp.malware.us-cert.gov |
| 84 | | submit@malware.us-cert.gov |
File | 29 | | orion.core |
File | 26 | | businesslayer.dll |
md5 | 7 | | b91ce2fa41029f6955bff20079468448 |
md5 | 5 | | 846e27a652a5e1bfbd0ddd38a16dc865 |
sha256 | 13 | | 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134 |
sha256 | 12 | | 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 |
sha256 | 10 | | ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6 |
sha256 | 9 | | d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600 |
Url | 3 | | https://us-cert.cisa.gov/remediating-apt-compromised-networks |
Url | 4 | | https://www.cisa.gov/supply-chain-compromise |
Url | 42 | | http://www.us-cert.gov/tlp |
Url | 2 | | https://www.surveymonkey.com/r/g8stdry |
Url | 84 | | https://malware.us-cert.gov |

Note on the attributes: the CISA/US-CERT domains, the malware.us-cert.gov submission addresses, the TLP link and the SurveyMonkey feedback link are harvested from the report's own boilerplate and are not indicators of compromise. Of the domains, only avsvmcloud.com is a SUNBURST indicator (the C2 domain the backdoor's DGA generates subdomains of). The "domain" solarwinds.orion.core.business and the "files" orion.core and businesslayer.dll are extraction fragments of a single filename, SolarWinds.Orion.Core.BusinessLayer.dll, the trojanized Orion library, not three separate artifacts. The md5/sha256 values b91ce2fa41029f6955bff20079468448 / 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 and 846e27a652a5e1bfbd0ddd38a16dc865 / ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6 are the two sample pairs referenced in the meta of the CISA_10318927_01 rule below.
Yara rule (1 event): CISA_10318927_01

```yara
rule CISA_10318927_01 : trojan rat SOLAR_FIRE
{
    meta:
        Author = "CISA Code & Media Analysis"
        Incident = "10318927"
        Date = "2020-12-13"
        Last_Modified = "20201213_2145"
        Actor = "n/a"
        Category = "TROJAN RAT"
        Family = "SOLAR_FIRE"
        Description = "This signature is based off of unique strings embedded within the modified Solar Winds app"
        MD5_1 = "b91ce2fa41029f6955bff20079468448"
        SHA256_1 = "32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77"
        MD5_2 = "846e27a652a5e1bfbd0ddd38a16dc865"
        SHA256_2 = "ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6"
    strings:
        // UTF-16LE fragments (note the interleaved 00 bytes) of the base64 string
        // blobs embedded in the trojanized assembly
        $s0 = { 63 00 30 00 6B 00 74 00 54 00 69 00 37 00 4B 00 4C 00 43 00 6A 00 4A 00 7A 00 4D 00 38 00 44 }
        $s1 = { 41 00 41 00 3D 00 3D 00 00 21 38 00 33 00 56 00 30 00 64 00 6B 00 78 00 4A 00 4B 00 55 }
        $s2 = { 63 00 2F 00 46 00 77 00 44 00 6E 00 44 00 4E 00 53 00 30 00 7A 00 4B 00 53 00 55 00 30 00 42 00 41 00 41 00 3D 00 3D }
        $s3 = { 53 00 69 00 30 00 75 00 42 00 67 00 41 00 3D 00 00 21 38 00 77 00 77 00 49 00 4C 00 6B 00 33 00 4B 00 53 00 79 00 30 00 42 }
    condition:
        all of them
}
```
Yara rule (1 event): FireEye_20_00025668_01

```yara
rule FireEye_20_00025668_01 : SUNBURST APT backdoor
{
    meta:
        Author = "FireEye"
        Date = "2020-12-13"
        Last_Modified = "20201213_1917"
        Actor = "n/a"
        Category = "Backdoor"
        Family = "SUNBURST"
        Description = "This rule is looking for portions of the SUNBURST backdoor that are vital to how it functions. The first signature fnv_xor matches a magic byte xor that the sample performs on process, service, and driver names/paths. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
        MD5_1 = ""
        SHA256_1 = ""
    strings:
        // each *_encoded string is the base64 blob as stored in the .NET assembly
        // (wide = UTF-16LE); the matching *_plain bytes are its decoded content
        $cmd_regex_encoded = "U4qpjjbQtUzUTdONrTY2q42pVapRgooABYxQuIZmtUoA" wide
        $cmd_regex_plain = { 5C 7B 5B 30 2D 39 61 2D 66 2D 5D 7B 33 36 7D 5C 7D 22 7C 22 5B 30 2D 39 61 2D 66 5D 7B 33 32 7D 22 7C 22 5B 30 2D 39 61 2D 66 5D 7B 31 36 7D }
        $fake_orion_event_encoded = "U3ItS80rCaksSFWyUvIvyszPU9IBAA==" wide
        $fake_orion_event_plain = { 22 45 76 65 6E 74 54 79 70 65 22 3A 22 4F 72 69 6F 6E 22 2C }
        $fake_orion_eventmanager_encoded = "U3ItS80r8UvMTVWyUgKzfRPzEtNTi5R0AA==" wide
        $fake_orion_eventmanager_plain = { 22 45 76 65 6E 74 4E 61 6D 65 22 3A 22 45 76 65 6E 74 4D 61 6E 61 67 65 72 22 2C }
        $fake_orion_message_encoded = "U/JNLS5OTE9VslKqNqhVAgA=" wide
        $fake_orion_message_plain = { 22 4D 65 73 73 61 67 65 22 3A 22 7B 30 7D 22 }
        // 8-byte little-endian constant XORed into the FNV-1a hash of
        // process/service/driver names
        $fnv_xor = { 67 19 D8 A7 3B 90 AC 5B }
    condition:
        $fnv_xor and ($cmd_regex_encoded or $cmd_regex_plain) or
        (
            ($fake_orion_event_encoded or $fake_orion_event_plain) and
            ($fake_orion_eventmanager_encoded or $fake_orion_eventmanager_plain) and
            // note: unlike the two branches above, this branch requires both forms
            ($fake_orion_message_encoded and $fake_orion_message_plain)
        )
}
```
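The `$fnv_xor` string above is the 8-byte little-endian encoding of the constant SUNBURST XORs into its FNV-1a 64-bit hash of process, service and driver names; the sample stores only hashes of the security tools it looks for, so an analyst who lifts that list from a decompiled sample has to brute-force it against a wordlist to learn which tools it targets. The Python below is an added example and not CISA's or FireEye's code: it recovers the constant from the rule's hex string, reimplements the hash, and maps a hash list back to names. Lower-casing names before hashing, and the demo wordlist and blocklist, are assumptions for illustration.

```python
# FNV-1a 64-bit reference constants
FNV64_OFFSET_BASIS = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1

# The $fnv_xor hex body exactly as it appears in FireEye_20_00025668_01.
FNV_XOR_RULE_BYTES = "67 19 D8 A7 3B 90 AC 5B"


def xor_key_from_yara_hex(hex_body: str) -> int:
    """Turn a YARA hex-string body into the 64-bit integer the .NET sample
    XORs its FNV-1a result with (a ulong literal is stored little-endian)."""
    raw = bytes.fromhex(hex_body.replace(" ", ""))
    if len(raw) != 8:
        raise ValueError("expected an 8-byte constant")
    return int.from_bytes(raw, "little")


SUNBURST_XOR_KEY = xor_key_from_yara_hex(FNV_XOR_RULE_BYTES)  # 0x5BAC903BA7D81967


def fnv1a64(data: bytes) -> int:
    """Plain FNV-1a 64: xor the byte in, then multiply by the prime."""
    h = FNV64_OFFSET_BASIS
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h


def sunburst_hash(name: str) -> int:
    """FNV-1a 64 of the UTF-8 name, XORed with the magic constant."""
    return fnv1a64(name.encode("utf-8")) ^ SUNBURST_XOR_KEY


def recover_names(blocklist, candidates):
    """Brute-force a set of hashes against a wordlist of tool/service names.

    Returns {hash: original_name} for every candidate whose hash appears in
    the blocklist. Names are lower-cased before hashing (assumption: the
    sample normalises case the same way), so callers can pass names as they
    appear on disk or in the process list.
    """
    found = {}
    for name in candidates:
        h = sunburst_hash(name.lower())
        if h in blocklist:
            found[h] = name
    return found


if __name__ == "__main__":
    # Constructed demo data: pretend these hashes were lifted from a sample.
    wordlist = ["ProcMon", "Wireshark", "notepad", "ApiMonitor-x64"]
    demo_blocklist = {sunburst_hash("procmon"), sunburst_hash("wireshark")}
    print(f"XOR key: {SUNBURST_XOR_KEY:#018x} ({SUNBURST_XOR_KEY})")
    for h, name in recover_names(demo_blocklist, wordlist).items():
        print(f"{h:#018x} -> {name}")
```

Feed `recover_names()` the integer list from a decompiled sample and a wordlist of security products to label each entry; unmatched hashes mean the wordlist lacks the name or the case/encoding differs from what the sample hashed.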
Yara rule (1 event): FireEye_20_00025668_02

```yara
rule FireEye_20_00025668_02 : SUNBURST APT backdoor
{
    meta:
        Author = "FireEye"
        Date = "2020-12-13"
        Last_Modified = "20201213_1917"
        Actor = "n/a"
        Category = "Backdoor"
        Family = "SUNBURST"
        Description = "The SUNBURST backdoor uses a domain generation algorithm (DGA) as part of C2 communications. This rule is looking for each branch of the code that checks for which HTTP method is being used. This is in one large conjunction, and all branches are then tied together via disjunction. The grouping is intentionally designed so that if any part of the DGA is re-used in another sample, this signature should match that re-used portion. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
        MD5_1 = ""
        SHA256_1 = ""
    strings:
        // base64 blobs as stored in the assembly (wide = UTF-16LE)
        $a = "0y3Kzy8BAA==" wide
        $aa = "S8vPKynWL89PS9OvNqjVrTYEYqNa3fLUpDSgTLVxrR5IzggA" wide
        $ab = "S8vPKynWL89PS9OvNqjVrTYEYqPaauNaPZCYEQA=" wide
        $ac = "C88sSs1JLS4GAA==" wide
        $ad = "C/UEAA==" wide
        $ae = "C89MSU8tKQYA" wide
        $af = "8wvwBQA=" wide
        $ag = "cyzIz8nJBwA=" wide
        $ah = "c87JL03xzc/LLMkvysxLBwA=" wide
        $ai = "88tPSS0GAA==" wide
        $aj = "C8vPKc1NLQYA" wide
        $ak = "88wrSS1KS0xOLQYA" wide
        $al = "c87PLcjPS80rKQYA" wide
        $am = "Ky7PLNAvLUjRBwA=" wide
        $an = "06vIzQEA" wide
        $b = "0y3NyyxLLSpOzIlPTgQA" wide
        $c = "001OBAA=" wide
        $d = "0y0oysxNLKqMT04EAA==" wide
        $e = "0y3JzE0tLknMLQAA" wide
        $f = "003PyU9KzAEA" wide
        $h = "0y1OTS4tSk1OBAA=" wide
        $i = "K8jO1E8uytGvNqitNqytNqrVA/IA" wide
        $j = "c8rPSQEA" wide
        $k = "c8rPSfEsSczJTAYA" wide
        $l = "c60oKUp0ys9JAQA=" wide
        $m = "c60oKUp0ys9J8SxJzMlMBgA=" wide
        $n = "8yxJzMlMBgA=" wide
        $o = "88lMzygBAA==" wide
        $p = "88lMzyjxLEnMyUwGAA==" wide
        $q = "C0pNL81JLAIA" wide
        $r = "C07NzXTKz0kBAA==" wide
        $s = "C07NzXTKz0nxLEnMyUwGAA==" wide
        $t = "yy9IzStOzCsGAA==" wide
        $u = "y8svyQcA" wide
        $v = "SytKTU3LzysBAA==" wide
        $w = "C84vLUpOdc5PSQ0oygcA" wide
        $x = "C84vLUpODU4tykwLKMoHAA==" wide
        $y = "C84vLUpO9UjMC07MKwYA" wide
        $z = "C84vLUpO9UjMC04tykwDAA==" wide
    condition:
        ($a and $b and $c and $d and $e and $f and $h and $i) or
        ($j and $k and $l and $m and $n and $o and $p and $q and $r and $s and ($aa or $ab)) or
        ($t and $u and $v and $w and $x and $y and $z and ($aa or $ab)) or
        ($ac and $ad and $ae and $af and $ag and $ah and ($am or $an)) or
        ($ai and $aj and $ak and $al and ($am or $an))
}
```
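Every `wide` string in the two FireEye rules is a base64 blob: the sample stores its string literals deflate-compressed and base64-encoded and inflates them at runtime, which is why FireEye_20_00025668_01 pairs each `_encoded` string with its `_plain` bytes. The Python below is an added example and not FireEye's or CISA's code: it decodes such a blob (base64, then raw DEFLATE), checks the rule's encoded/plain pairs against each other, and decodes a few strings from the DGA rule, which turn out to be SolarWinds product short names such as NPM and Wireless. The `encode_sunburst_string` helper is only for round-trip checks and is an addition for this example.

```python
import base64
import zlib


def decode_sunburst_string(encoded: str) -> str:
    """Reverse the sample's string obfuscation: base64 -> raw DEFLATE -> UTF-8.

    wbits=-15 makes zlib expect a raw RFC 1951 stream with no zlib header,
    which is what .NET's DeflateStream writes and what these blobs contain.
    """
    raw = base64.b64decode(encoded, validate=True)
    return zlib.decompress(raw, -15).decode("utf-8")


def encode_sunburst_string(text: str) -> str:
    """Forward direction, for round-trip tests only. zlib may pick a different
    (equally valid) DEFLATE encoding than .NET did, so the output is not
    guaranteed byte-identical to the sample's blobs and must not be turned
    into a signature string."""
    comp = zlib.compressobj(level=9, method=zlib.DEFLATED, wbits=-15)
    data = comp.compress(text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def yara_hex_to_text(hex_body: str) -> str:
    """Render a YARA hex string such as { 22 45 76 ... } as text."""
    cleaned = hex_body.strip().strip("{}").replace(" ", "")
    return bytes.fromhex(cleaned).decode("utf-8")


# Encoded/plain pairs copied from FireEye_20_00025668_01.
FIREEYE_PAIRS = {
    "fake_orion_event": (
        "U3ItS80rCaksSFWyUvIvyszPU9IBAA==",
        "{ 22 45 76 65 6E 74 54 79 70 65 22 3A 22 4F 72 69 6F 6E 22 2C }",
    ),
    "fake_orion_message": (
        "U/JNLS5OTE9VslKqNqhVAgA=",
        "{ 22 4D 65 73 73 61 67 65 22 3A 22 7B 30 7D 22 }",
    ),
}

# A few of the encoded strings from FireEye_20_00025668_02 ($a, $ac, $ad, $af).
DGA_RULE_STRINGS = ["0y3Kzy8BAA==", "C88sSs1JLS4GAA==", "C/UEAA==", "8wvwBQA="]


def check_pairs(pairs=FIREEYE_PAIRS) -> dict:
    """For each rule pair, confirm decode(encoded) == plain. Returns {name: bool}."""
    return {
        name: decode_sunburst_string(enc) == yara_hex_to_text(plain)
        for name, (enc, plain) in pairs.items()
    }


def decode_many(encoded_strings) -> dict:
    """Decode rule strings into {encoded: plaintext}. A blob that is not valid
    base64+DEFLATE is reported in place rather than aborting the whole run."""
    out = {}
    for enc in encoded_strings:
        try:
            out[enc] = decode_sunburst_string(enc)
        except (ValueError, zlib.error) as exc:
            out[enc] = f"<undecodable: {exc}>"
    return out


if __name__ == "__main__":
    for name, ok in check_pairs().items():
        print(f"{name}: {'match' if ok else 'MISMATCH'}")
    for enc, text in decode_many(DGA_RULE_STRINGS).items():
        print(f"{enc} -> {text!r}")
```

Pointing `decode_many()` at every `wide` string in FireEye_20_00025668_02 gives the plaintext the DGA branches work with; that is the quickest way to judge which of the rule's branches a new sample would still trip if the author re-used only part of the code.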