Another Malware Named Sunspot Discovered That Was Used To Insert Sunburst Malware (Backdoor) In SolarWinds Cyber Attack

CrowdStrike – a cybersecurity firm that found another malware utilized by the SolarWinds attackers to infuse the backdoor in Orion software during the supply chain assault that prompted the trade-off of a few organizations and government offices. As the research moves deeper concerning the SolarWinds supply chain attack, cybersecurity specialists have uncovered a third malware that was conveyed into the software working environment to infuse the hidden backdoor into the organization’s Orion network. This discovered malware called “Sunspot” is another add-on to previously detected malwares such as Teardrop and Sunburst. Sudhakar Ramakrishna (the new CEO of SolarWinds) in an article explained “This highly sophisticated and novel code was designed to inject the SUNBURST malicious code into the SolarWinds Orion Platform without arousing the suspicion of our software development and build teams”.

While primer proof found that attackers behind the reconnaissance crusade figured out how to exploit the product construct and code marking framework of SolarWinds Orion software as ahead of schedule as October 2019 to convey the Sunburst malicious code, the most recent discoveries uncover another course of events that builds up the primary penetrate of SolarWinds network on September 4, 2019 — all did with a goal to send Sunspot.

Crowdstrike analysts in a blog stated “SUNSPOT monitors running processes for those involved in the compilation of the Orion product and replaces one of the source files to include the SUNBURST backdoor code” and also mentioned that “CrowdStrike Intelligence is tracking this intrusion under the StellarParticle activity cluster”. Crowdstrike explains that they discovered the Sunspot malware with a file named taskhostsvc.exe which when installed is capable of self granting permissions of debugging and monitors the Orion workflow on the server to stay ready to take control over, it then removes the source code file and places a malicious version of source code to infuse Sunburst in Orion.

The proceeding takes place when Kaspersky scientists brought up an actual clue that displays a connection between the Sunburst and Kazuar malwares, Kazuar being a malware linked to Russian APT group Turla. The cybersecurity protection firm, notwithstanding, avoided drawing an excessive number of deductions from the similitudes, rather recommending that the covers may have been deliberately added to misdirect attribution. While the likenesses are a long way from conclusive evidence that binds the hack to Russia, U.S. government authorities a week ago officially nailed the SolarWinds supply chain attack to an enemy by stating “likely Russian in origin”.

If you like this article, follow us on Twitter, Facebook, Instagram, and Linkedin.