US-CERT and US Cyber Command Joint Malware Analysis Report (MAR) on SUNSHUTTLE/GoldMax and SOLARFLARE/GoldFinder Malware

Description

Today, on April 15th, US-CERT released a Malware Analysis Report (MAR) in conjunction with the Cybersecurity and Infrastructure Security Agency (CISA) and the Cyber National Mission Force (CNMF) of U.S. Cyber Command titled "MAR-10327841-1.v1 - SUNSHUTTLE".


The MAR provides in-depth analysis of artifacts related to the report dubbed SUNSHUTTLE that FireEye published earlier this month, which in turn is related to the SolarWinds supply chain attack of December 2020, specifically the attacks on the Orion network management software. SolarWinds is an IT infrastructure management company based in the United States. This attack has been linked to state-sponsored attackers who were able to upload malicious code to the update system of SolarWinds' Orion IT monitoring and management software, thereby infecting unsuspecting victims when they updated their SolarWinds Orion platform software. The SolarWinds Orion platform provides IT administrators with an all-in-one management solution for SolarWinds products.


According to their website, SolarWinds provides IT infrastructure management software solutions for 425 of the top Fortune 500 companies. SolarWinds also has many global customers in multiple verticals outside of the Fortune 500, including government, telecom, education and others.


For further details, including FortiGuard Labs coverage of all SolarWinds-related issues, please refer to the Threat Signals listed below:



What are the Technical Details of the Threat?

18 files were reported in this MAR:

7 files are PE files that contain instructions to connect to predetermined C2 servers via HTTPS.

3 files are written in Go (Golang), which makes analysis more difficult; these were identified in a previous report by FireEye in early March of this year, dubbed SUNSHUTTLE.

6 files are VBS files that contain various instructions, including adding Windows registry keys to store and execute an obfuscated VBScript. This VBScript ultimately contains an instruction to download and execute a payload from a predetermined C2 server.

1 file was a configuration file used by SUNSHUTTLE specifically.

1 file was the China Chopper webshell, used for redundancy: it allowed the attacker to maintain a connection to the victim even if the SUNSHUTTLE file was caught by an endpoint detection solution.


How Serious of an Issue is This?

HIGH.


Is the China Chopper webshell the same webshell used by the APT group HAFNIUM?

Yes. However, US-CERT makes an important distinction in this MAR:


Note: The name "China Chopper" does not positively indicate Chinese attribution to this sample, it's merely the name of a common webshell which was first used by Chinese APT groups but has since been used by many actors. Attribution of this sample is not discussed in this report.


How Widespread is this Attack?

Global. Attacks have been observed to target multiple verticals and targets worldwide.


What is the Status of Coverage?

FortiGuard Labs has the following antivirus (AV) signatures in place for publicly available samples:


Malicious_Behavior.SB

W32/Agent.AE!tr

W64/Sunshuttle.AE!tr

W64/Sunshuttle.IQJ!tr.bdr


For FortiEDR protections, all published IOCs were added to our Cloud intelligence and will be blocked if executed on customer systems.


All network IOCs are blocked by the Web Filtering client.


Any Other Suggested Mitigation?

Please refer to the SolarWinds FAQ: Security Advisory for suggested mitigation in the APPENDIX.