FireEye has found a new "sophisticated second-stage backdoor" on the servers of a company compromised by the threat actors behind the SolarWinds supply-chain attack.
The new malware is dubbed Sunshuttle, and it was "uploaded by a U.S.-based entity to a public malware repository in August 2020."
FireEye researchers Lindsay Smith, Jonathan Leathery, and Ben Read believe Sunshuttle is linked to the threat actor behind the SolarWinds supply-chain attack.
"Mandiant observed SUNSHUTTLE at a victim compromised by UNC2452, and have indications that it is linked to UNC2452, but we have not fully verified this connection," FireEye said.
Sunshuttle is Go-based malware with detection evasion capabilities. At the moment, the infection vector used to install the backdoor is not yet known, but it is "most likely" dropped as a second-stage backdoor after an initial compromise.
"The new SUNSHUTTLE backdoor is a sophisticated second-stage backdoor that demonstrates straightforward but elegant detection evasion techniques via its 'blend-in' traffic capabilities for C2 communications," FireEye added.
"SUNSHUTTLE would function as a second-stage backdoor in such a compromise for conducting network reconnaissance alongside other SUNBURST-related tools."
New blog from @jonleathery and @LindsaySmithDC on SUNSHUTTLE, a full featured backdoor written in Go, that we think is linked to UNC2452. Tracking this has been a team effort with our IR, FLARE and AP teams doing great work. https://t.co/dr7DwHRh71
— Ben Read (@bread08) March 4, 2021
Fourth malware linked to SolarWinds hackers
If the connection FireEye has drawn to the state-sponsored hackers behind the SolarWinds hack holds up, Sunshuttle would be the fourth piece of malware attributed to that actor and discovered while investigating the supply-chain attack.
CrowdStrike found the Sunspot malware, which was dropped in the development environment of SolarWinds' Orion IT management software and used to inject the Sunburst backdoor into Orion platform builds.
The Sunburst (Solorigate) backdoor was delivered to the systems of organizations running trojanized Orion builds through the platform's built-in automatic update mechanism, giving the attackers their initial foothold.
FireEye found a third malware named Teardrop, a previously unknown memory-only dropper and post-exploitation tool the attackers used to deploy customized Cobalt Strike beacons.
A separate malware, dubbed SuperNova, was discovered by Palo Alto Networks Unit 42 and Microsoft while investigating the supply-chain attack; it was also delivered using trojanized Orion builds, but it has not been linked to UNC2452.
Earlier this week, SolarWinds reported $3.5 million in expenses incurred as a result of the attack, including incident investigation and remediation costs.