Feds Find More Malware Tied to SolarWinds Supply Chain Compromise

April 20, 2021 - Russian-based nation-state threat actors were recently tied to two newer malware variants leveraging the widespread SolarWinds Orion supply chain compromise for a host of nefarious activities, according to a recent alert from the Cybersecurity and Infrastructure Security Agency and the Cyber National Mission Force of US. Cyber Command.

The malware variants are referred to as SUNSHUTTLE and SOLARFLARE, which have been attributed to the Russian Foreign Intelligence Service. The joint alert preceded another federal agency warning that Russian-backed attackers were targeting five known vulnerabilities.

The federal researchers identified 18 malicious samples and artifacts associated with the massive SolarWinds incident first disclosed in December. The analyzed samples include backdoor trojans, downloaders, and bots, among other threats.

Seven of the analyzed files are executables that attempt to connect to hard-coded command-and-control (C2) servers through the HTTPS on port 443, which then awaits a response after execution.

There are also three executables written in Golang and packed through the Ultimate Packer for Executables. FireEye researchers identified the variants as SOLARFLARE malware. Another four executables written in Golang were identified as SUNSHUTTLE, with one appearing as a configuration file for the variant.

Further, six of the malicious files were Visual Basic Script (VBScript), identified as MISPRINT/SIBOT. The files were designed to add Windows registry keys, then stored and executed within a hidden VBScript for downloading and executing the malicious payload from the C2 server.

One analyzed file was identified as a China Chopper webshell server-side component, observed on a network with an active SUNSHUTTLE infection. The exploit is able to hand an attacker an alternative method of accessing a vulnerable network, even if the victim remediated the SUNSHUTTLE infection.

The report provides network administrators with analysis into each discovered executable, including indicators of compromise.

For example, one 64-bit Windows executable file written in Golang is designed to scan for servers and network redirectors, including network security devices between compromised systems and the C2 server.

Once executed, the malicious file attempts to connect to its C2 server through the HTTPS port on 443. When connected, it logs all of the HTTP request and response information from and to the hard-coded C2 in plaintext. The malware uses hard-coded labels to store the request and response information to the log files.

Another Golang executable identified asF2.exe, an offshoot of a similarly named environmental analysis tool used in tandem with SOLARFLARE/GoldFinder malware. The variant checks the network capabilities of the victim’s device to identify as a host for a future platform, SUNSHUTTLE/GoldMax.

“Upon execution, it reaches out to the hard-coded domain nikeoutletinc.org over port 443 while also creating a file in its running directory called ‘loglog.txt,’ officials explained. “As it receives a 200 OK from the specified domain, the details of the response are appended to the ‘loglog.txt’ file and the executable exits.” 

“This connection is using HTTPS TLSv1.2 for encryption. After running, f2.exe closes and does not have persistence to run itself,” they added. “This tool is meant to generate innocent-looking traffic to prod the network defense posture and determine whether the infected host is able to reach out to the internet.”

Upon execution, the attackers use another “finder” to determine connectivity to the C2 domain. What’s worse, the file doesn’t need administrator privileges to launch.

To mitigate the threat, the federal researchers urged entities to review the report and assess their systems for indicators of compromise. NIST malware guidance can also shed light on basic best practice defense and response measures.

CISA previous shared remediation and risk guidance for the initial SolarWinds Compromise, as well as a post-threat activity tool.

CISA also provided recommendations for needed security measures, including up-to-date antivirus signatures and software updates, disabling file and printing share services or using Active Directory authentication, restricting permissions for installing or running applications, and enforcing strong password policies across the enterprise.

As always, employee education around security policies, potential threats, and email risk is a critical piece of any best practice security program.