The threat group behind the attack on SolarWinds used a piece of malware named Sunspot to inject the previously analyzed Sunburst backdoor into the Orion product without being detected.
SolarWinds said the attackers created trojanized Orion updates containing the Sunburst backdoor and delivered them to as many as 18,000 customers. However, it appears that only a few hundred of those customers were of interest to the attackers and received secondary payloads, such as the post-exploitation tool named Teardrop.
Sunspot is designed to check every second for the presence of processes associated with the compilation of the Orion product on the compromised system. If such a process is detected, Sunspot replaces a single source code file to include the Sunburst backdoor.
Sunspot looks for the MsBuild.exe process, which is associated with Microsoft Visual Studio development tools. If the process is detected, it attempts to determine if it’s being used to build Orion software.
“When SUNSPOT finds the Orion solution file path in a running MsBuild.exe process, it replaces a source code file in the solution directory, with a malicious variant to inject SUNBURST while Orion is being built,” CrowdStrike explained. “While SUNSPOT supports replacing multiple files, the identified copy only replaces InventoryManager.cs.”
The attackers sanitized the Sunburst source code and took other steps to increase their chances of avoiding detection by SolarWinds. The malicious source code for SUNBURST, along with the target file paths, is stored in AES128-CBC encrypted blobs that are protected using the same key and initialization vector.
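The technique described above swaps a source file on disk in the narrow window while the build is running, so a defender's counter-check is to pin digests of the checked-out sources and verify them in the same build step, immediately before MsBuild is invoked. The following is an added example, not CrowdStrike's or SolarWinds' code; the manifest format, file names and file contents are constructed for illustration.

```python
"""Build-time source-integrity check (added example, not from the original
report). Assumes a manifest of SHA-256 digests pinned at checkout time for
every source file in the solution; the files below are constructed."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large sources do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_sources(solution_dir: Path, manifest: dict) -> dict:
    """Compare every manifest entry against what is on disk right before the
    compiler runs. Returns {relative_path: status} with status 'ok',
    'modified' or 'missing'. A file replaced after the manifest was pinned
    (the Sunspot technique) is reported as 'modified'."""
    results = {}
    for rel, expected in manifest.items():
        p = solution_dir / rel
        if not p.is_file():
            results[rel] = "missing"
        elif sha256_file(p) != expected:
            results[rel] = "modified"
        else:
            results[rel] = "ok"
    return results


def demo() -> dict:
    """Constructed scenario: pin a manifest, then tamper with one file and
    reference one file that no longer exists."""
    with tempfile.TemporaryDirectory() as d:
        sol = Path(d)
        (sol / "InventoryManager.cs").write_text("class InventoryManager {}\n")
        (sol / "Program.cs").write_text("class Program {}\n")
        manifest = {name: sha256_file(sol / name)
                    for name in ("InventoryManager.cs", "Program.cs")}
        manifest["Removed.cs"] = "0" * 64  # constructed digest for a deleted file
        # Simulate a source swap between manifest pinning and the build.
        (sol / "InventoryManager.cs").write_text(
            "class InventoryManager { /* injected */ }\n")
        return verify_sources(sol, manifest)
```

The check only helps if any result other than 'ok' fails the build, and if the manifest and the verifier itself come from a host the build machine cannot write to.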
The U.S. government said it was likely Russia, and some reports claimed it may have been the Russia-linked threat group known as APT29 (Cozy Bear). However, CrowdStrike says it currently does not attribute any of the malware used in the SolarWinds attack to a known threat actor, and it has decided to track the campaign as an activity cluster named StellarParticle.