The latest information on the SolarWinds compromise comes from Microsoft, which has released details of its analysis of the tactics the threat actors used to activate a second-stage payload that downloads the Cobalt Strike attack kit onto infected systems.
The methodology of this part of the attack chain had been unclear until now, and it is significant because it reveals the lengths to which the attackers went to preserve operational security.
The missing link in the complex Solorigate attack chain was the handover from the Solorigate DLL backdoor to the Cobalt Strike loader, carried out in a way that evaded detection.
The threat actors were actually interested in only a small subset of the organizations that had unintentionally downloaded the Solorigate/SUNBURST backdoor.
The backdoor communicated with a remote command-and-control (C2) server and downloaded second-stage malware dubbed “Raindrop” by Symantec and “Teardrop” by FireEye. The attackers then used Raindrop/Teardrop to download the Cobalt Strike attack kit, which gave them full control of the compromised environment and enabled lateral movement and privilege escalation.
The attackers achieved this by using a known MITRE ATT&CK technique called Event Triggered Execution, in which malicious code is run on a host whenever a specific process is launched.
The threat actors used the SolarWinds process to create an Image File Execution Options (IFEO) registry value so that a malicious VBScript file would run whenever the dllhost.exe process was executed on the infected system. dllhost.exe is a legitimate Windows process used to launch other applications and system components.
When triggered, the VBScript runs another executable that activates the Cobalt Strike DLL in a process that is completely disconnected from the SolarWinds process. The VBScript then deletes the IFEO registry value and other traces of the sequence of events that took place.
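The create-then-delete pattern described above is what a defender can look for: an IFEO `Debugger` value appearing under a legitimate system binary, pointing at a script host, and then vanishing minutes later. The following detection logic is an added example, not code from Microsoft or from any published Solorigate analysis. It runs over a handful of constructed records shaped like Sysmon registry events (Event ID 13 for a value being set, Event ID 12 for a value being deleted); the file paths, timestamps and the `update.vbs` script name in the sample are placeholders, and the list of "suspicious debugger" binaries is an assumption a team would tune for its own environment.

```python
import re
from datetime import datetime, timedelta

# Registry prefix under which IFEO Debugger values live (HKLM hive, 64-bit view).
IFEO_PREFIX = (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\Image File Execution Options") + "\\"

# Script hosts and living-off-the-land binaries that should never act as the
# "debugger" for a system process. Assumption: tune this list per environment.
SUSPICIOUS_DEBUGGERS = ("wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe",
                        "mshta.exe", "rundll32.exe", "regsvr32.exe")
SCRIPT_EXT_RE = re.compile(r"\.(vbs|vbe|js|jse|ps1|bat|hta)(\"|\s|$)")

# Constructed sample telemetry (not real logs from any incident). Shaped like
# Sysmon RegistryEvent records: EventID 13 = SetValue, EventID 12 = DeleteValue.
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2021-01-20 10:00:00.000", "EventType": "SetValue",
     "Image": r"C:\Program Files\SolarWinds\Orion\SolarWinds.BusinessLayerHost.exe",
     "TargetObject": IFEO_PREFIX + r"dllhost.exe\Debugger",
     "Details": r"wscript.exe C:\ProgramData\example\update.vbs"},  # placeholder path
    {"EventID": 13, "UtcTime": "2021-01-20 10:00:05.000", "EventType": "SetValue",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": "explorer.exe"},  # unrelated registry write, must not be flagged
    {"EventID": 12, "UtcTime": "2021-01-20 10:03:30.000", "EventType": "DeleteValue",
     "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": IFEO_PREFIX + r"dllhost.exe\Debugger",
     "Details": ""},  # the script cleaning up after itself
    {"EventID": 13, "UtcTime": "2021-01-20 11:00:00.000", "EventType": "SetValue",
     "Image": r"C:\Program Files\Windows Kits\10\Debuggers\x64\windbg.exe",
     "TargetObject": IFEO_PREFIX + r"notepad.exe\Debugger",
     "Details": r"C:\Program Files\Windows Kits\10\Debuggers\x64\windbg.exe"},  # benign developer use
]


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def ifeo_target(target_object):
    """Return the hijacked executable name (lower-cased) if the registry path is an
    IFEO Debugger value, otherwise None."""
    if not target_object.lower().startswith(IFEO_PREFIX.lower()):
        return None
    parts = target_object[len(IFEO_PREFIX):].split("\\")
    if len(parts) == 2 and parts[1].lower() == "debugger":
        return parts[0].lower()
    return None


def debugger_is_suspicious(details):
    """True when the Debugger value invokes a script host or points at a script file."""
    lowered = details.lower()
    if any(host in lowered for host in SUSPICIOUS_DEBUGGERS):
        return True
    return SCRIPT_EXT_RE.search(lowered) is not None


def find_ifeo_anomalies(events, short_lived=timedelta(minutes=10)):
    """Flag every IFEO Debugger value that is set, and additionally flag any such value
    that is deleted again within `short_lived` (anti-forensic cleanup)."""
    findings = []
    set_times = {}  # hijacked exe -> time its Debugger value was last set
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        exe = ifeo_target(ev["TargetObject"])
        if exe is None:
            continue
        when = _parse_time(ev["UtcTime"])
        if ev["EventType"] == "SetValue":
            set_times[exe] = when
            findings.append({
                "rule": "ifeo_debugger_set", "exe": exe,
                "severity": "high" if debugger_is_suspicious(ev["Details"]) else "medium",
                "writer": ev["Image"], "debugger": ev["Details"]})
        elif ev["EventType"] == "DeleteValue" and exe in set_times:
            lifetime = when - set_times.pop(exe)
            if lifetime <= short_lived:
                findings.append({
                    "rule": "ifeo_debugger_short_lived", "exe": exe, "severity": "high",
                    "writer": ev["Image"], "lifetime_seconds": lifetime.total_seconds()})
    return findings


if __name__ == "__main__":
    for finding in find_ifeo_anomalies(SAMPLE_EVENTS):
        print(finding)
```

The second rule is the one that matters for this campaign: a persistence value that is created by a vendor process and removed by a script host a few minutes later is far more telling than either event alone, and it still fires after the attacker has erased the registry evidence, because the detection keys off the telemetry rather than the live registry state.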