Hacking

Sunshuttle, the fourth malware allegedly linked to SolarWinds hack

FireEye researchers spotted a new sophisticated second-stage backdoor that was likely linked to threat actors behind the SolarWinds hack.

Malware researchers at FireEye discovered a new sophisticated second-stage backdoor, dubbed Sunshuttle, while analyzing the servers of an organization that was compromised as a result of the SolarWinds supply-chain attack.

The new malware is dubbed Sunshuttle, and it was “uploaded by a U.S.-based entity to a public malware repository in August 2020.”

“Mandiant Threat Intelligence discovered a sample of the SUNSHUTTLE backdoor uploaded to an online multi-Antivirus scan service.” reads the analysis published by Fireeye. “SUNSHUTTLE is a backdoor, written in GO, that reads an embedded or local configuration file, communicates with its C2 server over HTTPS and supports commands including remotely updating its configuration, file upload and download, and arbitrary command execution.”

The SUNSHUTTLE backdoor was likely developed to conduct network reconnaissance alongside other SUNBURST-related tools.

Mandiant researchers discovered the SUNSHUTTLE backdoor on a system of a victim compromised by UNC2452, and believe that it is linked to this threat actor.

Experts pointed out that the SUNSHUTTLE malware was not observed using any trick to gain persistence, this means that the persistence is likely set outside of the execution of this backdoor.

The SUNSHUTTLE backdoor communicates with C2 servers passing it the values in the cookie header.

“SUNSHUTTLE uses the cookie header to pass values to the C2.” continues FireEye. “Additionally, a referrer is selected from the following list, presumably to make the traffic blend in if traffic is being decrypted for inspection:

  • www.bing.com
  • www.yahoo.com
  • www.google.com
  • www.facebook.com

The cookie headers vary slightly depending on the operation being performed.”

Technical details and Indicators of compromise(IoCs) for this backdoor are included in the report published by FireEye.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, SolarWinds)

The post Sunshuttle, the fourth malware allegedly linked to SolarWinds hack appeared first on Security Affairs.

Security Affairs

Are you looking for products for hacking, cybersecurity, and penetration testing? Do you need to cleanse your smartphone, PC, or website from viruses and malware? Do you need to track down a person or recover urgent information? Do you need to regain control of an account, email, or password that has been stolen from you? Interested in purchasing pre-configured devices to easily and quickly experiment with hacking techniques? Do you have specific requirements in software or hardware? We can assist you!

Contact us immediately for immediate assistance: provide us with details via email or WhatsApp about the type of support you need, and we will respond you promptly!

Fill out and submit the form below to send us an immediate support request

Write your email address here

Write here how we can help you - we provide immediate support for all your needs!

chevron_left
chevron_right
Send us a WhatsApp!