SunBurst : APT against Solarwinds , mapped to Kill Chain


Following the attack on FireEye, the details were revealed and the US Department of Homeland Security (DHS) issued an Emergency Directive (ED) regarding a backdoor being exploited in SolarWinds Orion products. Several victims infected through the same attack have been identified. FireEye initiated the first analysis upon the findings on its own network and published evidence suggesting that this campaign started around March 2020 and that up to 18,000 organizations might be affected worldwide.

The campaign is now known as SUNBURST/Solorigate, a sophisticated and targeted APT. The attack can be categorized as a supply-chain attack: most probably the attackers compromised the SolarWinds development and build system to inject malicious code into its legitimate product, Orion. The injected code is responsible for delivery and installation of the attack vector. Microsoft published a visualization of the infection chain:

I would like to map the attack stages to the kill chain, describing each stage in detail and how Comodo’s patented Kernel API Virtualization technique protects organizations from an active breach.


It is still unclear what kind of information was gathered on SolarWinds before the actual attack. There are a couple of posts about leaked FTP credentials belonging to SolarWinds; however, it is clear that planting such an attack into SolarWinds would require a significant number of attack vectors. Considering that this APT is best described as a supply-chain attack distributed via patch packages, there is a strong possibility that the attackers intruded into the development process to introduce the backdoor.

Some sources, like Group-IB, claim that fxmsp was the initial intruder into the SolarWinds network because of their posts on the Exploit forum in 2017, where they tried to sell access to machines controlled by SolarWinds.


To our knowledge, this attack was performed without weaponizing a zero-day vulnerability. The delivery method was the compromised SolarWinds Orion product, an infrastructure monitoring and management platform for IT administrators. The attackers infiltrated the Orion business software update process and distributed a properly digitally signed backdoor inside one of its legitimate core DLLs, SolarWinds.Orion.Core.BusinessLayer.dll. What we know about the weaponization steps is limited at this stage; I have attempted to list what we know and some possible scenarios.

  • The attackers signed their malicious version of the DLL with the SolarWinds private key, whose code-signing certificate was issued by Symantec.
  • The update servers might have been compromised, but this would also require the SolarWinds private key for its code-signing certificate to be stolen.
  • The attackers might have compromised the code-build environment, merged the malicious code into the legitimate code branch and let the build process sign the code, so that the update servers delivered it to victims.


The delivery in this attack used the supply-chain method: the malicious code was distributed via the SolarWinds Orion core DLL to various victims. Multiple malicious updates were digitally signed from March to May 2020 and posted to the SolarWinds updates website, such as: hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574/SolarWinds-Core-v2019.4.5220-Hotfix5.msp.

Once victims’ systems applied the patch, the following files were extracted into the appropriate SolarWinds folder.

  • CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp
  • SolarWinds.Orion.Core.BusinessLayer.dll
  • OrionImprovementBusinessLayer.2.cs
  • app_web_logoimagehandler.ashx.b6031896.dll

SolarWinds.Orion.Core.BusinessLayer.dll carries the main actor of the delivery, a backdoor that communicates back to the C2 servers and reports the targeted domain, running processes, endpoint protection systems, etc. The attacker then chose whether the target was a good candidate for exploitation or not. Prevasio prepared a list of victims based on the C2 DGA, where the victim domain is embedded into the subdomain of the main C2 domain [.]avsvmcloud[.]com.

As can be seen from that list, the targets come from very different verticals, from government to hospitals and banks.


I have analyzed the sample source code, reversed it and published it under this repository:. The exploitation code is injected into a dynamic link library named SolarWinds.Orion.Core.BusinessLayer.dll. This DLL was created by modifying the code of a legitimate component of SolarWinds Orion, and is activated as a plugin by another Orion component, InventoryManager. The code piece below starts a thread to execute the malicious injection.

This code creates a new thread which runs the Sunburst backdoor code, the entry point being the Initialize() function.

The attackers also added techniques to evade detection. In order to evade the targets’ defenses, the Sunburst DLL checks for a hard-coded list of processes, services and drivers. They embedded pre-calculated hashes of the names to evade; the assemblyTimeStamps array holds all those hashes.

SearchServices() compares running services against a short list of hard-coded services, again using pre-calculated hashes of the corresponding process filenames and registry service subkeys.

The UpdateNotification() function also resolves the hostname; if an internal IP address is returned, execution is terminated, because the attackers want to avoid running inside the SolarWinds network. In either case, if a listed process is detected by the malware, Sunburst execution stops until the next time the malicious DLL is loaded, which will be the next update cycle of the Orion software.


When all the process, service and driver checks pass without terminating execution, Sunburst proceeds to the main execution loop, where the backdoor waits 12-14 days before sending its first request to the C2 server; the exact threshold is selected randomly from that interval, and the time is checked continuously as a background task. It then checks whether the endpoint is joined to a domain and waits until it detects that it is. A userID is generated by computing the MD5 of a network interface MAC address, the domain name and the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid.

The backdoor uses a custom domain generation algorithm (DGA) to determine its Command and Control (C2) IP address. When communicating with the C2 server, the backdoor mimics legitimate SolarWinds OIP (Orion Improvement Program) communication.

The Sunburst update() method constructs and resolves a subdomain of avsvmcloud[.]com, then generates random subdomains. Subdomains are generated from the userId and a reversible encoding of the local domain name; as given above, most of the victim domains have been identified this way. The patterns below are used and concatenated with the subdomains:

  • subdomain[.][.]avsvmcloud[.]com
  • subdomain[.][.]avsvmcloud[.]com
  • subdomain[.][.]avsvmcloud[.]com
  • subdomain[.][.]avsvmcloud[.]com


Once a domain has been resolved via a generated CNAME, the DLL starts a new thread calling HttpHelper.Initialize to manage the C2 communication. HttpHelper uses HTTP GET or POST requests to communicate with the C2 and fetch commands. The Content-Type header is set either to "application/octet-stream" or otherwise to "application/json", so that a JSON payload is exchanged with the command server.

The ExecuteEngine() function performs the main execution of the commands sent by the server. The available commands are:

  • Exit: Terminate.
  • SetTime: Sets the delay time between main event loop iterations.
  • CollectSystemDescription: Get local system information such as hostname, username, OS version, MAC addresses, IP address, etc.
  • UploadSystemDescription: Send the system description via HTTP request.
  • RunTask: Execute a new process with the given parameters.
  • GetProcessByDescription: Get all running process descriptions, or filter them.
  • KillTask: Terminate the process given by PID.
  • GetFileSystemEntries: Get a list of files and directories.
  • WriteFile: Open or append a file to write the given Base64-encoded content.
  • FileExists: Check if a file exists.
  • DeleteFile: Delete the file given as parameter.
  • GetFileHash: Compute the MD5 of a given file path.
  • ReadRegistryValue: Read a registry value.
  • SetRegistryValue: Write a registry value.
  • DeleteRegistryValue: Delete a registry value.
  • GetRegistrySubKeyAndValueNames: Get the names of registry subkeys and values.
  • Reboot: Reboot the endpoint.

Action on Objectives

The final step of the APT consists of post-intrusion activities such as dropping payloads for privilege escalation, stealing data, lateral movement and persistence. Up to now we have identified a set of payload samples (IoC: SHA1 hashes).

All of them are either TEARDROP, a dropper used to decode a Cobalt Strike Beacon in memory, or the Cobalt Strike Beacon payload itself. TEARDROP samples first read a fake image file named “gracious_truth.jpg” and decode an embedded Cobalt Strike Beacon payload.

From here, any post-intrusion activity can begin, including lateral movement, privilege escalation, accessing and stealing data, and establishing further persistence. Some of the lateral movement activities collected from the victims and reported by Microsoft and Volexity are given below.

The attacker used PowerShell to create new tasks on remote machines:

$scheduler = New-Object -ComObject ("Schedule.Service")
$scheduler.Connect($env:COMPUTERNAME)
$folder = $scheduler.GetFolder("\Microsoft\Windows\SoftwareProtectionPlatform")
$task = $folder.GetTask("EventCacheManager")
$definition = $task.Definition
$definition.Settings.ExecutionTimeLimit = "PT0S"
$folder.RegisterTaskDefinition($task.Name,$definition,6,"System",$null,5)
echo "Done"

They also attempted this on a number of machines using schtasks.exe directly. For example:

C:\Windows\system32\cmd.exe /C schtasks /create /F /tn "\Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager" /tr "C:\Windows\SoftwareDistribution\EventCacheManager.exe" /sc ONSTART /ru system /S [machine_name]
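As an added, defender-side example (not code from the original post or from Comodo), the following Python flags the two task-scheduler patterns quoted above in constructed process-creation events: a task created under the \Microsoft\Windows\ folder whose action binary sits outside System32, and a Schedule.Service COM rewrite that clears ExecutionTimeLimit. The host name WS-0042, the remote target SRV-FILE01 and the benign defrag line are invented for the sample.

```python
import re
from typing import Dict, List, Optional, Tuple
# Folder Windows reserves for its own tasks; the quoted task names hide here.
MICROSOFT_TASK_ROOT = "\\microsoft\\windows\\"
# Where legitimate tasks under that folder normally run their binaries from.
TRUSTED_BIN_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed process-creation events (Sysmon Event ID 1 style); host WS-0042
# and remote target SRV-FILE01 are invented, the command lines mirror the post.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "WS-0042", "command_line": 'C:\\Windows\\system32\\cmd.exe /C schtasks /create /F /tn "\\Microsoft\\Windows\\SoftwareProtectionPlatform\\EventCacheManager" /tr "C:\\Windows\\SoftwareDistribution\\EventCacheManager.exe" /sc ONSTART /ru system /S SRV-FILE01'},
    {"host": "WS-0042", "command_line": 'powershell.exe -c $scheduler = New-Object -ComObject ("Schedule.Service");$scheduler.Connect($env:COMPUTERNAME);$folder = $scheduler.GetFolder("\\Microsoft\\Windows\\SoftwareProtectionPlatform");$task = $folder.GetTask("EventCacheManager");$definition = $task.Definition;$definition.Settings.ExecutionTimeLimit = "PT0S";$folder.RegisterTaskDefinition($task.Name,$definition,6,"System",$null,5)'},
    # Benign: a built-in task in the same folder, but its binary is in System32.
    {"host": "WS-0042", "command_line": 'schtasks /create /tn "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag" /tr "C:\\Windows\\System32\\defrag.exe -c" /sc WEEKLY'},
    {"host": "WS-0042", "command_line": "schtasks /query /fo LIST"},
]

def _switch_value(cmd: str, switch: str) -> Optional[str]:
    """Return the argument after a schtasks switch such as /tn or /tr."""
    pattern = r'(?<!\S)' + re.escape(switch) + r'\s+(?:"([^"]*)"|(\S+))'
    m = re.search(pattern, cmd, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)

def check_schtasks(host: str, cmd: str) -> Optional[Tuple[str, str, str]]:
    """schtasks /create under \\Microsoft\\Windows\\ whose action lives outside System32."""
    if not re.search(r"(?i)\bschtasks(?:\.exe)?\b.*\s/create\b", cmd):
        return None
    name = (_switch_value(cmd, "/tn") or "").lower()
    action = (_switch_value(cmd, "/tr") or "").lower()
    if not name.startswith(MICROSOFT_TASK_ROOT) or action.startswith(TRUSTED_BIN_PREFIXES):
        return None
    detail = f"task {name!r} runs {action!r}"
    if (_switch_value(cmd, "/ru") or "").lower() == "system":
        detail += ", as SYSTEM"
    target = _switch_value(cmd, "/s")
    if target:
        detail += f", created remotely on {target}"
    return (host, "schtasks_masquerade", detail)

def check_com_task_rewrite(host: str, cmd: str) -> Optional[Tuple[str, str, str]]:
    """Existing task re-registered via Schedule.Service COM with its time limit cleared."""
    low = cmd.lower()
    if "schedule.service" not in low or "registertaskdefinition" not in low:
        return None
    detail = "task definition re-registered through Schedule.Service COM"
    if re.search(r"executiontimelimit\s*=\s*.pt0s", low):
        detail += ", ExecutionTimeLimit set to PT0S (no limit)"
    return (host, "com_task_rewrite", detail)

def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Run both checks over every event; each hit is (host, rule, detail)."""
    return [f for ev in events for check in (check_schtasks, check_com_task_rewrite)
            if (f := check(ev["host"], ev["command_line"])) is not None]
```

Running scan(SAMPLE_EVENTS) yields two hits, one per quoted command, while the built-in defrag task and the plain query are ignored.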

How Kernel-API Virtualization can eliminate Active Breach for SunBurst

Comodo’s Kernel API Virtualization technique is a unique protection technique against any type of active breach, even a supply-chain attack like the one we saw in the SolarWinds case. As stated above, because the exploit was distributed by the vendor itself, there is not much to be done up until the installation stage. The malicious code inside the legitimate Orion application will be executed anyway; it will create the backdoor and start C2 communication to the backend systems. As listed above, the communication also mimics the legitimate Orion communication pattern, so it is almost impossible to detect the communication at that stage.

However, when we come to the active breach stage, where the attacker needs to persist and move laterally, he needs to employ other kinds of malware such as droppers, beacons and sniffers. In the SolarWinds case, they used TEARDROP and Cobalt Strike Beacon for such purposes. There, Comodo’s Default Deny and Zero Trust methodology prevents such malicious code from being executed. Kernel API Virtualization is key to preventing and blocking an active breach at the Action on Objectives stage. We have introduced five main virtualization components that filter any relevant kernel calls or callbacks: file system, registry, kernel object, service and DCOM/RPC. They run in both user and kernel mode, handle the necessary interrupts and implement all the filter drivers needed to fulfill the requests. So malicious code will not have unfettered access to the real operating system, and privilege escalation or persistence won’t be possible.

Through our containment policies we also do not allow any unknown file to create a socket for any type of network communication. Any file that triggers Kernel API Virtualization will not be able to create a socket or network communication, based on the policies chosen. We don’t have to worry about decoding protocols, identifying non-standard port usage or protocol tunneling; we simply deny all communication while the file is contained in our virtualization, and it stays contained until a final verdict is given by our Valkyrie File Verdict System. If the file is safe, then we allow it to create sockets for network communication. This makes us unique in that creating a C&C channel is not possible with any of the attack and evasion techniques stated above, and we also eliminate lateral movement techniques such as using SMB or WMI to communicate with other endpoints or domain servers.

In this video, I have used all the files dropped in the Sunburst campaign, most of them related to TEARDROP and Cobalt Strike Beacon; you can see that only 2 of them are put into virtualization, whereas the rest are blocked immediately. The IoC SHA1:395da6d4f3c890295f7584132ea73d759bd9d094 was blocked after initial analysis in containment and by our Valkyrie File Verdict System, while the others run in containment, where Kernel API Virtualization eliminates any threat coming from those files.
