The dangerous Sunburst Trojan, believed to be linked to a Russian hacking group, has been stopped by a joint kill switch devised by a team of specialists from Microsoft, GoDaddy, and FireEye. This was reported in the security community after last week’s intrusion into SolarWinds, a business software company.
Why The Sunburst Trojan Needed To Be Stopped
A lot of information became available about the Sunburst Trojan after it was used in an intrusion attack last week against SolarWinds. The security incident against the company was reported to be done through their own application called Orion. What we know is that it is possible that the well-known Russian hacking group called APT29 (alternatively known as “Cozy Bear”) is behind it. While this is not confirmed, it is one of the likely possibilities.
This news story “broke” out of an article at The Washington Post stating that the Russian group is behind an espionage campaign targeting agencies belonging to the USA Government. While the newspaper does not explicitly name their sources, this has provoked quite a bit of research into the matter.
According to the posted information, the criminals from this hacker collective were able to infiltrate the email systems of the agencies using a malicious package that is a modified version of the SolarWinds Orion program. Apparently the criminals were using malware-infected updates to the target networks. The attack vector is possible to be the email systems, it is suspected that the agencies are using a cloud-based service network. This provides the possibility of infecting a lot of devices at once.
Orion by SolarWinds is actually a complex platform that provides network administrators with the ability to track and measure their infrastructure and supported software installations. This suite of programs and solutions is probably used by a lot of enterprise users and big corporations as well, this shows the severity of the situation. According to the information SolarWinds themselves alerted their customers, but only about half of them have obtained the Trojan-infected packages.
The main method of infiltration is the distribution of these malicious Orion updates — this is possible by hijacking a server owned by the company or using a vulnerability in the application to trigger the delivery of thee virus-infected packages. The Sunburst Trojan is a sophisticated backdoor that is designed to hijack user’s data and install itself deep into the compromised computers.
Capabilities of The Sunburst Trojan
Thanks to the captured sample of the Trojan we can give out a detailed description of its capabilities. They were analyzed in a special environment and allow the security researchers to check on what exactly it does on the compromised machines. From the results of the analysis, it is apparent that the Trojan may have been used since March 2020.
The Sunburst Trojan as a typical representative of this malware category type will hide deep in the systems. Partly due to its distribution it can be programmed to execute a wide range of dangerous actions, including system reconfiguration. It includes a mechanism designed to bypass security detection by starting itself with a big delay. This overcomes the typical filters used by anti-virus programs that presume that virus infections happen immediately after the relevant threat has been deployed on a given system. Some of the noted capabilities of the Trojan files are the following:
- Data Harvesting — Various types of information can be collected by the malware automatically, depending on how they are programmed. This can include personal user information that can be used for different types of criminal purposes: blackmail, extortion, and identity theft. This can be extended to system information, a wide array of data can be extracted: from individual operating system environment values to the used hardware devices. A special algorithm may be utilized to create a unique identifier based on the collected information.
- Windows Registry Changes — If any Registry values are modified then the users can experience performance issues, the inability to run certain services, and even data loss.
- Files Removal — Through the execution of the Trojan it can delete important files such as backups and shadow volume copies. If it tampers with the operating system files this can lead to further issues when attempting recovery.
- Additional Malware Delivery — As this virus installs itself using a sophisticated method the hackers can bundle in it other threats, including ransomware.
The Sunburst Trojan has noted many advanced mechanisms that are all part of the typical advanced behavior pattern — it can track and disable the engines of the installed security software, manipulate network traffic, and etc. Given the circumstances of its deployment, the compromised targets, and the high-level of sophistication, we can deduce that the hacking group is probably using it for detailed surveillance.
Sunburst Trojan Stopped By Kill Switch Devised By Joint Team of GoDaddy, Microsoft and FireEye
Following the discovery of the malware and given the severity of the situation a joint team of experts has devised a kill switch to stop the malware from propagating further. Experts from Microsoft, GoDaddy, and FireEye detected that a single hacker-controlled domain is operating the main command and control service. The Trojan works by masquerading network traffic and by analyzing network streams active connections can be made. The malicious commands are sent in a special format, they are referred to as “jobs”. All kinds of options are supported, including file transfer, disable system services, gather information, and so on.
This Trojan also propagates some of its traffic through virtual private networks in an attempt to hide its presence on the compromised networks. The kill switch created by three companies has allowed detecting and shut down the criminal activity of the current attack.
The kill switch will disable new infections and also block the running of previous ones by stopping the activity to the domain. However, this will not remove active agent installations or other malware that have been deployed through it. For this reason, an active deep virus scan is recommended for all computers and company networks.
Martin Beltov
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Follow Me: