Sunshuttle

Malware updated 4 days ago (2024-11-29T14:13:13.335Z)
Download STIX
Preview STIX
Sunshuttle is a malicious software (malware) that has been linked to various cyber threats. Initial reports identified connections between Sunshuttle, a Tomiris Golang implant, NOBELIUM (also known as APT29 or TheDukes), and Kazuar, which is associated with Turla. However, interpreting these connections was challenging. During the analysis of Tomiris, several similarities with Sunshuttle were noted, such as both reseeding the RNG with the output of Now() before each call. On April 15, 2021, new indicators of compromise were updated, including files, domains, and C2 decoy traffic released by the Cybersecurity & Infrastructure Security Agency (CISA). The configuration data of Sunshuttle is Base64 encoded and AES-256 encrypted. When decoded and decrypted, it holds several values delimited by a "|" character, including an MD5 hash of the current timestamp calculated during execution, lower/upper limits used to generate sleep times, and values for "blend-in" traffic requests. In order to further understand this malware, Kaspersky announced a free update to their Targeted Malware Reverse Engineering class, featuring a track dedicated to reverse engineering Go malware, using Sunshuttle as an example. The hypothesis that Tomiris and Sunshuttle are connected could provide new insights into how threat actors rebuild capacities after being exposed. It's believed that the authors of Sunshuttle started developing Tomiris around December 2020, following the discovery of the SolarWinds operation, as a replacement for their compromised toolset. The earliest known sample of Tomiris appeared in February 2021, a month before Sunshuttle was revealed. While individual elements do not conclusively link Tomiris and Sunshuttle, the threat intelligence community is encouraged to reproduce this research and provide second opinions on the discovered similarities.
Description last updated: 2024-05-04T16:46:33.007Z
What's your take? (Question 1 of 2)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Tomiris is a possible alias for Sunshuttle. Tomiris is a malware group that has been active since at least 2019, known for using the backdoor QUIETCANARY. The group has also used Turla malware, indicating a possible cooperation or shared expertise between Tomiris and Turla. A significant development was observed in September 2022 when a Tunnu
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Kaspersky
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Source Document References
Information about the Sunshuttle Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more