Sunshuttle

Malware Profile Updated 2 months ago
Sunshuttle is malware that has been linked to several threat actors. Initial reporting identified connections between Sunshuttle, the Tomiris Golang implant, NOBELIUM (also known as APT29 or TheDukes) and Kazuar, which is associated with Turla, although those connections were difficult to interpret. During the analysis of Tomiris, several similarities with Sunshuttle were noted; for example, both implants reseed the random number generator with the output of Now() before each call. On April 15, 2021, the Cybersecurity & Infrastructure Security Agency (CISA) released updated indicators of compromise, including files, domains and C2 decoy traffic. Sunshuttle's configuration data is Base64 encoded and AES-256 encrypted; once decoded and decrypted, it holds several values delimited by a "|" character, including an MD5 hash of the current timestamp computed at execution time, lower and upper limits used to generate sleep intervals, and values for "blend-in" traffic requests. To help analysts understand this malware, Kaspersky announced a free update to its Targeted Malware Reverse Engineering class with a track dedicated to reverse engineering Go malware, using Sunshuttle as the example. The hypothesis that Tomiris and Sunshuttle are connected could offer new insight into how threat actors rebuild capabilities after being exposed: the authors of Sunshuttle are believed to have started developing Tomiris around December 2020, after the SolarWinds operation was discovered, as a replacement for their compromised toolset. The earliest known Tomiris sample appeared in February 2021, a month before Sunshuttle was publicly disclosed. While no individual element conclusively links Tomiris and Sunshuttle, the threat intelligence community is encouraged to reproduce this research and provide second opinions on the observed similarities.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so the following overlapping names / profiles may also be worth looking at.
ID | Votes | Profile Description
Tomiris | 2 | Tomiris is a malicious software (malware) group that has been active since before 2019. Known for its use of the QUIETCANARY backdoor, Tomiris has expanded its capabilities and influence within the region, targeting government entities and other high-value targets. The group has shown a particular i
UNC2452 | 1 | UNC2452, also known as APT29, Cozy Bear, Nobelium, and Midnight Blizzard, is a highly skilled and disciplined threat actor group linked to Russia's SVR intelligence agency. The group gained notoriety for its role in the SolarWinds compromise in December 2020, an extensive cyberattack that involved a
Miscellaneous Associations
Other contextual elements that could help in assessing relevance
Malware
Kaspersky
State Sponso...
Outlook
Windows
T1027.002
T1059.003
T1140
T1573.001
Bitcoin
Reconnaissance
Beacon
Encrypt
Decoy
T1071.001
T1027
T1105
Backdoor
Implant
Associated Malware
ID | Type | Votes | Profile Description
SUNBURST | Unspecified | 1 | Sunburst is a highly sophisticated malware that infiltrated the SolarWinds Orion platform, an event that came to light in late 2020. The malware was embedded into the system as early as January 2019, evading detection for almost two years. The campaign was attributed to Russia's Foreign Intelligence
Kazuar | is related to | 1 | Kazuar is a sophisticated multiplatform trojan horse malware, linked to the Russian-based threat group Turla (also known as Pensive Ursa, Uroburos, Snake), which has been operating since at least 2004. This group, believed to be connected to the Russian Federal Security Service (FSB), utilizes an ar
Tomiris Golang | Unspecified | 1 | Tomiris Golang is a malicious software (malware) identified by its unique SHA-256 hash, fd7fe71185a70f281545a815fce9837453450bb29031954dd2301fe4da99250d. It was first introduced as a threat actor that infiltrates systems by taking over legitimate government hostnames to deploy the Tomiris Golang imp
GoldMax | Unspecified | 1 | GoldMax is a sophisticated malware, initially discovered to target Windows platforms with the earliest identified timestamp indicating a compilation in May 2020. The malicious software was designed by threat actors to exploit and damage computer systems, often infiltrating without the user's knowled
Associated Threat Actors
ID | Type | Votes | Profile Description
NOBELIUM | Unspecified | 1 | Nobelium, a threat actor linked to Russia's SVR, has been noted for its persistent and malicious activities against diplomatic entities. The group has particularly targeted French interests, as reported by ANSSI (France's National Agency for the Security of Information Systems). Their methods includ
Turla | Unspecified | 1 | Turla, also known as Pensive Ursa, is a notable threat actor group linked to Russia. This sophisticated hacking team has been active for several years and is known for its advanced persistent threat (APT) activities. Turla's operations are characterized by the use of complex malware and backdoor exp
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Sunshuttle malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | a year ago | GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM's layered persistence - Microsoft Security Blog
CERT-EU | a year ago | Tomiris called, they want their Turla malware back
CERT-EU | a year ago | Tomiris called, they want their Turla malware back - GIXtools
MITRE | a year ago | Tomiris backdoor and its connection to Sunshuttle and Kazuar
CERT-EU | 10 months ago | IT threat evolution in Q2 2023 - GIXtools
CERT-EU | 10 months ago | IT threat evolution Q2 2023
CERT-EU | a year ago | Tomoris links to APT behind SolarWinds attack put to rest
MITRE | a year ago | New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452 | Mandiant