Sunshuttle is a malware family written in Go that has been linked to several threat actors. Initial reports drew connections between Sunshuttle, the Tomiris Golang implant, NOBELIUM (also tracked as APT29 or The Dukes), and Kazuar, a backdoor associated with Turla; interpreting those connections, however, proved difficult. Analysis of Tomiris turned up several similarities with Sunshuttle, such as both implants reseeding the random number generator with the output of Now() before each call, a habit that makes the generated values depend only on the wall clock and that serves as a fingerprintable coding trait. On April 15, 2021, the Cybersecurity & Infrastructure Security Agency (CISA) released updated indicators of compromise, including files, domains, and C2 decoy traffic.
The configuration data of Sunshuttle is AES-256 encrypted and then Base64 encoded. Once decoded and decrypted, it contains several values delimited by a "|" character: an MD5 hash of the timestamp computed at execution time, lower and upper limits used to generate sleep times, and values used for "blend-in" traffic requests. To help analysts study this malware, Kaspersky announced a free update to its Targeted Malware Reverse Engineering class, adding a track dedicated to reverse engineering Go malware that uses Sunshuttle as a worked example.
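The following Go program is an added example, not code from the original page, from Kaspersky, or from any Sunshuttle sample. It builds and parses a configuration blob with the structure described above (AES-256 encrypt, Base64 encode, "|"-delimited fields: MD5 of the execution timestamp, sleep limits, blend-in values) and draws a sleep time the way the page says both Sunshuttle and Tomiris do, reseeding the RNG from Now() before each call. Everything the page does not state is an assumption made here: the key, the cipher mode (CTR with a random 16-byte IV prepended to the ciphertext), the field order, the timestamp layout fed to MD5, and the field names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	mrand "math/rand"
	"strconv"
	"strings"
	"time"
)

// Config is the decrypted, "|"-delimited payload described above. Field
// names, their order and the unit of the sleep limits are assumptions.
type Config struct {
	SessionID  string   // MD5 hex digest of the execution timestamp
	SleepLower int      // lower limit for generated sleep times, seconds
	SleepUpper int      // upper limit for generated sleep times, seconds
	BlendIn    []string // values used to build "blend-in" decoy requests
}

// exampleKey is a constructed 32-byte key (AES-256 needs exactly 32 bytes), not one from any sample.
var exampleKey = []byte("0123456789abcdef0123456789abcdef")

// NewSessionID builds the "MD5 of the current timestamp" field; the timestamp layout is an assumption.
func NewSessionID(now time.Time) string {
	sum := md5.Sum([]byte(now.UTC().Format("2006-01-02 15:04:05")))
	return hex.EncodeToString(sum[:])
}

// EncodeConfig follows the page's order of operations: join with "|", AES-256
// encrypt, then Base64 encode. The page does not name the cipher mode; CTR with
// a random 16-byte IV prepended to the ciphertext is assumed to keep this self-contained.
func EncodeConfig(key []byte, cfg Config) (string, error) {
	block, err := aes.NewCipher(key) // fails unless key is 16, 24 or 32 bytes
	if err != nil {
		return "", err
	}
	fields := append([]string{cfg.SessionID, strconv.Itoa(cfg.SleepLower), strconv.Itoa(cfg.SleepUpper)}, cfg.BlendIn...)
	plain := []byte(strings.Join(fields, "|"))
	buf := make([]byte, aes.BlockSize+len(plain))
	if _, err := rand.Read(buf[:aes.BlockSize]); err != nil {
		return "", err
	}
	cipher.NewCTR(block, buf[:aes.BlockSize]).XORKeyStream(buf[aes.BlockSize:], plain)
	return base64.StdEncoding.EncodeToString(buf), nil
}

// DecodeConfig reverses EncodeConfig and validates the layout, so a wrong
// key or a tampered blob surfaces as an error instead of a garbage Config.
func DecodeConfig(key []byte, blob string) (Config, error) {
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return Config{}, fmt.Errorf("base64 decode: %w", err)
	}
	if len(raw) < aes.BlockSize { // NewCTR panics on an IV shorter than the block size
		return Config{}, fmt.Errorf("blob too short (%d bytes) to carry an IV", len(raw))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return Config{}, err
	}
	plain := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCTR(block, raw[:aes.BlockSize]).XORKeyStream(plain, raw[aes.BlockSize:])
	fields := strings.Split(string(plain), "|")
	if len(fields) < 3 {
		return Config{}, fmt.Errorf("expected at least 3 fields, got %d", len(fields))
	}
	if d, err := hex.DecodeString(fields[0]); err != nil || len(d) != md5.Size {
		return Config{}, fmt.Errorf("first field is not a hex MD5 digest: %q", fields[0])
	}
	lower, err1 := strconv.Atoi(fields[1])
	upper, err2 := strconv.Atoi(fields[2])
	if err1 != nil || err2 != nil || lower < 0 || upper < lower {
		return Config{}, fmt.Errorf("bad sleep limits %q..%q", fields[1], fields[2])
	}
	return Config{SessionID: fields[0], SleepLower: lower, SleepUpper: upper, BlendIn: fields[3:]}, nil
}

// SleepDuration draws a sleep time between the limits. It deliberately mirrors
// the trait noted in both Sunshuttle and Tomiris: the RNG is reseeded from
// Now() before each call, so every draw depends only on the wall clock.
func SleepDuration(cfg Config) time.Duration {
	r := mrand.New(mrand.NewSource(time.Now().UnixNano()))
	return time.Duration(cfg.SleepLower+r.Intn(cfg.SleepUpper-cfg.SleepLower+1)) * time.Second
}

func main() {
	cfg := Config{SessionID: NewSessionID(time.Now()), SleepLower: 30, SleepUpper: 90, BlendIn: []string{"www.example.com", "/index.html"}}
	blob, _ := EncodeConfig(exampleKey, cfg) // exampleKey has a valid length, so no error path here
	parsed, err := DecodeConfig(exampleKey, blob)
	fmt.Printf("blob: %s\ndecoded: %+v (err=%v)\nnext sleep: %s\n", blob, parsed, err, SleepDuration(parsed))
}
```

When working from a real sample, swap exampleKey and the assumed mode for the values recovered from the binary; the validation in DecodeConfig is what tells you the guess was wrong, because a wrong key yields pseudo-random bytes that fail the field-count and MD5-digest checks rather than silently producing a Config.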
If the hypothesis that Tomiris and Sunshuttle are connected holds, it would offer new insight into how threat actors rebuild capabilities after being exposed. The authors of Sunshuttle are believed to have started developing Tomiris around December 2020, after the SolarWinds operation was discovered, as a replacement for their compromised toolset. The earliest known Tomiris sample dates from February 2021, a month before Sunshuttle was publicly disclosed. While no individual element conclusively links Tomiris and Sunshuttle, the threat intelligence community is encouraged to reproduce this research and provide second opinions on the similarities found.
Description last updated: 2024-05-04T16:46:33.007Z