Sunshuttle

Malware updated 4 months ago (2024-05-04T17:53:28.300Z)
Sunshuttle is a second-stage backdoor written in Go, first documented by Mandiant with a possible connection to UNC2452. Kaspersky's initial report on Tomiris, another Golang implant, noted similarities between Tomiris and Sunshuttle (attributed to NOBELIUM, also known as APT29 or TheDukes) and between Tomiris and Kazuar (associated with Turla), though interpreting those overlaps proved difficult. Among the Sunshuttle similarities noted during the Tomiris analysis, both implants reseed the random number generator with the output of Go's time.Now() before each call.

On April 15, 2021, the indicators of compromise for Sunshuttle were updated with files, domains, and C2 decoy traffic released by the Cybersecurity & Infrastructure Security Agency (CISA).

Sunshuttle's configuration data is Base64 encoded and AES-256 encrypted. Once decoded and decrypted it holds several values delimited by a "|" character, including an MD5 hash of the current timestamp computed at execution, the lower and upper limits used to generate sleep times, and the values used for "blend-in" (decoy) traffic requests. Recovering these values is the first step in characterising a sample's beaconing.

Kaspersky has also announced a free update to its Targeted Malware Reverse Engineering class with a track dedicated to reverse engineering Go malware, using Sunshuttle as the worked example.

The hypothesis that Tomiris and Sunshuttle are connected could offer insight into how a threat actor rebuilds its capacity after exposure. Under that hypothesis the Sunshuttle authors began developing Tomiris around December 2020, following the discovery of the SolarWinds operation, as a replacement for their compromised toolset; the earliest known Tomiris sample dates from February 2021, a month before Sunshuttle was publicly disclosed. No single element conclusively links the two families, and the threat intelligence community was encouraged to reproduce the research and offer second opinions on the similarities. Later reporting in the references below ("Tomoris links to APT behind SolarWinds attack put to rest") revisited this link.
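As an added worked example (not code from this page, from Mandiant or Kaspersky, or from the malware itself), the following Go program implements a configuration extractor for a layout matching the description above: Base64 decode, AES-256 decrypt, split on "|", then validate the MD5-of-timestamp field, the sleep limits and the blend-in values. It also reproduces, when drawing a sleep interval, the reseed-with-time.Now()-before-each-call habit the description names as a Tomiris/Sunshuttle similarity. Everything the page does not state is an assumption made here: the AES mode (CFB, with the IV prepended to the ciphertext), the field order, the timestamp text format, seconds as the sleep unit, the encoding of the blend-in flag and URL list, and the demo key. The encoder exists only so the example runs offline on a constructed configuration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"errors"
	mrand "math/rand"
	"strconv"
	"strings"
	"time"
)

// Config carries the fields the page attributes to the decrypted configuration; field order, units, blend-in encoding and the URL list are assumptions of this example.
type Config struct {
	TimestampMD5 string   // MD5 hex digest of a timestamp taken at execution
	SleepLower   int      // lower limit for generated sleep times (seconds assumed)
	SleepUpper   int      // upper limit for generated sleep times (seconds assumed)
	BlendIn      bool     // whether decoy ("blend-in") requests are sent
	BlendInURLs  []string // targets of the blend-in requests (assumed field)
}

// HashTimestamp builds the "MD5 hash of the current timestamp" field (RFC3339 text form assumed).
func HashTimestamp(t time.Time) string {
	sum := md5.Sum([]byte(t.UTC().Format(time.RFC3339)))
	return hex.EncodeToString(sum[:])
}

// newAES256 refuses any key length that would not select AES-256.
func newAES256(key []byte) (cipher.Block, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	return aes.NewCipher(key)
}

// EncodeConfig joins the fields with "|", encrypts with AES-256-CFB (mode assumed,
// random IV prepended) and Base64 encodes the result.
func EncodeConfig(c Config, key []byte) (string, error) {
	block, err := newAES256(key)
	if err != nil {
		return "", err
	}
	blend := map[bool]string{false: "0", true: "1"}[c.BlendIn]
	plain := strings.Join([]string{c.TimestampMD5, strconv.Itoa(c.SleepLower),
		strconv.Itoa(c.SleepUpper), blend, strings.Join(c.BlendInURLs, ",")}, "|")
	buf := make([]byte, aes.BlockSize+len(plain))
	if _, err := rand.Read(buf[:aes.BlockSize]); err != nil {
		return "", err
	}
	cipher.NewCFBEncrypter(block, buf[:aes.BlockSize]).XORKeyStream(buf[aes.BlockSize:], []byte(plain))
	return base64.StdEncoding.EncodeToString(buf), nil
}

// DecodeConfig reverses EncodeConfig and validates every field: a wrong key yields
// garbage that fails these checks, which is what a config extractor should report.
func DecodeConfig(b64 string, key []byte) (c Config, err error) {
	block, err := newAES256(key)
	if err != nil {
		return c, err
	}
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(raw) < aes.BlockSize {
		return c, errors.New("not Base64 or shorter than one AES block")
	}
	plain := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCFBDecrypter(block, raw[:aes.BlockSize]).XORKeyStream(plain, raw[aes.BlockSize:])
	f := strings.Split(string(plain), "|")
	if len(f) != 5 {
		return c, errors.New("expected 5 fields (wrong key?)")
	}
	_, errHex := hex.DecodeString(f[0])
	lo, errLo := strconv.Atoi(f[1])
	hi, errHi := strconv.Atoi(f[2])
	if errHex != nil || len(f[0]) != md5.Size*2 || errLo != nil || errHi != nil ||
		lo < 0 || hi < lo || (f[3] != "0" && f[3] != "1") {
		return c, errors.New("field validation failed (wrong key?)")
	}
	c = Config{TimestampMD5: f[0], SleepLower: lo, SleepUpper: hi, BlendIn: f[3] == "1"}
	if f[4] != "" {
		c.BlendInURLs = strings.Split(f[4], ",")
	}
	return c, nil
}

// SleepDuration draws the next sleep from a source seeded with time.Now() on every
// call, reproducing the reseed-before-each-call habit the page notes (demonstration only).
func SleepDuration(c Config) time.Duration {
	r := mrand.New(mrand.NewSource(time.Now().UnixNano()))
	span := c.SleepUpper - c.SleepLower
	if span < 0 {
		span = 0 // guard a hand-built Config; DecodeConfig already rejects this
	}
	return time.Duration(c.SleepLower+r.Intn(span+1)) * time.Second
}
```

The validation after the split matters more than the decryption: with a wrong key, CFB decryption does not fail, it returns garbage, so an extractor that trusts the first "|"-split it gets will emit nonsense. Checking the field count, the 32 hex characters of the MD5 field and the ordering of the sleep limits turns a silent error into a reported one. The per-call reseed is worth keeping in view for the reason the page gives: as a coding habit it is a cheap, if weak, similarity signal when comparing Go implants, and it also makes the jitter a function of the wall clock rather than of a secret.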
Description last updated: 2024-05-04T16:46:33.007Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Tomiris | 2 | Tomiris is a threat actor (the name is also used for its Golang backdoor) that has been active since before 2019. Known for its use of the QUIETCANARY backdoor, Tomiris has expanded its capabilities and influence within its region, targeting government entities and other high-value targets. The group has shown a particular i
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Kaspersky
Source Document References
Information about the Sunshuttle malware was read from the documents below (display limited to 20 results).
Source | Created | Title
MITRE | 2 years ago | GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence - Microsoft Security Blog
CERT-EU | a year ago | Tomiris called, they want their Turla malware back
CERT-EU | a year ago | Tomiris called, they want their Turla malware back - GIXtools
MITRE | 2 years ago | Tomiris backdoor and its connection to Sunshuttle and Kazuar
CERT-EU | a year ago | IT threat evolution in Q2 2023 – GIXtools
CERT-EU | a year ago | IT threat evolution Q2 2023
CERT-EU | a year ago | Tomoris links to APT behind SolarWinds attack put to rest
MITRE | 2 years ago | New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452 | Mandiant