SUNSPOT

Malware updated 6 months ago (2024-05-04T16:52:22.869Z)
Sunspot is a sophisticated, novel malware associated with the SolarWinds intrusion that occurred in December 2020. It is linked to COZY BEAR (also known as APT29 or "The Dukes") and infiltrates systems undetected, often through suspicious downloads, emails, or websites. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom.

The Sunspot malware masquerades as a legitimate Windows binary, monitors running processes for instances of MsBuild.exe, and writes its logs to a fake VMware log file, making detection and mitigation particularly challenging. Its entry point was added to the legitimate Orion software's RefreshInternal function, enabling it to monitor the execution of a SolarWinds build and insert malicious code during any such execution. If decryption of the parameters succeeds and the MD5 checks pass, Sunspot replaces the content of the source file. In one example, the MD5 hash of the backdoored source code was identified as 5f40b59ee2a9ac94ddb6ab9e3bd776ca. Sunspot's configuration is encrypted with AES128-CBC, and the log file it writes is encrypted with RC4, further complicating efforts to understand and counter the threat.

Since the initial discovery of Sunspot, the security community has identified an expanding collection of payloads attributed to the same actor, including GoldMax, GoldFinder, Sibot, TEARDROP, Raindrop, and most recently FLIPFLOP. These discoveries were made possible through collaborative work by several cybersecurity firms, including CrowdStrike, Microsoft, FireEye, Symantec, and KPMG. The persistent presence and cunning nature of Sunspot, along with its focus on the build process during a major supply chain attack, make it comparable only to the CozyDuke/DarkHalo/APT29/NOBELIUM SolarWinds compromise.
Description last updated: 2024-04-24T11:16:00.859Z
Miscellaneous Associations: Implant