SUNSPOT

Malware Profile (updated 3 months ago)
Sunspot is a sophisticated and novel malware associated with the SolarWinds intrusion that occurred in December 2020. This malicious software, linked to COZY BEAR (also known as APT29 or "The Dukes"), infiltrates systems undetected, often through suspicious downloads, emails, or websites. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom.

Sunspot masquerades as a legitimate Windows binary, monitors running processes for instances of MsBuild.exe, and writes its logs to a fake VMware log file, which makes detection and mitigation particularly challenging. Its entry point was added to the legitimate Orion software's RefreshInternal function, allowing it to monitor the execution of a SolarWinds build and insert malicious code during any such execution. If decryption of the parameters succeeds and the MD5 checks pass, Sunspot replaces the content of the source file. In one example, the MD5 hash of the backdoored source code was identified as 5f40b59ee2a9ac94ddb6ab9e3bd776ca. Sunspot's configuration is encrypted with AES128-CBC, and the log file it writes is encrypted with RC4, further complicating efforts to understand and combat the threat.

Since the initial discovery of Sunspot, the security community has identified a growing collection of payloads attributed to the same actor, including GoldMax, GoldFinder, Sibot, TEARDROP, Raindrop, and most recently FLIPFLOP. These discoveries came out of collaborative work by several cybersecurity firms, including CrowdStrike, Microsoft, FireEye, Symantec, and KPMG. The persistence and cunning of Sunspot, together with its focus on the build process during a major supply chain attack, make it comparable only to the CozyDuke/DarkHalo/APT29/NOBELIUM SolarWinds compromise.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.

ID | Votes | Profile Description
SUNBURST | 1 | Sunburst is a sophisticated malware that has been linked to the Kazuar code, indicating its complexity. It was used in several well-known cyber attack campaigns such as SUNBURST, OilRig, xHunt, DarkHydrus, and Decoy Dog, which employed DNS tunneling techniques for command and control (C2) communicat
Cozy Bear | 1 | Cozy Bear, also known as APT29, is a threat actor linked to the Russian government that has been implicated in numerous cyber-espionage activities. The group's activities have been traced back to at least 2015, when they were identified as infiltrating the Democratic National Committee (DNC) network
APT29 | 1 | APT29, also known as Cozy Bear, SVR group, BlueBravo, Nobelium, Midnight Blizzard, and The Dukes, is a threat actor linked to Russia. This group is notorious for its malicious activities in the cybersecurity realm, executing actions with harmful intent. It has been associated with several high-profi
StellarParticle | 1 | StellarParticle, a threat actor associated with the COZY BEAR adversary group, has been identified as a significant cybersecurity risk by CrowdStrike. StellarParticle is known for its extensive knowledge of Windows and Linux operating systems, Microsoft Azure, O365, and Active Directory, and it has
The Dukes | 1 | The Dukes, also known as APT29, Cozy Bear, Midnight Blizzard, and several other aliases, is a highly active threat actor group widely believed to be associated with the Russian Foreign Intelligence Service (SVR). The group has been operational since at least 2008, targeting various governments, thin
Miscellaneous Associations
Other contextual elements that could help in judging relevance
Implant
Microsoft
Solarwinds
Backdoor
Exploit
Windows
Malware
Source
exploitation
Crowdstrike
Encryption
Associated Malware
ID | Type | Votes | Profile Description
Raindrop | Unspecified | 1 | Raindrop is a type of malware discovered during the Solorigate investigation, along with other malicious software such as TEARDROP, SUNBURST, and various custom loaders for the Cobalt Strike beacon. These malware types, including Raindrop, are likely generated using custom Artifact Kit templates. Ra
TEARDROP | Unspecified | 1 | Teardrop is a sophisticated malware used in cyber attacks, often associated with APT29/Cozy Bear, a group known for deploying advanced tactics and techniques. It has been linked to the Solorigate (SUNBURST) backdoor and is part of a suite of tools including Raindrop, GoldMax, and others used by the
Sibot | Unspecified | 1 | Sibot is a malware that operates as a dual-purpose VBScript, designed to achieve persistence on an infected machine and then download and execute payloads from a remote C2 server. It reaches out to a compromised website to download a DLL to a folder under System32. Malware is harmful software capabl
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the SUNSPOT malware was drawn from the document corpus below. This display is limited to 20 results.

Source | Created At | Title
Securelist | 3 months ago | Social engineering aspect of the XZ incident
MITRE | a year ago | StellarParticle Campaign: Novel Tactics and Techniques | CrowdStrike
MITRE | a year ago | SUNSPOT Malware: A Technical Analysis | CrowdStrike
MITRE | a year ago | Breaking down NOBELIUM’s latest early-stage toolset - Microsoft Security Blog
MITRE | a year ago | Security Advisory | SolarWinds