
Unveiled: SUNSPOT Malware Was Used to Inject SolarWinds Backdoor

As the investigation into the SolarWinds supply-chain attack continues, cybersecurity researchers have disclosed a third malware strain that was deployed into the build environment to inject the backdoor into the company's Orion network monitoring platform.

Called "Sunspot," the malicious tool adds to a growing list of previously disclosed malware from the same campaign, such as Sunburst and Teardrop.

"This highly sophisticated and novel code was designed to inject the Sunburst malicious code into the SolarWinds Orion Platform without arousing the suspicion of our software development and build teams," SolarWinds' new CEO Sudhakar Ramakrishna explained.


While preliminary evidence found that the operators behind the espionage campaign had compromised the software build and code-signing infrastructure of the SolarWinds Orion platform as early as October 2019 to deliver the Sunburst backdoor, the latest findings reveal a new timeline that places the first breach of SolarWinds' network on September 4, 2019 — all carried out with the intent of deploying Sunspot.


"Sunspot monitors running processes for those involved in compilation of the Orion product and replaces one of the source files to include the Sunburst backdoor code," CrowdStrike researchers said in a Monday analysis.

CrowdStrike is tracking the intrusion under the moniker "StellarParticle."

Once installed, the malware ("taskhostsvc.exe") grants itself debugging privileges and sets about hijacking the Orion build workflow: it monitors the software processes running on the build server and, when a build is in progress, replaces a source code file in the build directory with a malicious variant so that Sunburst is compiled into Orion.
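The defensive check this technique calls for is build-time source integrity: hash every source file before the compiler starts and compare again afterwards, so a file swapped during the build stands out even though the repository itself was never modified. The following is an added example, not code from the article, SolarWinds or CrowdStrike; the source tree, file names and contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Suffixes treated as build inputs; extend to match the project being built.
SOURCE_SUFFIXES = {".cs", ".vb", ".csproj", ".config", ".xml"}


def hash_file(path):
    """SHA-256 of a file, read in chunks so large sources do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each source file under root (relative path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in SOURCE_SUFFIXES
    }


def diff_snapshots(before, after):
    """Return (modified, added, removed) relative paths between two snapshots."""
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    added = sorted(p for p in after if p not in before)
    removed = sorted(p for p in before if p not in after)
    return modified, added, removed


def demo():
    """Constructed scenario: one source file changes between the pre-build
    snapshot and the post-build snapshot, which is exactly what a build-time
    source swap looks like to this check."""
    with tempfile.TemporaryDirectory() as d:
        src = Path(d) / "src"
        src.mkdir()
        (src / "Sample.cs").write_text("class Sample {}")          # constructed
        (src / "Program.cs").write_text("class Program {}")        # constructed
        before = snapshot(src)
        # Simulated tampering while the "build" runs: file content replaced.
        (src / "Sample.cs").write_text("class Sample { /* altered */ }")
        after = snapshot(src)
        return diff_snapshots(before, after)
```

In a real pipeline, take the first snapshot from a clean checkout, run the second right after the compiler exits, and fail the build (and alert) on any non-empty result; the snapshot itself should be stored off the build host so a compromised server cannot rewrite it.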

"The subsequent October 2019 version of the Orion Platform release appears to have contained modifications designed to test the perpetrators' ability to insert code into our builds," Ramakrishna said, echoing previous reports from ReversingLabs.


The development comes as Kaspersky researchers found what appears to be a first potential connection between Sunburst and Kazuar, a malware family linked to Russia's Turla state-sponsored cyber-espionage outfit.

The cybersecurity firm, however, refrained from drawing too many inferences from the similarities, instead suggesting that the overlaps may have been intentionally added to mislead attribution.

While the similarities are far from a smoking gun tying the hack to Russia, U.S. government officials last week formally pinned the Solorigate operation on an adversary "likely Russian in origin."
