Sunshuttle, the fourth malware allegedly linked to SolarWinds hack

March 4, 2021  By Pierluigi Paganini


FireEye researchers spotted a new sophisticated second-stage backdoor that was likely linked to threat actors behind the SolarWinds hack.

Malware researchers at FireEye discovered a new sophisticated second-stage backdoor, dubbed Sunshuttle, while analyzing the servers of an organization that was compromised as a result of the SolarWinds supply-chain attack.

The new malware is dubbed Sunshuttle, and it was “uploaded by a U.S.-based entity to a public malware repository in August 2020.”

“Mandiant Threat Intelligence discovered a sample of the SUNSHUTTLE backdoor uploaded to an online multi-Antivirus scan service.” reads the analysis published by Fireeye. “SUNSHUTTLE is a backdoor, written in GO, that reads an embedded or local configuration file, communicates with its C2 server over HTTPS and supports commands including remotely updating its configuration, file upload and download, and arbitrary command execution.”

The SUNSHUTTLE backdoor was likely developed to conduct network reconnaissance alongside other SUNBURST-related tools.

Mandiant researchers discovered the SUNSHUTTLE backdoor on a system of a victim compromised by UNC2452, and believe that it is linked to this threat actor.

Experts pointed out that the SUNSHUTTLE malware was not observed using any trick to gain persistence, this means that the persistence is likely set outside of the execution of this backdoor.

The SUNSHUTTLE backdoor communicates with C2 servers passing it the values in the cookie header.

“SUNSHUTTLE uses the cookie header to pass values to the C2.” continues FireEye. “Additionally, a referrer is selected from the following list, presumably to make the traffic blend in if traffic is being decrypted for inspection:

  • www.bing.com
  • www.yahoo.com
  • www.google.com
  • www.facebook.com

The cookie headers vary slightly depending on the operation being performed.”

Technical details and Indicators of compromise(IoCs) for this backdoor are included in the report published by FireEye.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, SolarWinds)

[adrotate banner=”5″]

[adrotate banner=”13″]



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like





  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

VMware addresses Remote Code Execution issue in View Planner

 VMware released a security patch for a remote code execution vulnerability that affects the VMware View Planner product. VMware...