Interesting article about continued SolarWinds research

https://community.riskiq.com/article/9a515637

 
Key points:
 
  • Of the SUNBURST features that were operationalized, the most telling was the one that identified antivirus (AV) and endpoint detection and response (EDR) products on the target, products sold by five companies: FireEye, CrowdStrike, Microsoft, ESET, and F-Secure (Kaspersky was also identified, but the malware did not modify its behavior when it was found).
  • A key tactical countermeasure that significantly impeded analysis was the threat actor’s strict adherence to pattern avoidance: registering domains at different times over different years, “aging” domains, keeping the first-stage infrastructure registered in the US to avoid prying by the NSA, and placing second-stage and third-stage infrastructure in foreign countries.
  • The first-stage implant was designed to beacon to its command-and-control servers with random jitter after a two-week period, an effort RiskIQ’s Team Atlas assessed was meant to outlive the typical lifespan of event logging on most host-based EDR products. 
  • The third-stage malware was designed to look completely different from the second-stage malware, which, in turn, was designed to look nothing like the first-stage malware. 
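
The two-week dormancy described in the key points can be hunted for by comparing a host's install time with the first time it resolves a new domain, then checking which log sources would still hold the install event at that point. The sketch below is an added example, not code from the RiskIQ article or this post; the event format, host names, domains and retention values are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the RiskIQ article): one software
# install event per host, followed by DNS queries seen from that host.
EVENTS = [
    {"host": "ws-01", "ts": "2020-03-01T09:00", "kind": "install", "name": "vendor-update"},
    {"host": "ws-01", "ts": "2020-03-01T09:05", "kind": "dns", "name": "updates.vendor.example"},
    {"host": "ws-01", "ts": "2020-03-16T11:42", "kind": "dns", "name": "aged-domain.example"},
    {"host": "ws-01", "ts": "2020-03-16T15:07", "kind": "dns", "name": "aged-domain.example"},
    {"host": "ws-02", "ts": "2020-03-02T10:00", "kind": "install", "name": "vendor-update"},
    {"host": "ws-02", "ts": "2020-03-03T10:00", "kind": "dns", "name": "cdn.vendor.example"},
]

# Assumed retention per log source, in days (hypothetical values).
RETENTION_DAYS = {"edr_process_events": 7, "dns_resolver_logs": 30, "siem_archive": 90}


def delayed_first_contacts(events, dormancy=timedelta(days=14)):
    """Return (host, domain, gap) for every domain a host first resolved
    at least `dormancy` after the install event on that host."""
    installs, first_seen = {}, {}
    # ISO timestamps of equal length sort chronologically as strings.
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["kind"] == "install":
            installs.setdefault(e["host"], ts)
        elif e["kind"] == "dns":
            first_seen.setdefault((e["host"], e["name"]), ts)
    hits = []
    for (host, domain), ts in first_seen.items():
        if host in installs and ts - installs[host] >= dormancy:
            hits.append((host, domain, ts - installs[host]))
    return hits


def sources_missing_install(gap, retention=RETENTION_DAYS):
    """Log sources whose retention is shorter than the dormancy gap, so the
    install event has already aged out when the first beacon is observed."""
    return sorted(s for s, days in retention.items() if timedelta(days=days) < gap)


if __name__ == "__main__":
    for host, domain, gap in delayed_first_contacts(EVENTS):
        print(host, domain, gap, "aged out in:", sources_missing_install(gap))
```

Any source listed as aged out cannot link the beacon back to the install, which is the gap the dormancy period was assessed to exploit.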
Written by:

Mark Kerzner

Mark Kerzner is the co-founder of Elephantscale. He is a trainer and author (AI, Machine Learning, Spark, Hadoop, NoSQL, Blockchain).
