On December 13, 2020, FireEye, Microsoft and SolarWinds disclosed a large, sophisticated supply-chain attack in which the previously unknown Sunburst malware had been deployed against customers of SolarWinds' Orion IT platform.
Kaspersky's experts have now found specific similarities between the code of Sunburst and that of known versions of the Kazuar backdoor. This information may help uncover more about the attack.
Kaspersky's experts have examined the Sunburst backdoor and discovered a number of features that overlap with previously identified Kazuar backdoors (a backdoor is a type of malware that gives an attacker remote access to the victim's machine). The Kazuar backdoors are written on the .NET framework, were first reported by Palo Alto in 2017 and have since been used in cyber-espionage attacks across the globe. Kaspersky has found a number of similarities in the code, suggesting a connection between Kazuar and Sunburst.
The overlapping features between Sunburst and Kazuar include the algorithm used to generate the victim's UUID (a Universally Unique Identifier is a 128-bit number used to uniquely identify a specific device; the algorithm generates the number automatically, and the UUID lets the operator address a specific device so that it can be accessed and interacted with), the sleep algorithm that keeps the malware dormant between activity, and extensive use of the FNV-1a hash (a hash is a fixed-size number computed from data by an algorithm; it is most often used to check content, since two files with identical content produce the same hash even when they have different file names). According to Kaspersky, these code fragments are not 100 percent identical, but they indicate that Kazuar and Sunburst may be related.
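The FNV-1a hash named above is a small, public algorithm, which is exactly why a shared implementation detail can serve as an attribution clue and why analysts want to recognise its constants in a sample. The following Python is an added example, not code from the article or from Kaspersky's report: it implements standard 32-bit and 64-bit FNV-1a (checked against the published FNV test vectors), and goes beyond the article by showing the defender-side workflow of resolving hash constants recovered from a sample back to readable strings using a candidate wordlist. The candidate list, the encodings tried and the "recovered" hash values are all constructed for the example.

```python
"""Standard FNV-1a (32/64-bit) plus a defender-side hash resolver.

Added illustration; the wordlist and sample hash values below are constructed.
"""
from typing import Dict, Iterable, Optional, Sequence

# Public FNV-1a parameters (offset basis and prime) for the two common widths.
FNV32_OFFSET, FNV32_PRIME = 0x811C9DC5, 0x01000193
FNV64_OFFSET, FNV64_PRIME = 0xCBF29CE484222325, 0x100000001B3


def fnv1a_32(data: bytes) -> int:
    """FNV-1a over a byte string, 32-bit variant: XOR the byte, then multiply."""
    h = FNV32_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV32_PRIME) & 0xFFFFFFFF
    return h


def fnv1a_64(data: bytes) -> int:
    """FNV-1a over a byte string, 64-bit variant."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & 0xFFFFFFFFFFFFFFFF
    return h


def build_lookup(candidates: Iterable[str], hash_fn,
                 encodings: Sequence[str] = ("utf-8", "utf-16-le")) -> Dict[int, str]:
    """Precompute hash -> 'name (encoding)' for every candidate string.

    Malware written for Windows may hash UTF-16 strings, .NET code may hash
    UTF-8 or UTF-16; trying both is the usual analyst shortcut.
    """
    table: Dict[int, str] = {}
    for name in candidates:
        for enc in encodings:
            table[hash_fn(name.encode(enc))] = f"{name} ({enc})"
    return table


def resolve(hashes: Iterable[int], lookup: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Map each recovered hash constant to a candidate string, or None if unknown."""
    return {h: lookup.get(h) for h in hashes}


# Constructed analyst wordlist (hypothetical names, not from any real sample).
CANDIDATE_NAMES = ["example-service", "update-agent", "backup-helper"]


def demo() -> Dict[int, Optional[str]]:
    """Resolve two 'recovered' constants: one in the wordlist, one deliberately unknown."""
    lookup = build_lookup(CANDIDATE_NAMES, fnv1a_32)
    recovered = [fnv1a_32(b"update-agent"), 0xDEADBEEF]  # constructed sample values
    return resolve(recovered, lookup)


if __name__ == "__main__":
    for value, name in demo().items():
        print(f"0x{value:08x} -> {name}")
```

The resolver is only as good as its wordlist, and 32-bit FNV-1a is not collision resistant, so a match should be treated as a lead to confirm in the disassembly rather than as proof; that caveat is the same reason Kaspersky describes the shared fragments as a similarity rather than an identity.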
Sunburst was first deployed in February 2020. Kazuar continued to evolve after that, and later 2020 variants share several similarities with Sunburst.
Kaspersky's experts have followed Kazuar's development over recent years, and the backdoor's code has evolved to become more and more similar to Sunburst. The similarities between Kazuar and Sunburst are remarkable and can mean several things: that Sunburst was developed by the same group as Kazuar, that the Sunburst developers used Kazuar as inspiration for their own code, that a Kazuar developer moved to the Sunburst team, or that the Sunburst and Kazuar teams obtained their malware from the same source.
"The connection we have identified does not reveal who is behind the SolarWinds attack, but provides more insight into the malware so that IT security investigators can move forward with their investigation of the attack. We believe it is important that IT security investigators from the rest of the world also investigate Kazuar so that together we can trace the origins of Sunburst, the malware used in the SolarWinds attack. Judging from previous experiences, e.g. in the WannaCry attack, there was initially little that connected them to the Lazarus group. Over time, more and more evidence emerged that led us and other IT security investigators to conclude that there was a connection between the two. Further investigation is therefore crucial to whether we can find the group," says Costin Raiu, director of Kaspersky's global analysis and investigation unit GReAT.
Read more about the technical details of the similarity between Sunburst and Kazuar in Kaspersky's report at Securelist. You can also read more about Kaspersky's research on Sunburst here, and see how Kaspersky protects its customers from the Sunburst backdoor here.
To avoid infection by malware such as the Sunburst backdoor, Kaspersky recommends:
- Give your IT department access to the latest threat intelligence (TI). Kaspersky Threat Intelligence Portal provides access to the company's TI, with data and insights on cyber attacks collected by Kaspersky over more than 20 years. Free access to features that let users check files, URLs and IP addresses is available here.
- Organizations that want to conduct their own research can benefit from Kaspersky Threat Attribution Engine. It runs malicious code against malware databases and compares the code with already identified APT campaigns.
*This article has been translated from IT-Kanalen (it-kanalen.dk).