SUNBURST SolarWinds Malware - Tools, Tactics and Methods to get you started with Reverse Engineering

Published 2020-12-17
Here we take a look inside some of the most complex, elegant, well-crafted malware I've seen, known as SUNBURST and responsible for the global SolarWinds compromise. The code is a malicious DLL loaded by the SolarWinds Orion platform, and it blends in exceptionally well with the rest of the legitimate code base.

We start by using dnSpy to decompile the .NET assembly, which gives us readable C# to work from, and I show you my methods for finding things of interest and how to go down the rabbit hole with your analysis.

We cover FNV-1a hashing (a Fowler-Noll-Vo variant I'd never heard of!), which the backdoor uses to match process, service and driver names against a hardcoded blocklist without ever storing those names in plaintext, and also variants of the Base64 encoding routine the bad guys use to mask strings in their code.
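An added example, in Python, of the two routines above as reconstructed from the published FireEye analysis; it is my own code, not the author's FNV tool and not code from the DLL. The hash is FNV-1a (XOR the byte in, then multiply) over the UTF-8 name, with the 64-bit result XORed against a fixed constant, so feeding a wordlist through the same routine recovers plaintext for a hashed blocklist. The string masking is Base64 wrapped around a raw Deflate stream, the layering that the DLL's ZipHelper.Unzip reverses. The candidate wordlist, the hash values it produces and the masked string "AQUA+v9Pcmlvbg==" (a hand-built stored Deflate block) are constructed for this demonstration and are not values taken from the sample.

```python
import base64
import zlib

# Standard 64-bit FNV parameters; the trailing XOR constant is specific to
# SUNBURST and is taken from the published analysis of the decompiled GetHash.
FNV_OFFSET_BASIS = 0xCBF29CE484222325
FNV_PRIME = 0x100000001B3
SUNBURST_XOR = 6605813339339102567
MASK64 = (1 << 64) - 1


def fnv1a64(data: bytes) -> int:
    """Plain 64-bit FNV-1a: XOR each byte in, then multiply (FNV-1 multiplies first)."""
    h = FNV_OFFSET_BASIS
    for b in data:
        h ^= b
        h = (h * FNV_PRIME) & MASK64
    return h


def sunburst_hash(name: str) -> int:
    """SUNBURST-style GetHash: FNV-1a over the UTF-8 name, then XOR with a constant.
    The backdoor lower-cases names before hashing, so pass lower-case candidates."""
    return fnv1a64(name.encode("utf-8")) ^ SUNBURST_XOR


def resolve_hashes(hashed_blocklist, wordlist):
    """Recover plaintext for hashed blocklist entries by hashing every candidate
    name and looking the results up; entries with no candidate map to None."""
    lookup = {sunburst_hash(w.lower()): w.lower() for w in wordlist}
    return {h: lookup.get(h) for h in hashed_blocklist}


def unmask(encoded: str) -> str:
    """Undo ZipHelper.Unzip-style masking: Base64 -> raw Deflate -> UTF-8.
    wbits=-15 selects raw Deflate (no zlib header), matching .NET's DeflateStream."""
    return zlib.decompress(base64.b64decode(encoded), -15).decode("utf-8")


def mask(plain: str) -> str:
    """Inverse of unmask; used here only to build masked samples for the demo."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(plain.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


# Constructed demo data (assumptions, not values from the sample): a small
# wordlist, and "Orion" masked by hand as a stored (uncompressed) Deflate block.
CANDIDATES = ["procmon", "wireshark", "windefend", "ida64", "Explorer"]
MASKED_SAMPLE = "AQUA+v9Pcmlvbg=="


def demo():
    """Resolve a constructed hashed blocklist and unmask the sample string."""
    blocklist = [sunburst_hash("wireshark"), sunburst_hash("windefend"), 0xDEADBEEF]
    resolved = resolve_hashes(blocklist, CANDIDATES)
    for h, name in resolved.items():
        print(f"{h:20d} -> {name or '<unresolved>'}")
    print("unmasked:", unmask(MASKED_SAMPLE))
    return resolved


if __name__ == "__main__":
    demo()
```

The third blocklist entry is deliberately one no candidate produces: in practice most of the real list resolves only once you feed it a wordlist of security tool, service and driver names, which is exactly the kind of intelligence sharing the published countermeasures repository enables.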

This is one of the most fascinating backdoors I've had hands on, and there is much more to come with the analysis; I'd love to hear how you get on pulling apart this code too.

Special thanks to the folks at FireEye, their research on this malware is exceptional.

LINKS
=====
www.fireeye.com/blog/threat-research/2020/12/evasi…
github.com/fireeye/sunburst_countermeasures
www.volexity.com/blog/2020/12/14/dark-halo-leverag…
us-cert.cisa.gov/ncas/alerts/aa20-352a
cyber.dhs.gov/ed/21-01/
en.wikipedia.org/wiki/Fowler%E2%80%93Noll%E2%80%93…

TOOLS
======
dnSpy - github.com/dnSpy/dnSpy
PeStudio - www.winitor.com/
FNV-1 Hashing tool - github.com/cybercdh/hacks/tree/master/sunburst

SAMPLE
=======
app.any.run/tasks/4fc6b555-4f9b-4346-8df2-b59e5796…

FOLLOW
======
You can join in the conversation by following me at twitter.com/cybercdh

THANKS
=======
If you LIKED this video, please hit the THUMBS UP. If you LOVED it, please SUBSCRIBE!

Many thanks for watching, it means a lot. Peace out.
@cybercdh

All Comments (21)
  • Working from home, lunch break, food ready - go on youtube and see a new vid from Colin; perfect. Was hoping you would do a video on this malware after seeing your Twitter updates on it :) Thanks.
  • @klaboem0
    Your videos are also getting more sophisticated! Really enjoyed the video, keep it up Colin
  • @philswaim392
    It was really fun to listen to this. I was able to just have this playing on audio and take a shower listening to this and could still follow along. You do such a good job of narrating and speaking through everything.
  • @CodeXND
    Was eagerly waiting for this, thanks.
  • @TheLampedusa
    Colin, you have produced some amazing videos, that have really helped me develop as a malware analyst, but this one takes your work to a new level. Thank you!
  • Amazing drill-down, appreciate your contribution. My team and I are doing research on this and you opened the door for us to dig deeper. Keep contributing, respect from Pakistan!
  • @wise_one45
    Thank you Colin. As always as a new malware analyst i always enjoy your videos for new ideas and to dig at your thinking. Been following you for years!
  • @FMontanari709
    Loved the video, super interesting piece of malware! If you keep having issues with 1080p, would it be possible to bump up the font size a bit? That would help mobile users' eyesight a lot lol
  • @qe4wsy5
    Good stuff, quick and smooth
  • @CUBKITS
    I love how informative these videos are! If I could make one comment/request, though, it would be that you make the font a bit larger! It's hard to read a lot of the text on the screen!
  • @stewatts
    Amazing work as always Col and 100% agree about intelligence sharing!
  • Definitely need more content like this. Thanks for the insights man♥♥
  • @cmdsecure
    Very interesting - super research and well documented.
  • @anoopmj6749
    Very very good job. My best video on YouTube so far. 👏🏻👏🏻👏🏻👏🏻👏🏻
  • @JanivzZ
    thank you Colin ! ! as usual super interesting !!