SUNBURST SolarWinds Malware - Tools, Tactics and Methods to get you started with Reverse Engineering
Published 2020-12-17
We start by using dnSpy to decompile the .NET code, which gives us access to the source, and I show you my methodology for finding items of interest and how to go down the rabbit hole with your analysis.
We cover FNV-1 hashing (something I'd never heard of!) and also variants of the Base64 encoding routine which the bad guys are using to mask their malicious code.
This is one of the most fascinating backdoors I've had my hands on, and there is much more to come with the analysis. I'd love to hear how you get on pulling apart this code too.
Special thanks to the folks at FireEye; their research on this malware is exceptional.
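The FNV-1 step described above, as an added example that is not part of the video or its author's tooling: a 64-bit FNV-1 (and FNV-1a, for comparison) implementation plus the analyst-side trick of hashing a wordlist to recover which plaintext names the hash constants in a decompiled blocklist refer to. The candidate names and the blocklist below are constructed for the demo and are not SUNBURST's own values.

```python
# Added example, not code from the video or from SUNBURST itself.
# FNV-1 64-bit parameters (public constants from the FNV specification).
FNV_OFFSET_BASIS_64 = 0xCBF29CE484222325
FNV_PRIME_64 = 0x100000001B3
MASK_64 = (1 << 64) - 1


def fnv1_64(data: bytes, variant: str = "fnv1") -> int:
    """Return the 64-bit FNV hash of data.

    FNV-1 multiplies by the prime, then XORs each byte in; FNV-1a XORs the
    byte first, then multiplies.  Both reduce modulo 2**64 after every step.
    """
    h = FNV_OFFSET_BASIS_64
    for b in data:
        if variant == "fnv1":
            h = (h * FNV_PRIME_64) & MASK_64
            h ^= b
        elif variant == "fnv1a":
            h ^= b
            h = (h * FNV_PRIME_64) & MASK_64
        else:
            raise ValueError(f"unknown variant {variant!r}")
    return h


def resolve_hashes(unknown: set, wordlist: list, variant: str = "fnv1") -> dict:
    """Map hash constants pulled from a binary back to plaintext candidates.

    Malware that stores only hashes of the strings it checks for leaves no
    readable names behind; hashing a dictionary of likely candidates (process
    or service names) and comparing against the constants recovers them.
    Candidates are lowercased, since case-normalising before hashing is common.
    """
    found = {}
    for word in wordlist:
        h = fnv1_64(word.lower().encode("utf-8"), variant)
        if h in unknown:
            found[h] = word
    return found


# Constructed demo data: pretend BLOCKLIST was read out of a decompiled sample.
# Names and hashes are made up for illustration, not SUNBURST's real values.
CANDIDATES = ["example-edr.exe", "sample-av.exe", "notepad.exe", "demo-agent.exe"]
BLOCKLIST = {fnv1_64(n.encode(), "fnv1") for n in ("example-edr.exe", "demo-agent.exe")}

if __name__ == "__main__":
    for h, name in sorted(resolve_hashes(BLOCKLIST, CANDIDATES).items()):
        print(f"0x{h:016x} -> {name}")
```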
LINKS
=====
www.fireeye.com/blog/threat-research/2020/12/evasi…
github.com/fireeye/sunburst_countermeasures
www.volexity.com/blog/2020/12/14/dark-halo-leverag…
us-cert.cisa.gov/ncas/alerts/aa20-352a
cyber.dhs.gov/ed/21-01/
en.wikipedia.org/wiki/Fowler%E2%80%93Noll%E2%80%93…
TOOLS
======
dnSpy - github.com/dnSpy/dnSpy
PeStudio - www.winitor.com/
FNV-1 Hashing tool - github.com/cybercdh/hacks/tree/master/sunburst
SAMPLE
=======
app.any.run/tasks/4fc6b555-4f9b-4346-8df2-b59e5796…
FOLLOW
======
You can join in the conversation by following me at twitter.com/cybercdh
THANKS
=======
If you LIKED this video, please hit the THUMBS UP. If you LOVED it, please SUBSCRIBE!
Many thanks for watching, it means a lot. Peace out.
@cybercdh
All Comments (21)
-
Working from home, lunch break, food ready - go on YouTube and see a new vid from Colin; perfect. Was hoping you would do a video on this malware after seeing your Twitter updates on it :) Thanks.
-
Your videos are also getting more sophisticated! Really enjoyed the video, keep it up Colin
-
It was really fun to listen to this. I was able to just have this playing on audio and take a shower listening to this and could still follow along. You do such a good job of narrating and speaking through everything.
-
Was eagerly waiting for this, thanks.
-
Glad you're back, really interesting as always!
-
Colin, you have produced some amazing videos that have really helped me develop as a malware analyst, but this one takes your work to a new level. Thank you!
-
Amazing drill-down, appreciate your contribution. My team and I are doing research on this and you opened the door for us to dig deeper. Keep contributing, respect from Pakistan!
-
Thank you Colin. As always, as a new malware analyst I always enjoy your videos for new ideas and to dig at your thinking. Been following you for years!
-
Loved the video, super interesting piece of malware! If you keep having issues with 1080p, would it be possible to bump up the font size a bit? That would help mobile users' eyesight a lot lol
-
Good stuff, quick and smooth
-
Great video as always. Thank you
-
Great breakdown Colin thank you.
-
I love how informative these videos are! If I could make one comment/request, though, it would be that you make the font a bit larger! It's hard to read a lot of the text on the screen!
-
Amazing job Colin, Thank you!!
-
Amazing work as always Col and 100% agree about intelligence sharing!
-
Definitely need more content like this. Thanks for the insights man♥♥
-
Very interesting - super research and well documented.
-
Very very good job. My best video on YouTube so far. 👏🏻👏🏻👏🏻👏🏻👏🏻
-
Thank you Colin!! As usual, super interesting!!
-
You are the best, Colin.