Researchers Discover Fourth Malware Tied to Threat Actors Responsible for SolarWinds Attack
FireEye researchers have discovered a new malware family, Sunshuttle, which they believe to be a “sophisticated second-stage backdoor” found on the servers of an organization compromised by the threat actors behind the SolarWinds supply-chain attack. The researchers note that the newly discovered malware was “uploaded by a U.S.-based entity to a public malware repository in August 2020.”
FireEye researchers Lindsay Smith, Jonathan Leathery, and Ben Read believe Sunshuttle is linked to the threat actor behind the SolarWinds supply-chain attack. Sunshuttle is Go-based malware with detection evasion capabilities. The infection vector used to install the backdoor is not yet known, but it is “most likely” dropped as a second-stage backdoor.
“The new SUNSHUTTLE backdoor is a sophisticated second-stage backdoor that demonstrates straightforward but elegant detection evasion techniques via its ‘blend-in’ traffic capabilities for C2 communications,” FireEye added. “SUNSHUTTLE would function as a second-stage backdoor in such a compromise for conducting network reconnaissance alongside other SUNBURST-related tools.”
If the connection described by FireEye is confirmed, Sunshuttle would be the fourth malware family identified during the investigation of the supply-chain attack.