SUNBURST SolarWinds Malware - Tools, Tactics and Methods to get you started with Reverse Engineering
Here we take a look inside some of the most complex, elegant, well-crafted malware I've seen, known as SUNBURST and responsible for the global SolarWinds compromise. This code is a malicious DLL, loaded by the parent platform, and it blends in exceptionally well with the surrounding code ecosystem.
We start by using dnSpy to decompile the .NET code, giving us access to the source code, and I show you my methodologies for finding things of interest and how to go down the rabbit hole with your analysis.
We cover FNV-1 hashing (something I'd never heard of!) and also variants of the Base64 encoding routine which the bad guys are using to mask their malicious code.
This is one of the most fascinating backdoors I've had hands-on, and there is much more to come with the analysis. I'd love to hear how you get on pulling apart this code too.
Special thanks to the folks at FireEye; their research on this malware is exceptional.
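The FNV-1 hashing mentioned above, as an added example that is not code from the video or from the cybercdh tool: the standard 64-bit FNV-1 and FNV-1a routines, plus the lookup an analyst does to turn opaque hash constants lifted from a decompiled sample back into readable names by hashing guessed strings. The hash set and candidate names are constructed for the demo; which exact FNV variant (and any extra masking) SUNBURST uses is not stated on this page.

```python
from typing import Dict, Iterable, Set

# Standard 64-bit FNV parameters (see the Fowler-Noll-Vo link below).
FNV64_OFFSET = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1


def fnv1_64(data: bytes) -> int:
    """FNV-1: multiply by the prime first, then XOR in the next byte."""
    h = FNV64_OFFSET
    for b in data:
        h = (h * FNV64_PRIME) & MASK64
        h ^= b
    return h


def fnv1a_64(data: bytes) -> int:
    """FNV-1a: XOR the byte in first, then multiply (the more common variant)."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h


def match_hashed_names(candidates: Iterable[str], wanted: Set[int]) -> Dict[str, int]:
    """Hash each candidate name (lower-cased, as names usually are before
    hashing) with both variants and return the names whose hash appears in
    `wanted`. This is the analyst's side of hash-based string hiding: you
    cannot reverse the hash, but you can hash likely names and look for hits."""
    hits: Dict[str, int] = {}
    for name in candidates:
        raw = name.lower().encode("utf-8")
        for h in (fnv1_64(raw), fnv1a_64(raw)):
            if h in wanted:
                hits[name] = h
    return hits


# Constructed demo data: pretend these constants were copied out of a
# decompiled binary. They are simply FNV hashes of two names below, not IoCs.
DEMO_HASHES = {fnv1a_64(b"procmon.exe"), fnv1_64(b"wireshark.exe")}

if __name__ == "__main__":
    # Known FNV test vectors for the single byte "a".
    print(hex(fnv1_64(b"a")), hex(fnv1a_64(b"a")))
    print(match_hashed_names(["Procmon.exe", "notepad.exe", "Wireshark.exe"], DEMO_HASHES))
```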
LINKS
=====
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
https://github.com/fireeye/sunburst_countermeasures
https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/
https://us-cert.cisa.gov/ncas/alerts/aa20-352a
https://cyber.dhs.gov/ed/21-01/
https://en.wikipedia.org/wiki/Fowler%E2%80%93Noll%E2%80%93Vo_hash_function
TOOLS
======
dnSpy - https://github.com/dnSpy/dnSpy
PeStudio - https://www.winitor.com
FNV-1 Hashing tool - https://github.com/cybercdh/hacks/tree/master/sunburst
SAMPLE
=======
https://app.any.run/tasks/4fc6b555-4f9b-4346-8df2-b59e5796eb88/
FOLLOW
======
You can join in the conversation by following me at https://twitter.com/cybercdh
THANKS
=======
If you LIKED this video, please hit the THUMBS UP. If you LOVED it, please SUBSCRIBE!
Many thanks for watching, it means a lot. Peace out.
@cybercdh
Video: SUNBURST SolarWinds Malware - Tools, Tactics and Methods to get you started with Reverse Engineering, from the channel Colin Hardy