
SUNBURST SolarWinds Malware - Tools, Tactics and Methods to get you started with Reverse Engineering

Here we take a look inside some of the most complex, elegant, well-crafted malware I've seen, known as SUNBURST and responsible for the global SolarWinds compromise. This code is a malicious DLL, loaded by the parent platform, that blends in exceptionally well with the rest of the code ecosystem.

We start by using DNSpy to decompile the .NET code, giving us access to the source code and I show you my methodologies for finding stuff of interest and how to go down the rabbit hole with your analysis.

We cover FNV-1 hashing (something I'd never heard of!) and also variants of the Base64 encoding routine which the bad guys are using to mask their malicious code.
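The two techniques named above, as an added example that is not code from the video, from FireEye or from the linked FNV tool: a plain FNV-1 (and FNV-1a) 64-bit implementation using the standard constants from the Wikipedia page linked below, a reverse-lookup helper that resolves hashes found in a sample against a wordlist (the defensive use case for a hashing tool), and a decoder for Base64 that uses a shuffled alphabet. The wordlist, the "unknown" hashes and the rotated alphabet are all constructed for the example; a real sample may use modified FNV constants or a different alphabet, which you would read out of the decompiled code and drop into the parameters here.

```python
import base64

# Standard 64-bit FNV parameters (offset basis and prime from the
# Fowler-Noll-Vo reference; a given sample may deviate from these).
FNV64_OFFSET_BASIS = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1


def fnv1_64(data: bytes) -> int:
    """Classic FNV-1: multiply by the prime first, then XOR in each byte."""
    h = FNV64_OFFSET_BASIS
    for b in data:
        h = (h * FNV64_PRIME) & MASK64
        h ^= b
    return h


def fnv1a_64(data: bytes) -> int:
    """FNV-1a: XOR in the byte first, then multiply. Same constants, swapped order."""
    h = FNV64_OFFSET_BASIS
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h


def build_hash_table(names, hash_fn=fnv1_64):
    """Map hash -> plaintext for a wordlist so hashes pulled from a sample can be resolved."""
    return {hash_fn(n.encode("utf-8")): n for n in names}


def resolve_hashes(unknown_hashes, wordlist, hash_fn=fnv1_64):
    """Return {hash: name} for every unknown hash that some wordlist entry produces."""
    table = build_hash_table(wordlist, hash_fn)
    return {h: table[h] for h in unknown_hashes if h in table}


STD_B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def decode_custom_base64(text: str, alphabet: str) -> bytes:
    """Decode Base64 written with a shuffled 64-character alphabet.

    The variant alphabet is translated back onto the standard one and the
    result is handed to the normal decoder; padding is restored if dropped.
    """
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain 64 distinct characters")
    std = text.translate(str.maketrans(alphabet, STD_B64))
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std, validate=True)


# Constructed variant alphabet for the example: the standard alphabet rotated by one.
CUSTOM_B64 = STD_B64[1:] + STD_B64[0]

if __name__ == "__main__":
    # Constructed wordlist and constructed "unknown" hashes (one resolvable, one not).
    wordlist = ["explorer.exe", "svchost.exe", "procmon.exe"]
    unknown = [fnv1_64(b"procmon.exe"), 0x1234]
    print({hex(h): n for h, n in resolve_hashes(unknown, wordlist).items()})
    # "bHWtcH9=" is "hello" encoded with CUSTOM_B64 (constructed).
    print(decode_custom_base64("bHWtcH9=", CUSTOM_B64))
```

When you lift hashes out of a decompiled sample, first confirm which variant (FNV-1 vs FNV-1a) and which constants it uses by hashing a string you can see in the code and comparing; only then is a wordlist lookup meaningful.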

This is one of the most fascinating backdoors I've had hands-on, and there is much more to come with the analysis. I'd love to hear how you get on pulling apart this code too.

Special thanks to the folks at FireEye, their research on this malware is exceptional.

LINKS
=====
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
https://github.com/fireeye/sunburst_countermeasures
https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/
https://us-cert.cisa.gov/ncas/alerts/aa20-352a
https://cyber.dhs.gov/ed/21-01/
https://en.wikipedia.org/wiki/Fowler%E2%80%93Noll%E2%80%93Vo_hash_function

TOOLS
======
dnSpy - https://github.com/dnSpy/dnSpy
PeStudio - https://www.winitor.com
FNV-1 Hashing tool - https://github.com/cybercdh/hacks/tree/master/sunburst

SAMPLE
=======
https://app.any.run/tasks/4fc6b555-4f9b-4346-8df2-b59e5796eb88/

FOLLOW
======
You can join in the conversation by following me at https://twitter.com/cybercdh

THANKS
=======
If you LIKED this video, please hit the THUMBS UP. If you LOVED it, please SUBSCRIBE!

Many thanks for watching, it means a lot. Peace out.
@cybercdh

Video "SUNBURST SolarWinds Malware - Tools, Tactics and Methods to get you started with Reverse Engineering" from the channel Colin Hardy
Video information
18 December 2020 12:01:21
00:29:30