SUNBURST SolarWinds RECON - Malware Reverse Engineering, OSINT and Identifying Victims
In this video we talk about three aspects of RECON with respect to SUNBURST #malware.
1. We look in more detail at the recon the malware does on the underlying victim host.
2. We look at the OSINT recon we can do on the C2 domain to gather PassiveDNS data.
3. We examine the structure of those DNS requests and how they can be reverse-engineered to identify potential victims.
There are some super-smart people analysing this malware and I'm grateful for their contributions to the wider community, so please check out the following links, write-ups and tools:
LINKS
=====
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
https://docs.google.com/spreadsheets/d/1u0_Df5OMsdzZcTkBDiaAtObbIOkMa5xbeXdKk_k0vWs/edit#gid=0
DGA Write-Ups
=============
https://mp.weixin.qq.com/s/v-ekPFtVNZG1W7vWjcuVug
https://blog.cloudflare.com/a-quirk-in-the-sunburst-dga-algorithm/
https://www.netresec.com/?page=Blog&month=2020-12&post=Reassembling-Victim-Domain-Fragments-from-SUNBURST-DNS
https://securelist.com/sunburst-connecting-the-dots-in-the-dns-requests/99862/
PDNS Data
=========
https://github.com/bambenek/research/blob/main/sunburst/uniq-hostnames.txt
https://github.com/bambenek/research/blob/main/sunburst/Important-Notes.md
TOOLS
=====
https://github.com/dnSpy/dnSpy
https://github.com/de4dot/de4dot
https://github.com/Robert-McGinley/de4dot-Installer
https://docs.umbrella.com/investigate-api/docs
https://community.riskiq.com/search/20.140.0.1
https://github.com/2igosha/sunburst_dga
https://github.com/RedDrip7/SunBurst_DGA_Decode
SAMPLE
=======
https://app.any.run/tasks/4fc6b555-4f9b-4346-8df2-b59e5796eb88/
FOLLOW
======
You can join in the conversation by following me at https://twitter.com/cybercdh
THANKS
=======
If you LIKED this video, please hit the THUMBS UP. If you LOVED it, please SUBSCRIBE!
Many thanks for watching, it means a lot. Peace out.
@cybercdh
#sunburst #solarwinds
Video "SUNBURST SolarWinds RECON - Malware Reverse Engineering, OSINT and Identifying Victims" from the Colin Hardy channel