Skip to main content

SUNSHUTTLE Backdoor

First observed in August 2020, SUNSHUTTLE is UNC2452’s C2 implant. Written in Go, it appears to have been used in combination with a number of other UNC2452 tools as part of their SolarWinds Orion compromise.

Threat ID:
CC-3789
Category:
Backdoor
Threat Severity:
Medium
Threat Vector:
Vulnerability
Published:
16 March 2021 9:24 AM
Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

First observed in August 2020, SUNSHUTTLE is UNC2452’s C2 implant. Written in Go, it appears to have been used in combination with a number of other UNC2452 tools as part of their SolarWinds Orion compromise.

Affected platforms

The following platforms are known to be affected:

Versions: all supported

Microsoft Windows

Threat details

Introduction

SUNSHUTTLE, also known as GoldMax, is a sophisticated second-stage backdoor used by the UNC2452 advanced persistent threat group. This backdoor was used in conjunction with other UNC2452 tools such as GoldFinger and Sibot during the SolarWinds Orion supply chain compromise.

Delivery

At the time of publication, it is unclear how SUNSHUTTLE is delivered. However, based on UNC2452’s known activity, it is likely that SUNSHUTTLE is delivered to target systems via compromised Orion installations.

Activities

Once executed, SUNSHUTTLE enumerates the user’s MAC address and compares it to a hard-coded MAC address as an anti-analysis check. It then creates a configuration file containing encoded and encrypted data. The data contained within the configuration file determines whether SUNSHUTTLE disguises its network activity within legitimate traffic, as well as the domains it will use to do this. SUNSHUTTLE then attempts to connect to a command and control (C2) server in order to obtain an RSA-encrypted session key, believed to be used to encrypt its communications.

After successfully connecting to a C2 server, SUNSHUTTLE will begin beaconing for new commands. At the time of publication, SUNSHTTLE is able to upload or download files, execute commands, or update its configuration file.

Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.

Indicators of compromise

Network indicators

IP addresses

  • 185[.]225[.]69[.]69

URLs

  • https://srfnetwork[.]org
  • https://reyweb[.]com
  • https://onetechcompany [.]com
Host indicators

SHA256 hashes

  • 70d93035b0693b0e4ef65eb7f8529e6385d698759cc5b8666a394b2136cc06eb
  • 0e1f9d4d0884c68ec25dec355140ea1bab434f5ea0f86f2aade34178ff3a7d91
  • 247a733048b6d5361162957f53910ad6653cdef128eb5c87c46f14e7e3e46983
  • f28491b367375f01fb9337ffc137225f4f232df4e074775dd2cc7e667394651c
  • 611458206837560511cb007ab5eeb57047025c2edc0643184561a6bf451e8c2c
  • b9a2c986b6ad1eb4cfb0303baede906936fe96396f3cf490b0984a4798d741d8
  • bbd16685917b9b35c7480d5711193c1cd0e4e7ccb0f2bf1fd584c0aebca5ae4c

Last edited: 18 March 2021 3:44 pm