SOMBRAT Backdoor
Summary
SOMBRAT is a modular backdoor in which the primary plugins interoperate to communicate with a command and control server to download additional payloads.
Affected platforms
The following platforms are known to be affected:
Threat details
Introduction
SOMBRAT (also stylised as SombRAT) is a modular C++ backdoor that uses several plugins to provide additional capability to attackers. Believed to have been used first in October 2019 in the CostaRicto campaigns, it has been used by the UNC2447 advanced persistent threat group since April 2021 to deliver the FIVEHANDS ransomware.
Delivery
In the CostaRicto campaigns, there were unconfirmed reports suggesting SOMBRAT was delivered after access was gained using stolen credentials. During the FIVEHANDS campaigns, UNC2447 has exploited a known vulnerability in SonicWall SMA 100 appliances to distribute the backdoor.
Activities
SOMBRAT consists of five primary modules: core, network, storage, taskman, and debug.
- core – coordinates state information about the system and the loading and unloading of the dynamic plugins
- network – facilitates communication to the command and control server (C2) using DNS and TCP protocols
- storage – helps to read and write information used by the plugins in an encrypted file
- taskman – aids the operator to list and stop processes
- debug – records debug messages
SOMBRAT uses these modules to download additional shellcode and DLL plugins sent from the C2 server. These payloads can then be loaded directly into memory to provide further functionality to attackers, including arbitrary code execution. SOMBRAT attempts to avoid detection by altering process listings so that a process appears simply as “powershell.exe”, hiding its command line arguments and any references to uncommon filenames.
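As an added illustration of a defensive cross-check for the process-list tampering described above (example code written for this page, not NHS Digital's or any vendor's tooling): it compares constructed process-creation records, where the command line is still intact, with a later process-list snapshot and flags entries that show only "powershell.exe" while the creation record, the image name, or network activity says otherwise. Record fields and sample values are assumptions for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcRecord:
    pid: int
    image: str             # executable file name reported for the process
    cmdline: str           # command line as seen by this data source
    remote_conns: int = 0  # outbound TCP/DNS connections attributed to the pid

def normalise(cmd: str) -> str:
    """Collapse whitespace, quotes and casing so cosmetic differences do not trigger findings."""
    return " ".join(cmd.strip().strip('"').split()).lower()

BARE = {"powershell.exe", "powershell"}

def find_suspicious(creation: list, live: list) -> list:
    """Flag live entries that show only 'powershell.exe' while other telemetry disagrees.

    creation: records captured at process start (command line still intact).
    live:     the same processes as reported by a later process-list snapshot.
    Returns (pid, reason, detail) tuples in snapshot order.
    """
    at_start = {r.pid: r for r in creation}
    findings = []
    for cur in live:
        if normalise(cur.cmdline) not in BARE:
            continue  # only the evasion pattern described above is of interest here
        orig = at_start.get(cur.pid)
        if orig is not None and normalise(orig.cmdline) != normalise(cur.cmdline):
            findings.append((cur.pid, "command line rewritten since creation", orig.cmdline))
        elif cur.image.lower() != "powershell.exe":
            findings.append((cur.pid, "claims powershell.exe but image differs", cur.image))
        elif cur.remote_conns > 0:
            findings.append((cur.pid, "bare powershell.exe holding network connections", str(cur.remote_conns)))
    return findings

# Constructed sample telemetry (not real observations); placeholders stand in for real arguments.
CREATION = [
    ProcRecord(500, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcRecord(3300, "powershell.exe", "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"),
    ProcRecord(4120, "powershell.exe", "powershell.exe -w hidden -enc <encoded-command>"),
    ProcRecord(5012, "powershell.exe", "powershell.exe"),
    ProcRecord(6101, "powershell.exe", "powershell.exe"),
]
LIVE = [
    ProcRecord(500, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcRecord(3300, "powershell.exe", "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"),
    ProcRecord(4120, "powershell.exe", "powershell.exe"),          # arguments hidden in live view
    ProcRecord(5012, "svchost_update.exe", "powershell.exe"),      # uncommon filename hidden
    ProcRecord(6101, "powershell.exe", "powershell.exe", 2),       # bare, yet talking out
]

if __name__ == "__main__":
    for pid, reason, detail in find_suspicious(CREATION, LIVE):
        print(f"pid {pid}: {reason} ({detail})")
```

Legitimate administrative PowerShell (pid 3300) is untouched because its command line is identical in both views and is not bare.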
Remediation advice
As SOMBRAT distribution relies on exploitation of CVE-2021-20016, patching this vulnerability will prevent infection. Affected organisations are encouraged to review the SonicWall SMA 100 Series Firmware Update cyber alert and apply the necessary update.
To prevent and detect an infection, NHS Digital advises that:
- Secure configurations are applied to all devices.
- Security updates are applied at the earliest opportunity.
- Tamper protection settings in security products are enabled where available.
- Obsolete platforms are segregated from the rest of the network.
- IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
- Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
- Administrative accounts are only used for necessary purposes.
- Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
- Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.
Please note that the NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.
Last edited: 6 May 2021 12:01 pm