NOBELIUM Group

Try in Splunk Security Cloud

Description

Sunburst is a trojanized updates to SolarWinds Orion IT monitoring and management software. It was discovered by FireEye in December 2020. The actors behind this campaign gained access to numerous public and private organizations around the world.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint, Network_Traffic, Web
• Last Updated: 2020-12-14
• Author: Patrick Bareiss, Michael Haag, Splunk
• ID: 758196b5-2e21-424f-a50c-6e421ce926c2

Narrative

This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) of the NOBELIUM Group. The threat actor behind sunburst compromised the SolarWinds.Orion.Core.BusinessLayer.dll, is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers. The detections in this Analytic Story are focusing on the dll loading events, file create events and network events to detect This malware.

Detections

Name	Technique	Type
Anomalous usage of 7zip	Archive via Utility, Archive Collected Data	Anomaly
Anomalous usage of Archive Tools	Archive via Utility, Archive Collected Data	Anomaly
Detect Outbound SMB Traffic	File Transfer Protocols, Application Layer Protocol	TTP
Detect Prohibited Applications Spawning cmd exe	Command and Scripting Interpreter, Windows Command Shell	Hunting
Detect Rundll32 Inline HTA Execution	System Binary Proxy Execution, Mshta	TTP
First Time Seen Running Windows Service	System Services, Service Execution	Anomaly
Malicious PowerShell Process - Encoded Command	Obfuscated Files or Information	Hunting
Sc exe Manipulating Windows Services	Windows Service, Create or Modify System Process	TTP
Scheduled Task Deleted Or Created via CMD	Scheduled Task, Scheduled Task/Job	TTP
Schtasks scheduling job on remote system	Scheduled Task, Scheduled Task/Job	TTP
Sunburst Correlation DLL and Network Event	Exploitation for Client Execution	TTP
Supernova Webshell	Web Shell	TTP
TOR Traffic	Application Layer Protocol, Web Protocols	TTP
Windows AdFind Exe	Remote System Discovery	TTP
Windows Rundll32 Inline HTA Execution	System Binary Proxy Execution, Mshta	TTP

Reference

• https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
• https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
• https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/

source | version: 2