SUNBURST

SUNBURST is a trojanized DLL designed to fit within the SolarWinds Orion software update framework: the backdoor was built into a legitimate Orion component and delivered to customers through normal product updates rather than by replacing files on the target at runtime. It was used by UNC2452 since at least February 2020.[1]

Techniques Used

Domain: Enterprise
ID: VT0027.001
Name: Encrypted Channel: Symmetric Cryptography
Use: SUNBURST encrypted C2 traffic using a single-byte XOR cipher.[2]

Domain: Enterprise
ID: VT0016.002
Name: Subvert Trust Controls: Code Signing
Use: SUNBURST was digitally signed with a SolarWinds code-signing certificate between March and May 2020, so the trojanized DLL passed signature checks as a legitimate SolarWinds component.[2]
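The Encrypted Channel entry above notes that C2 traffic was protected only by a single-byte XOR. Because such a cipher has a 256-value keyspace, an analyst can recover the key from a captured payload by brute force and a plaintext-likeness score. The block below is an added example written for this page; it is not SUNBURST code and not derived from any SolarWinds or FireEye source. The key (0x5A) and the task message are constructed for illustration and are not SUNBURST's real key or traffic.

```python
"""Single-byte XOR decoding and brute-force key recovery for captured C2 payloads.

Added example, not code from the SUNBURST page or from any vendor report.
The key and payload below are constructed for illustration only.
"""
from typing import Tuple

# Bytes we treat as "text-like" when scoring a candidate decryption.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
LETTERS_SPACE = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ ")


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with the same one-byte key.

    Encryption and decryption are the same operation, which is why a
    captured sample alone is enough to recover the key.
    """
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte (0..255)")
    return bytes(b ^ key for b in data)


def plaintext_score(data: bytes) -> float:
    """Heuristic text-likeness score, normalised per byte.

    Letters and spaces score 1.0, other printable ASCII 0.5, and control or
    high bytes are penalised heavily so that a wrong key that scatters bytes
    outside the printable range loses even if many letters survive.
    """
    score = 0.0
    for b in data:
        if b in LETTERS_SPACE:
            score += 1.0
        elif b in PRINTABLE:
            score += 0.5
        else:
            score -= 2.0
    return score / max(len(data), 1)


def recover_key(ciphertext: bytes) -> Tuple[int, bytes]:
    """Try all 256 keys and return (key, plaintext) with the most text-like result.

    A recovered key of 0 means the input already scored best as-is, i.e. it
    was probably not XOR-encoded (or is not text); treat that as "no key found".
    """
    best_key, best_score = 0, float("-inf")
    for key in range(256):
        candidate_score = plaintext_score(xor_single_byte(ciphertext, key))
        if candidate_score > best_score:
            best_key, best_score = key, candidate_score
    return best_key, xor_single_byte(ciphertext, best_key)


# Constructed sample: a made-up task message in the style of a backdoor C2
# response. Neither the key nor the message is taken from real SUNBURST traffic.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = b"TaskId=17;Cmd=CollectSystemDescription;Args=hostname, domain"
SAMPLE_CIPHERTEXT = xor_single_byte(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    key, plaintext = recover_key(SAMPLE_CIPHERTEXT)
    print(f"recovered key 0x{key:02x}: {plaintext.decode('ascii', 'replace')}")
```

The scoring function is deliberately simple; for binary or compressed payloads, where the decrypted bytes are not text, a practitioner would swap in a known-header check (for example a PE or JSON prefix) instead of the printable-ASCII heuristic.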

References

ID: VS0002
Type: MALWARE
Platforms: Windows
Version: 1.0

Created: 24 February 2021

Last Modified: 03 March 2021