

Without any updates, SentinelOne customers are protected from SUNBURST; additionally, our customers have been supplied bespoke in-product hunting packs for real-time artifact observability.

The malware deployed through the SolarWinds Orion platform waits 12 days before it executes. This common phenomenon is a prime example of why lengthy EDR data retention is critical. After the 12-day dormant period, SUNBURST's malicious code looks for processes, services, and drivers. You can find each list at the end of this research.

List of processes: includes mostly monitoring tools, such as Sysinternals and researchers' tools. If they are seen, SUNBURST exits and does not run.

List of services: includes security products that have weak anti-tamper measures. SUNBURST goes to the registry and tries to disable them. The backdoor may have bypassed these products, or at least tried to. SentinelOne is not on this list, and even if it were, SentinelOne's anti-tamper capability protects against such attempts (without any special configuration needed).

List of drivers: the third list is shorter and includes a list of drivers; among them is SentinelOne. When SUNBURST sees the drivers, it exits before initiating any C2 communication or enabling additional payloads.

The following analysis demonstrates the above key findings.

Interesting functionality resides within the UpdateNotification() and Update() methods; more specifically, the true payload lies within an important while() loop. The TrackProcesses() method (called both by Update and UpdateNotification) is responsible for querying the running processes on the victim's machine to find process, service, and driver names of interest. This routine gets a list of running process objects, then passes it to three methods for identifying blacklisted processes/services. These methods return true if a blacklisted process/service is found, causing the malware to break out of the Update() loop. The hash of each process name is calculated and then checked against a blacklist of hardcoded hashes.
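The hashed-name blocklist check described above, together with the analyst-side step of recovering readable tool names from the opaque hash constants, as an added example that is not code from the original post or from SUNBURST itself. The hash algorithm (64-bit FNV-1a over the lower-cased name), the helper names and the sample blocklist are assumptions, since the post gives neither the algorithm nor the constants.

```python
# Added example: models a hashed process-name blocklist and shows how an
# analyst maps the hash constants back to names. Not SentinelOne's or
# SUNBURST's code; the hash (64-bit FNV-1a over the lower-cased name) and
# the sample names are assumptions, and the hash list below is constructed.

FNV_OFFSET = 0xCBF29CE484222325
FNV_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1


def name_hash(name):
    """Assumed hash: 64-bit FNV-1a of the lower-cased UTF-8 process name."""
    h = FNV_OFFSET
    for b in name.lower().encode("utf-8"):
        h = ((h ^ b) * FNV_PRIME) & MASK64
    return h


# Constructed stand-in for the hard-coded blocklist a sample would carry:
# only the hashes live in the binary, the names never do. TcpView and the
# other names are Sysinternals monitoring tools of the kind the post mentions.
BLOCKLIST_HASHES = frozenset(name_hash(n) for n in ("procmon", "tcpview", "autoruns"))


def track_processes(running, blocklist=BLOCKLIST_HASHES):
    """Mirror of the check the post describes: hash each running process
    name and return True on the first blocklist hit (the malware then stops)."""
    return any(name_hash(p) in blocklist for p in running)


def resolve_hashes(blocklist, candidates):
    """Analyst side: hash a dictionary of known tool names and map each
    blocklist constant back to the name that produced it. Constants with no
    candidate match are left out, so the caller can see what is still unknown."""
    lookup = {name_hash(c): c for c in candidates}
    return {h: lookup[h] for h in blocklist if h in lookup}


if __name__ == "__main__":
    # Constructed sample of running process names on a monitored host.
    running = ["svchost", "explorer", "TcpView"]
    print("blocklisted tool present:", track_processes(running))
    print(resolve_hashes(BLOCKLIST_HASHES, ["notepad", "procmon", "tcpview", "autoruns"]))
```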
