
UNC2452 missing #614

Closed
Argonyte opened this issue Jan 11, 2021 · 7 comments
Labels: missing relationships; S: in progress (Status: in progress. Ticket is currently being worked on); T: enhancement (Type: enhancement. This issue is not a bug, it improves an existing feature)

Comments

@Argonyte commented Jan 11, 2021

This is in relation to the SolarWinds supply chain hack. UNC2452 is not in the list.

UNC2452 TTP
FireEye's Blog
Sophos Blog
Microsoft's Blog
Sunburst Domains
FireEye Stated Countermeasures
Sophos IoCs

@enjeck added the "S: in progress" and "T: enhancement" labels Jan 12, 2021

@Argonyte (Author)

CrowdStrike has released a blog on UNC2452 (StellarParticle). They describe a new malware, named SUNSPOT, found on SolarWinds build servers.

CrowdStrike's Blog

@adulau (Member) commented Jan 12, 2021

There is a set of tools to add. StellarParticle would need to be added as a synonym.

@adulau (Member) commented Feb 26, 2021

Threat actor galaxy

    {
      "description": "Reporting regarding activity related to the SolarWinds supply chain injection has grown quickly since initial disclosure on 13 December 2020. A significant amount of press reporting has focused on the identification of the actor(s) involved, victim organizations, possible campaign timeline, and potential impact. The US Government and cyber community have also provided detailed information on how the campaign was likely conducted and some of the malware used.  MITRE’s ATT&CK team — with the assistance of contributors — has been mapping techniques used by the actor group, referred to as UNC2452/Dark Halo by FireEye and Volexity respectively, as well as SUNBURST and TEARDROP malware.",
      "meta": {
        "refs": [
          "https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714",
          "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
          "https://news.sophos.com/en-us/2020/12/21/how-sunburst-malware-does-defense-evasion/",
          "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/",
          "https://pastebin.com/6EDgCKxd",
          "https://github.com/fireeye/sunburst_countermeasures"
        ],
        "synonyms": [
          "DarkHalo"
        ]
      },
      "uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b",
      "value": "UNC2452"
    }

SUNSPOT added in 4692ced

@adulau (Member) commented Feb 26, 2021

Relationships to add
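The two changes discussed above (adding StellarParticle as a synonym and linking the actor cluster to the SUNSPOT tool cluster), applied to the cluster entry posted in this thread and linted the way a reviewer would before a PR. This is an added example in Python, not code from the misp-galaxy project. The SUNSPOT tool-cluster uuid is a placeholder assumption, and the shape of the `related` entry with its estimative-language tag follows the convention used in existing misp-galaxy clusters.

```python
"""Added example, not code from the misp-galaxy project: apply the two changes
discussed in this issue to the UNC2452 cluster (a "StellarParticle" synonym and
a relationship to the SUNSPOT tool cluster) and lint the result before a PR."""
import copy
import re
import uuid

# Cluster as posted in the thread (description shortened for the example).
UNC2452_CLUSTER = {
    "description": "Reporting regarding activity related to the SolarWinds "
                   "supply chain injection ... UNC2452/Dark Halo by FireEye "
                   "and Volexity respectively, as well as SUNBURST and TEARDROP malware.",
    "meta": {
        "refs": [
            "https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714",
            "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
            "https://news.sophos.com/en-us/2020/12/21/how-sunburst-malware-does-defense-evasion/",
            "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/",
            "https://pastebin.com/6EDgCKxd",
            "https://github.com/fireeye/sunburst_countermeasures",
        ],
        "synonyms": ["DarkHalo"],
    },
    "uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b",
    "value": "UNC2452",
}

# ASSUMPTION: placeholder for the uuid of the SUNSPOT entry in the tool galaxy.
# The real value lives in the galaxy commit referenced in the issue, not here.
SUNSPOT_TOOL_UUID = "00000000-0000-4000-8000-000000000001"

URL_RE = re.compile(r"^https?://\S+$")


def is_uuid4(text):
    """True only for a canonical (hyphenated) version-4 UUID string."""
    try:
        parsed = uuid.UUID(str(text))
    except (ValueError, TypeError):
        return False
    return parsed.version == 4 and str(parsed) == str(text).lower()


def add_synonym(cluster, synonym):
    """Return a copy with the synonym added, deduplicated case-insensitively
    against both the existing synonyms and the cluster's own value."""
    updated = copy.deepcopy(cluster)
    synonyms = updated.setdefault("meta", {}).setdefault("synonyms", [])
    existing = {s.casefold() for s in synonyms} | {updated["value"].casefold()}
    if synonym.casefold() not in existing:
        synonyms.append(synonym)
    return updated


def add_relationship(cluster, dest_uuid, rel_type="similar", likelihood="likely"):
    """Return a copy with a misp-galaxy style 'related' entry pointing at dest_uuid.
    The estimative-language tag and 'similar' default mirror the pattern already
    used by threat-actor clusters in the galaxy; both are parameters here."""
    updated = copy.deepcopy(cluster)
    related = updated.setdefault("related", [])
    if any(r.get("dest-uuid") == dest_uuid for r in related):
        return updated  # idempotent: relationship already present
    related.append({
        "dest-uuid": dest_uuid,
        "tags": [f'estimative-language:likelihood-probability="{likelihood}"'],
        "type": rel_type,
    })
    return updated


def validate_cluster(cluster, known_uuids=()):
    """Lint one cluster entry; returns a list of problems (empty means it passes).
    known_uuids, when given, is the set of every cluster uuid across the galaxies,
    so dangling 'related' links are caught locally instead of by CI."""
    problems = []
    for key in ("uuid", "value", "description"):
        if not cluster.get(key):
            problems.append(f"missing or empty {key}")
    if cluster.get("uuid") and not is_uuid4(cluster["uuid"]):
        problems.append(f"uuid is not a version-4 UUID: {cluster['uuid']}")
    meta = cluster.get("meta", {})
    for ref in meta.get("refs", []):
        if not URL_RE.match(ref):
            problems.append(f"ref is not an http(s) URL: {ref}")
    synonyms = [s.casefold() for s in meta.get("synonyms", [])]
    if len(set(synonyms)) != len(synonyms):
        problems.append("duplicate synonyms (case-insensitive)")
    if cluster.get("value", "").casefold() in synonyms:
        problems.append("value repeated as its own synonym")
    for rel in cluster.get("related", []):
        dest = rel.get("dest-uuid")
        if not is_uuid4(dest):
            problems.append(f"related entry has bad dest-uuid: {dest}")
        elif known_uuids and dest not in known_uuids:
            problems.append(f"dangling relationship to unknown uuid {dest}")
        if not rel.get("type") or not isinstance(rel.get("tags"), list):
            problems.append("related entry needs a type and a tags list")
    return problems


def build_updated_cluster():
    """The concrete edit this issue asks for, applied to the posted entry."""
    cluster = add_synonym(UNC2452_CLUSTER, "StellarParticle")
    return add_relationship(cluster, SUNSPOT_TOOL_UUID)


if __name__ == "__main__":
    import json
    result = build_updated_cluster()
    print(json.dumps(result, indent=2, sort_keys=True))
    print("problems:", validate_cluster(result, {result["uuid"], SUNSPOT_TOOL_UUID}))
```

Running the script prints the updated entry with keys sorted, which is how misp-galaxy's jq normalisation lays the files out, followed by an empty problem list; pass the real tool-cluster uuid and the full set of galaxy uuids to `validate_cluster` to catch a dangling `dest-uuid` before pushing.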

@r0ny123 (Contributor) commented Mar 3, 2021

There is a set of tools to add. StellarParticle would need to be added as a synonym.

Added in #631.

@Argonyte (Author) commented Mar 7, 2021

Hi! Apologies for the delay on my end. I had finals, so I was a bit busy.

I had found reports that a malware strain named Sunspot had been active since 2019 on one of the build servers of SolarWinds. Sunspot had only one purpose: to watch the build server for commands that built Orion. I had covered the entire hack in a report that I wished to forward.

Report

I would also add that Microsoft has renamed Solorigate to Nobelium (FireEye still uses UNC2452).

Also, three more strains of malware have been detected by Microsoft, namely GoldMax (FireEye identifies it as Sunshuttle), GoldFinder, and Sibot. According to Microsoft's report:

  • GoldMax or Sunshuttle is a second-stage backdoor. The GoldMax malware was discovered persisting on networks as a scheduled task impersonating systems management software.
  • Sibot is a dual-purpose malware implemented in VBScript. It is designed to achieve persistence on the infected machine then download and execute a payload from a remote C2 server.
  • GoldFinder was most likely used as a custom HTTP tracer tool that logs the route or hops that a packet takes to reach a hardcoded C2 server.

Microsoft's Blog

@adulau (Member) commented Mar 11, 2024

I think this is fixed in recent release of the Threat-Actor galaxy. Feel free to re-open if it's not the case.

@adulau adulau closed this as completed Mar 11, 2024
4 participants