SUNSPOT Malware

The SUNSPOT Malware is a Trojan that injects corrupted code into other programs during the assembly process, typically due to a supply-chain-compromising attack. The threat actor currently uses it for distributing secondary Trojans with backdoor capabilities for supposed spying on compromised systems. Users should disable updates and software from companies with compromised servers and appropriately use anti-malware utilities for removing the SUNSPOT Malware and all related threats.

Notorious Names in Hacking Resurfacing for Espionage

Supply-chain breaches involve some of the most sophisticated and specialized threats, exploits, and phishing lures available to the Black Hat hackers. The confirmation of the SUNSPOT Malware, the third Trojan in a massive pseudo-hijacking of SolarWinds Inc's internal servers, is clear evidence that high-stakes hacking is alive in 2021. While the earliest test cases of the SUNSPOT Malware go back to 2019, its eventual verification as an independent threat to its other cohorts, Sunburst and Teardrop, better shows the attacker's operational strategy.

The SUNSPOT Malware is a specialized Trojan that monitors build servers for commands to assemble a target application – such as SolarWinds' Orion Platform, a modular network management tool. With each build, the SUNSPOT Malware replaces code with corrupted equivalents. Although this attack might deliver various consequences, for now, the threat actor turns official but compromised Orion software updates into dual-purpose installers for a second Trojan, Sunburst.

Sunburst also is 'only' a delivery mechanism that monitors infected systems to determine whether they're worth further attention from the still-unattributed threat actor. In a positive case, the attacker infects the system with another backdoor Trojan, Teardrop, for long-term surveillance. Also of note is that Sunburst shares some internal code resemblance with Kazuar, which raises the Turla APT's specter – although this identity lead is tentative.

Toning Down the Lights of Update-Riding Spies

Like those in the SUNSPOT Malware's campaign, a supply-chain attack is highly-suitable for breaching multinational corporate entities or government networks. Some institutions assert that the trio of threats is the responsibility of Russian intelligence operatives publicly. However, in the absence of more significant evidence, the security industry refers to the SUNSPOT Malware's threat actor by neutral aliases, such as StellarParticle and DarkHalo.

Home users are at little risk from the SUNSPOT Malware, but workers should monitor the normal infection vectors, any of which might be part of the SUNSPOT Malware's deployment mechanisms. E-mail phishing tactics with fake invoice documents, obfuscated weblinks over social messaging platforms, and brute-forcing weak passwords are some of the vulnerabilities malware experts warn against taking too lightly. Naturally, administrators also should disable software with compromised update servers until confirmation of the company's renewed security.

Standard security solutions should include database updates to identify and remove the SUNSPOT Malware, Sunburst, or Teardrop from victims' systems correctly. Recommendations for post-disinfection precautions include changing passwords and other credentials that the attackers may steal after gaining backdoor access to the device or PC.

Because of the resources that go into making them happen, supply-chain attacks are always news, even to otherwise-jaded security researchers. Malware experts recommend that users treat the SUNSPOT Malware as a valuable lesson on maintaining overall-strong network security and not taking the safety of even legitimate updates for granted.