Microsoft SolarWinds analysis: Attackers hid inside Windows systems by wearing the skins of legit processes

Thorough counter-detection methods laid bare by Redmond


The SolarWinds hackers triggered one of their Cobalt Strike implants in the firm's network through a cunning VBScript that was activated by a routine system process, Microsoft has said.

Microsoft's deep dive, published yesterday following SolarWinds' own take on the malware, repeated earlier findings that the hackers went to unusual lengths to disguise their intrusion and avoid detection.

Specifically, the compromised DLL file was quietly deployed onto targeted systems by mimicking legitimate file names – and the attackers worked between 8am and 5pm to increase the odds of not being spotted.

Micros~1 summarised its findings in a blog post by saying:

Each Cobalt Strike DLL implant was prepared to be unique per machine and avoided at any cost overlap and reuse of folder name, file name, export function names, C2 domain/IP, HTTP requests, timestamp, file metadata, config, and child process launched. This extreme level of variance was also applied to non-executable entities, such as WMI persistence filter name, WMI filter query, passwords used for 7-zip archives, and names of output log files.

It continued: "Applying this level of permutations for each individual compromised machine is an incredible effort normally not seen with other adversaries and done to prevent full identification of all compromised assets inside a network or effective sharing of threat intel between victims."

Much of the infosec commentary around the SolarWinds supply chain attack has reused the tired old clichés of stating the attackers were sophisticated, advanced, cunning, soft, strong, thoroughly absorbent, and so on. In this case the clichés appear to be true because the attackers "first enumerated remote processes and services running on the target host" and only moved through the target network "after disabling certain security services."

Those techniques included editing the Windows registries of target machines to disable autostarting of security processes – and then waiting until the target machine was rebooted before moving in for the kill.

"The combination of a complex attack chain and a protracted operation means that defensive solutions need to have comprehensive cross-domain visibility into attacker activity and provide months of historical data with powerful hunting tools to investigate as far back as necessary," Microsoft sighed.

The analysis includes indicators of compromise and techniques used by the attackers to skate around SolarWinds's networks but, unusually for infosec research, expresses them in plain English that any averagely skilled IT pro can follow. It's well worth a read.

The attackers also used the mildly unusual reflective DLL loading attack technique. A full explanation can be read here, also from Microsoft. Briefly, the technique allows malicious DLL files to be loaded into a process without first having been registered with it – and does so from memory, via a custom loader deployed by the attacker, rather than pulling it from a potentially detectable disk location.

Relatedly, custom Cobalt Strike loaders developed by the hackers strongly resembled "legitimate Windows file and directory names, once again demonstrating how the attackers attempted to blend in the environment and hide in plain sight," said MS.

The autopsies of the biggest supply chain attack for years will doubtless continue, but one thing's for sure: whichever nation state was behind it, they really knew what they were doing and really didn't want to be caught in the act. ®


Biting the hand that feeds IT © 1998–2021