Having been in the news for about two months now, the Sunburst/Solorigate campaign has been analyzed from many different aspects and perspectives.
The attack targets a trusted and widely deployed network-monitoring application. Because of its role, such an application is usually allowed to reach the Internet, to poll systems across the network and to probe network ports, and it typically benefits from permissive firewall and intrusion-detection rules written to accommodate exactly that behaviour. It can therefore communicate with a large number of systems, critical ones included, without raising suspicion.
However, few contributions on the campaign have approached the malware itself from a systematic point of view. The vast majority of the analyses published by the security community covered the encryption, the communication modes, the complexity of the controls enforced, or the relative simplicity of the other components of the attack. None presented a complete, integrated review of the tools used by the attacker. For this reason, and to hopefully shed some light on this malware, I wrote this report, which covers the code, the IOCs and the links I found between Sunburst and past APT campaigns.