Sunspot malware used to inject #Solarwinds backdoor has the marks of a consummate software engineer's attention to detail
Source-level backdoor, injected at build time, into rarely changing file
https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/

Operating at source level lets the same backdoor keep working even as the SolarWinds Orion code is modified around it; the attacker does not have to watch every commit and race to update the backdoor for compatibility
2/N
Injecting it at build time keeps any trace out of the source repository (such as git), where its presence could be discovered in commit logs or by manual review
3/N
And for good measure the malware verified that the target file replaced by the backdoor had not changed in the original code base
(Otherwise the swap could produce compiler errors that alert defenders, e.g. if another file refers to a new function that is missing from the backdoored version)
4/N
One edge case that could have blown the cover: if SolarWinds changed the compiler version or build settings.
The backdoor could then introduce spurious build errors not present in the original (e.g. use of a deprecated API, or more aggressive warnings treated as errors…)
Remarkable craftsmanship overall
5/5
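The two mechanics the thread calls out, the build-time swap that leaves no trace in the checkout (3/N) and the pre-check that the target file is still the version the backdoor was written against (4/N), together with the defender-side check that catches the swap, as an added example. This is illustrative code written for this page, not SUNSPOT's code and not anything from the CrowdStrike analysis; the file name InventoryManager.cs, the Beacon()/Audit() methods, the use of SHA-256 and the manifest format are all assumptions made here (the real malware's file names and hash algorithm are documented in the linked write-up).

```python
"""Build-time source substitution with a hash pre-check, plus the
integrity check a defender would need to catch it. Added example;
all names and the sample C# are hypothetical and constructed here."""
import hashlib
import os
import tempfile
from typing import Dict, List, Optional


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file's bytes."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


class BuildTimeSwapper:
    """Attacker-side model (hypothetical): replace one rarely changing
    source file only while the build runs, and only if the file still
    matches the hash recorded when the backdoored copy was written."""

    def __init__(self, target: str, backdoored: bytes, expected_hash: str):
        self.target = target
        self.backdoored = backdoored
        self.expected_hash = expected_hash
        self.original: Optional[bytes] = None

    def swap_in(self) -> bool:
        # The pre-check from tweet 4/N: if upstream changed this file, the
        # backdoored copy may no longer compile against the rest of the tree,
        # so abort rather than risk a build error that alerts defenders.
        if sha256_file(self.target) != self.expected_hash:
            return False
        with open(self.target, "rb") as f:
            self.original = f.read()
        with open(self.target, "wb") as f:
            f.write(self.backdoored)
        return True

    def restore(self) -> None:
        # Put the original back so the checkout (and therefore the repo)
        # carries no trace once the build has finished.
        if self.original is not None:
            with open(self.target, "wb") as f:
                f.write(self.original)
            self.original = None


def manifest(root: str) -> Dict[str, str]:
    """Hash every .cs file under root, keyed by path relative to root."""
    out: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".cs"):
                full = os.path.join(dirpath, name)
                out[os.path.relpath(full, root)] = sha256_file(full)
    return out


def tampered_inputs(root: str, trusted: Dict[str, str]) -> List[str]:
    """Defender-side check: files on disk that differ from a trusted
    manifest (e.g. one computed from the git tree the build claims to use).
    Only meaningful if run on what the compiler actually reads, i.e. at
    compile time, not on the checkout before or after the build."""
    seen = manifest(root)
    return sorted(p for p in set(trusted) | set(seen)
                  if trusted.get(p) != seen.get(p))


def demo() -> Dict[str, object]:
    """Constructed scenario: a two-file tree, a swap during the build, a
    restore afterwards, then an upstream change that makes the swap abort."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "InventoryManager.cs")  # hypothetical name
        clean = b"class InventoryManager { void Refresh() { } }\n"
        with open(target, "wb") as f:
            f.write(clean)
        with open(os.path.join(root, "Main.cs"), "wb") as f:
            f.write(b"class Main { void Run() { new InventoryManager().Refresh(); } }\n")
        trusted = manifest(root)  # stands in for "what git HEAD says the inputs are"

        backdoored = clean.replace(b"void Refresh() { }",
                                   b"void Refresh() { Beacon(); } void Beacon() { }")
        swapper = BuildTimeSwapper(target, backdoored,
                                   hashlib.sha256(clean).hexdigest())

        before = tampered_inputs(root, trusted)   # checkout looks clean
        swapped = swapper.swap_in()
        during = tampered_inputs(root, trusted)   # only a compile-time check sees it
        swapper.restore()
        after = tampered_inputs(root, trusted)    # clean again: nothing for git to show

        # Upstream adds a method, so the recorded hash no longer matches and
        # the swap aborts instead of producing a mismatched build.
        with open(target, "wb") as f:
            f.write(clean.replace(b"}\n", b" void Audit() { } }\n"))
        swapped_after_change = swapper.swap_in()

    return {"before": before, "swapped": swapped, "during": during,
            "after": after, "swapped_after_change": swapped_after_change}


if __name__ == "__main__":
    print(demo())
```

The asymmetry worth noticing is that `tampered_inputs` only reports the backdoor while the build is in flight; hashing the checkout before the build or auditing the repository afterwards both come back clean, which is exactly why the thread stresses build-time injection. In practice that means checking the inputs at the compiler boundary (or comparing independently reproduced build outputs) rather than trusting the source tree.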