Sunspot – The third malware involved in the SOLARWINDS attack

Cybersecurity company CrowdStrike announced the discovery of a third malware strain, called SUNSPOT, directly related to the SolarWinds attacks.

According to a new report released by the cybersecurity company CrowdStrike, a third type of malware called SUNSPOT is related to the recently disclosed SolarWinds attack.

SUNSPOT was discovered after the SUNBURST backdoor and the TEARDROP malware, but in chronological order it may be the first code involved in the attack.

At the time of writing the report, CrowdStrike did not attribute any of the three implants to any known threat actors.

CrowdStrike tracks the threat actor behind the SolarWinds attack as StellarParticle, while FireEye and Microsoft identify it as UNC2452 and Volexity as DarkHalo.

The attackers used SUNSPOT to insert the SUNBURST backdoor into builds of the SolarWinds Orion IT management product.

“SUNSPOT monitors the running processes during the compilation of Orion products and replaces one of the source files to include the SUNBURST backdoor code,” states the report issued by the security company.

“Some protection measures have been added to SUNSPOT to avoid failures of the Orion build, which may alert developers to the existence of opponents.”

After SUNSPOT detects the build command, it inserts malicious code into the Orion application to build a tainted version of the legitimate software.

The threat actors put considerable effort into developing the SUNSPOT code to ensure that the malicious code was injected covertly.

“When SUNSPOT finds the path of the Orion solution file in the running MsBuild.exe process, it will replace the source code file in the solution directory with a malicious variant to inject SUNBURST when building Orion. Although SUNSPOT supports substituting multiple files, the identified copy only replaces InventoryManager.cs,” the report continues.
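A defender's check for the substitution described above, added here as an example and not taken from CrowdStrike's report or from SolarWinds' own tooling: hash the solution's source files right after checkout and again while or after MSBuild runs, and flag any file whose contents changed in between. The directory layout and file contents are constructed for the demo; in practice the baseline should come from the version control system, not from the build host itself.

```python
"""Detect a source file in the solution directory being swapped between
checkout and build, the pattern the article attributes to SUNSPOT."""
import hashlib
import tempfile
from pathlib import Path

# File types MSBuild reads when compiling a .NET solution (assumed set)
SOURCE_EXTENSIONS = {".cs", ".csproj", ".sln", ".props", ".targets"}


def snapshot(solution_dir):
    """Map each source file (path relative to the solution root) to its SHA-256."""
    root = Path(solution_dir)
    result = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SOURCE_EXTENSIONS:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[path.relative_to(root).as_posix()] = digest
    return result


def diff_snapshots(baseline, current):
    """Report files whose hash changed, and files added or removed, since baseline."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"changed": changed, "added": added, "removed": removed}


def demo():
    """Constructed scenario: checkout, then a build-time swap of InventoryManager.cs."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src"
        src.mkdir()
        (src / "Orion.sln").write_text("Microsoft Visual Studio Solution File\n")
        (src / "InventoryManager.cs").write_text("class InventoryManager { }\n")
        (src / "Program.cs").write_text("class Program { }\n")
        baseline = snapshot(src)  # taken right after checkout, before MSBuild starts
        # Simulate the substitution (constructed, benign replacement text)
        (src / "InventoryManager.cs").write_text("class InventoryManager { /* swapped */ }\n")
        at_build = snapshot(src)  # taken while MSBuild runs or right after it finishes
        return diff_snapshots(baseline, at_build)


if __name__ == "__main__":
    print(demo())  # {'changed': ['InventoryManager.cs'], 'added': [], 'removed': []}
```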

The report released by CrowdStrike includes new indicators of compromise (IoCs) and YARA rules for detecting the threat.

SolarWinds also released an update about the attack, which shows that the malware was deployed to customers between March 2020 and June 2020, but that the threat actors had tested it between September 2019 and November 2019.


“Our current timetable for the incident starts in September 2019. This is the earliest suspicious activity on our internal system discovered by our forensic team during the current investigation,” reads the update provided by SolarWinds. “The subsequent October 2019 edition of the Orion Platform appears to contain modifications designed to test the perpetrator’s ability to insert code into our build.”