
Microsoft recently investigated the capabilities used in the Solorigate attack and published an analysis report that covers the following:
- Scope
- Impact
- Remediation Guidance
- Product detections and protections.
A single DLL file posed a serious threat to any organization using the affected product, through the addition of a few benign-looking lines of code included within the file.

Source: Microsoft – Solorigate malware infection chain
Reconnaissance
This activity leads toward the attacker’s main purpose: the attacker uploads the execution entry point of the backdoor, which may carry code that gathers information on the victim’s environment.
Below are the checks that the DLL file executes:
- The DLL verifies that the process hosting the malicious file is named solarwinds.businesslayerhost.exe.
- The DLL also delays execution by a random amount of time.
- The DLL checks whether the victim’s environment is running security-related software such as Windbg, Autoruns and Wireshark.

Source: Microsoft – Microsoft Defender for Endpoint detections across the Solorigate attack chain