The compromised DLL file “Solorigate” has been analyzed

Recently, Microsoft investigated the capabilities of the Solorigate attack and published an analysis report covering the following:

  1. Scope
  2. Impact
  3. Remediation Guidance
  4. Product detections and protections.

A single DLL file has posed a serious threat to every organization using the affected product: a few benign-looking lines of code were added to an otherwise legitimate file, and the build was signed and shipped as a normal update.

Source: Microsoft – Solorigate malware infection chain

Reconnaissance

This stage serves the backdoor's main purpose: the attacker's code is executed from an entry point inside the trusted host process, and before doing anything else it gathers information about the victim's environment to decide whether it is safe to proceed.

Below are the checks the DLL executes before activating the backdoor:

  1. The DLL verifies that the process hosting it is the expected SolarWinds service, solarwinds.businesslayerhost.exe; if it is loaded by any other process it does nothing.
  2. The DLL delays execution for a random amount of time, so the malicious behaviour does not appear immediately after installation.
  3. The DLL checks whether security or analysis software such as WinDbg, Autoruns and Wireshark is running in the victim's environment, and stays dormant if any is found.
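The three gates above are what make the backdoor hard to trigger in a sandbox or under a debugger. The following Python model is an added example, not code from the page or from the analyzed DLL: it re-implements the gating logic as the page describes it, against constructed process snapshots. The tool list, the host-process name and the delay bounds are taken from the text or are labelled assumptions; the real sample's comparison method and timing are not reproduced here.

```python
import random
from dataclasses import dataclass, field

# Values from the page's description, lower-cased so comparisons are case-insensitive.
EXPECTED_HOST = "solarwinds.businesslayerhost.exe"
ANALYSIS_TOOLS = frozenset({"windbg.exe", "autoruns.exe", "wireshark.exe"})


@dataclass
class Snapshot:
    """Constructed view of a host: the process that loaded the DLL and the
    names of the other processes currently running."""
    host_process: str
    running_processes: list = field(default_factory=list)


def host_process_ok(host_process: str) -> bool:
    """Check 1: only proceed when hosted by the expected SolarWinds service process."""
    return host_process.strip().lower() == EXPECTED_HOST


def analysis_tools_present(running_processes) -> list:
    """Check 3: return the analysis/security tools found running, sorted by name."""
    seen = {p.strip().lower() for p in running_processes}
    return sorted(seen & ANALYSIS_TOOLS)


def pick_delay_seconds(seed: int, low: int, high: int) -> int:
    """Check 2: choose a random dormancy period. The bounds are an assumption;
    the page only states that the delay is random. A fixed seed keeps the
    model reproducible."""
    if low < 0 or high < low:
        raise ValueError("invalid delay bounds")
    return random.Random(seed).randint(low, high)


def backdoor_gate(snapshot: Snapshot) -> tuple:
    """Apply the gates in order; return (proceed, reason).

    A sandbox that runs Wireshark, or a harness that loads the DLL into
    rundll32.exe, never sees the malicious behaviour."""
    if not host_process_ok(snapshot.host_process):
        return False, "unexpected host process: " + snapshot.host_process
    tools = analysis_tools_present(snapshot.running_processes)
    if tools:
        return False, "analysis tools running: " + ", ".join(tools)
    return True, "all reconnaissance checks passed"


if __name__ == "__main__":
    # Constructed snapshots: an analyst's sandbox versus a production server.
    sandbox = Snapshot("SolarWinds.BusinessLayerHost.exe",
                       ["explorer.exe", "Wireshark.exe", "autoruns.exe"])
    production = Snapshot("solarwinds.businesslayerhost.exe",
                          ["svchost.exe", "lsass.exe", "sqlservr.exe"])
    for name, snap in (("sandbox", sandbox), ("production", production)):
        proceed, reason = backdoor_gate(snap)
        print(f"{name}: proceed={proceed} ({reason})")
    print("dormancy before first beacon:", pick_delay_seconds(1, 60, 600), "seconds")
```

The practical lesson for a defender is the inverse of the attacker's logic: a dynamic-analysis environment that keeps well-known tools visible under their real names, or that loads the DLL outside its intended host, will report the sample as clean.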

Source: Microsoft – Microsoft Defender for Endpoint detections across the Solorigate attack chain

Author: Wan Ariff

He brings working experience in the Information Security field, specializing in Penetration Testing and Digital Forensics. His passion is IT Security.
