Sources:

https://us-cert.cisa.gov/ncas/alerts/aa20-352a

https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

Summary:

After compromising SolarWinds, the attacker implanted a backdoor into the official installation package, turning it into a supply-chain attack.

Backdoored component: SolarWinds.Orion.Core.BusinessLayer.dll

Basic file information:

md5:B91CE2FA41029F6955BFF20079468448

sha1:76640508B1E7759E548771A5359EAED353BF1EEC

sha256:32519B85C0B422E4656DE6E6C41878E95FD95026267DAAB4215EE59C107D6C77

imphash:D0823F24EA6E7922288E5C17847E38F8

file-version:2019.4.5200.9083

description:SolarWinds.Orion.Core.BusinessLayer

file-type:dynamic-link-library

cpu:32-bit

Backdoor location:

(three screenshots of the backdoor location; the images were not preserved)

The backdoor checks whether the process hash equals 17291806236368054941.
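Added example, not part of the original note and not SolarWinds' or the malware's own code: a Python reimplementation of the process-name hash as the FireEye writeup cited above describes it (FNV-1a 64-bit over the lowercased name, then XOR with 6605813339339102567), so an analyst can test candidate process names against the hash value the note mentions. The function names and the candidate list are assumptions constructed for this example.

```python
# Added example (not the original note's or SolarWinds' code).
# Hash scheme as described in FireEye's SUNBURST writeup: FNV-1a 64-bit over the
# UTF-8 bytes of the lowercased process name, then XOR with a fixed constant.
# FNV64_OFFSET and FNV64_PRIME are the standard FNV-1a 64-bit parameters.

FNV64_OFFSET = 14695981039346656037
FNV64_PRIME = 1099511628211
SUNBURST_XOR = 6605813339339102567
MASK64 = (1 << 64) - 1

# The one hash value quoted in the note above.
NOTE_HASH = 17291806236368054941


def sunburst_hash(name: str) -> int:
    """FNV-1a 64-bit of the UTF-8 bytes, then XOR with the SUNBURST constant."""
    h = FNV64_OFFSET
    for b in name.encode("utf-8"):
        h ^= b
        h = (h * FNV64_PRIME) & MASK64  # keep the multiply within 64 bits
    return h ^ SUNBURST_XOR


def is_blocklisted(process_name: str, blocklist=frozenset({NOTE_HASH})) -> bool:
    """Mimic the backdoor's comparison: hash the lowercased name, look it up."""
    return sunburst_hash(process_name.lower()) in blocklist


def resolve_hashes(candidates, blocklist=frozenset({NOTE_HASH})) -> dict:
    """Defender-side reversal: map each blocklisted hash to a candidate name
    that produces it. Candidate names are supplied by the analyst (e.g. names
    of common analysis tools); unmatched hashes are simply absent."""
    found = {}
    for name in candidates:
        h = sunburst_hash(name.lower())
        if h in blocklist:
            found[h] = name
    return found


if __name__ == "__main__":
    # Constructed candidate list for illustration; whether any name matches the
    # note's hash is decided by the computation, not assumed here.
    candidates = ["apimonitor-x64", "procmon", "wireshark", "autoruns"]
    print(resolve_hashes(candidates))
```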