Last active September 12, 2021 16:48
Gist: fr0gger/46b0998cd9c4d7a2ba7a81fbe4f9e2b3
Sunburst/Solorigate glossary to keep track of used terms
Name | Description
---|---
SolarWinds | Compromised company whose Orion platform was used to spread the Sunburst malware.
Orion Platform | Compromised platform used to deliver the Sunburst malware in a supply chain attack.
Sunspot | Malware name attributed by CrowdStrike; used to insert the Sunburst backdoor into the Orion build.
Sunburst | Malware name attributed by FireEye for the backdoor inserted in the Orion platform. AKA Solorigate.
Solorigate | Malware name attributed by Microsoft for the backdoor inserted in the Orion platform. AKA Sunburst.
Teardrop | Additional payload delivered by the Sunburst backdoor, used to deploy a custom Cobalt Strike Beacon.
Raindrop | Loader which delivers a Cobalt Strike payload. Similar to Teardrop.
Beacon | Name used by FireEye for the custom Cobalt Strike payload.
GoldMax | Written in Go, GoldMax acts as a command-and-control backdoor for the actor. AKA Sunshuttle.
Sibot | A VBScript malware designed to achieve persistence on the infected machine, then download and execute a payload from a remote C2 server.
GoldFinder | Most likely used as a custom HTTP tracer tool that logs the route or hops a packet takes to reach a hardcoded C2 server.
Kazuar | Earlier backdoor, identified by Kaspersky, that shares functionality with the Sunburst malware.
UNC2452 | Threat actor name attributed by FireEye.
Dark Halo | Threat actor name attributed by Volexity.
Stellar Particle | Threat actor name attributed by CrowdStrike.
Solarstorm | Threat actor name attributed by Palo Alto.
Nobelium | Threat actor name attributed by Microsoft.
Golden SAML | Attack technique identified as being used by the attackers in the SolarWinds compromise.
Supernova | Web shell backdoor masquerading as a legitimate SolarWinds web service handler. Apparently not related to the Sunburst outbreak.
Cosmicgale | Credential theft and reconnaissance PowerShell script. Apparently not related to the Sunburst outbreak.
Solarflare | Red team tool used to dump credentials from Orion. Publicly released after FireEye's initial report.