Memory forensics demo: SolarWinds breach and Sunburst malware
The SolarWinds hack is one of the biggest cybersecurity incidents in recent years. By gaining access to SolarWinds’ network, attackers were able to access the company’s development environment and implant malicious code within updates to SolarWinds’ Orion network monitoring solution. With these malicious updates, the attackers inserted backdoors into the networks of thousands of SolarWinds’ customers, setting the stage for follow-on attacks.
The investigation of the SolarWinds hack was a case study in incident response and teamwork. FireEyes initially discovered and disclosed the incident, and multiple other companies built on their discovery, identifying additional malware variants and infection vectors used alongside the original malware. The reports published by these organizations have created a treasure trove of data for those organizations wishing to learn if they are affected by the hack, and, if so, the scope and impact of the compromise.
Malware detection through memory analysis
Infosec’s principal security researcher Keatron Evans provided a walkthrough on breach detection for companies potentially impacted by the SolarWinds breach on the Cyber Work podcast. He demonstrated a process for identifying indicators of compromise (IoCs) in the memory of a potentially compromised machine.
Step 1: Grab a memory dump
When performing a forensic investigation, it is always best to work from a copy of the memory from the target computer. When a machine is online, the state of its memory is constantly changing. This means that IoCs within the computer’s memory could be removed by the malware or naturally overwritten. A memory dump provides a static snapshot of the computer’s memory to analyze for suspicious artifacts.
In his demo, Keatron used RAM capture from magnet forensics to perform his memory dump. This grabs a copy of the volatile memory on the system and saves it to a file on disk for analysis.
Step 2: Extract readable strings
Malware and any executable is a mix of program code and data. In some cases, the data contained within these programs are human-readable strings. These strings can be unique to a particular malware variant, making them a useful and easy-to-find IoC.
Linux offers a built-in command called strings that extracts any printable strings from a file. Running this against the memory dump file from the previous step will likely produce a massive list of results because it looks for anything printable in the computer’s memory.
To make these results manageable, it’s possible to use grep to filter the list for certain strings. FireEye has published a list of Snort rules that can be used to detect the Sunburst malware used in the SolarWinds hack.
These rules can also be used to filter string results. For example, searching for the word deft using the command strings <memory_dump_filename> | grep deft will match results for the domain deftsecurity.com from FireEyes’ list. If there are any hits from the list of detection rules provided by FireEyes, then the system in question may have been infected by the Sunburst malware.
Step 3: Examine processes
Going deeper than looking at printable strings within the memory dump requires tools designed for forensic memory analysis. One of the best available tools for this is Volatility, which is an open-source tool.
With Volatility, it is possible to run several different terminal commands against a memory sample. A good starting place when looking for malware IoCs is to take a look at the processes running on the infected machine. This can be accomplished with the command volatility -f <memory_dump_file> –profile=<profile_type> pslist.
The result of this is identical to the result of running pslist on a live Windows machine. Looking at the list, it may be possible to identify anomalous processes that could point to a malware infection. For example, Keatron highlighted a couple of suspicious processes in his demo that could be linked to a Sunburst infection.
After identifying an anomalous process, it’s time to dig deeper. A couple of options for the next steps include:
- Looking for child processes: using the pstree command in Volatility, it is possible to see which processes are the parent and children of a particular process. This can help with identifying the infection vector and the effects of the infection.
- Dumping processes: using a process id (pid) from pslist or pstree, it is possible to dump a process from Volatility with the procdump command. This creates a fully functional binary that could be run in a sandbox or reverse engineered using a disassembler.
Step 4: Look at connection data
In addition to looking at processes, it can also be helpful to look at the connections that an infected computer has open. The current connection state of a system is also included in the snapshot of a memory dump.
The netscan command in Volatility produces a list of network connections similar to using netstat on a live system. Any suspicious connections can also lead to the identification of malware infections on the system. In the case of the SolarWinds hack, many victims were infected with multiple types of malware in a variety of different ways, so being thorough during a forensic investigation is important to ensure you’ve discovered the full scope of a potential infection.
Detecting SolarWinds infections with memory analysis
The Sunburst malware spread in the SolarWinds hack is a subtle and prolific malware sample. In a Cyber Work Podcast episode, Keatron shows how to identify Sunburst infections with memory analysis.
Memory forensics demo: SolarWinds breach and Sunburst malware, Infosec Cyber Work Podcast
Sunburst Countermeasures, FireEye
Release Downloads, Volatility Foundation