Trojan:MSIL/Solorigate.B!dha

Arrival

This threat is a modified DLL component of a legitimate software. Attackers inserted malicious code into the DLL, which has the file name SolarWinds.Orion.Core.BusinessLayer.dll, to allow these attackers to remotely perform commands or deliver additional payloads.

The DLL was signed with the same digital certificate that was used to sign the legitimate application, allowing the modified DLL to evade application control technologies. It is installed as a service.

Execution

When the related application runs, the modified is loaded in memory. The inserted malicious backdoor code runs before the legitimate code. Based on our analysis, the observed malicious from the attacker is activated only when running under SolarWinds.BusinessLayerHost.exe, but other applications like the following (not exhaustive) may also load it:

• ConfigurationWizard.exe
• NetflowDatabaseMaintenance.exe
• NetFlowService.exe
• SolarWinds.Administration.exe
• SolarWinds.BusinessLayerHost.exe
• SolarWinds.Collector.Service.exe
• SolarwindsDiagnostics.exe

We recommend monitoring the history and network and process activity related to these applications.

Impact

When loaded in memory, the malicious DLL connects to a command-and-control server at avsvmcloud[.]com. The DLL can then run commands from a remote attacker. Based on our analysis of the malware code, it has these backdoor capabilities:

• Gather system info (e.g., OS architecture and version, hostname, MAC address, IP address, etc.)
• Run filesystem commands (e.g., directory listing, write, delete, check for existence of file, etc.)
• Read or modify registry entries
• Create or stop processes, or get list of processes
• Restart the system
• Adjust the privilege of the process that loads it
• Track processes and services

These backdoor capabilities can enable remote attackers to download second-stage payloads, move laterally across the network, or exfiltrate data.