Microsoft, FireEye, and GoDaddy have collaborated to create a kill switch for the SolarWinds Sunburst backdoor that causes the malware to terminate itself.
It was disclosed last weekend that Russian state-sponsored threat actors breached SolarWinds and added malicious code to a Windows DLL file used by its Orion IT monitoring platform.
As part of a coordinated disclosure with Microsoft and SolarWinds, FireEye published a report on Sunday analyzing the supply chain attack and how the Sunburst backdoor operates.
The analysis showed that the Sunburst backdoor connects to a command and control (C2) server at a subdomain of avsvmcloud[.]com to receive ‘jobs’, or commands to execute.
In a statement, FireEye explains that it used the avsvmcloud[.]com takeover to create a kill switch that unloads the Sunburst malware on infected machines.
“SUNBURST is the malware that was distributed through SolarWinds software. As part of FireEye’s analysis of SUNBURST, we identified a killswitch that would prevent SUNBURST from continuing to operate.”
“Depending on the IP address returned when the malware resolves avsvmcloud[.]com, under certain conditions, the malware would terminate itself and prevent further execution. FireEye collaborated with GoDaddy and Microsoft to deactivate SUNBURST infections.”
“This killswitch will affect new and previous SUNBURST infections by disabling SUNBURST deployments that are still beaconing to avsvmcloud[.]com,” FireEye said.
“However, in the intrusions FireEye has seen, this actor moved quickly to establish additional persistent mechanisms to access victim networks beyond the SUNBURST backdoor. This killswitch will not remove the actor from victim networks where they have established other backdoors. However, it will make it more difficult for the actor to leverage the previously distributed versions of SUNBURST,” FireEye continued.
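The two points above, that the backdoor beacons to subdomains of avsvmcloud[.]com and that the kill switch fires only when the resolved address meets certain conditions, suggest a simple triage a defender can run over DNS resolver logs: find every host that looked up the C2 domain, count the beacons, and note whether the answer it received fell in a sinkhole range. The script below is an added example, not code from FireEye, Microsoft or the original article. The log format, the host names and the `label-*` subdomains are constructed; the sinkhole CIDR is a hypothetical placeholder, because the page does not publish the actual termination conditions. Every host it reports is a confirmed victim regardless of whether the kill switch could have fired, which is exactly the caveat in FireEye's last paragraph.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample resolver log lines (not real telemetry); the
# "answer" IPs are RFC 5737 documentation addresses.
SAMPLE_DNS_LOG = """\
2020-12-14T08:01:12Z host=ws-017 query=label-a1.avsvmcloud.com answer=198.51.100.23
2020-12-14T08:03:40Z host=ws-017 query=label-a1.avsvmcloud.com answer=198.51.100.23
2020-12-14T08:05:02Z host=srv-orion-01 query=label-b7.avsvmcloud.com answer=203.0.113.9
2020-12-14T08:07:55Z host=ws-042 query=www.example.com answer=93.184.216.34
2020-12-14T08:09:10Z host=ws-042 query=avsvmcloud.com.lookalike.example answer=192.0.2.5
"""

# Hypothetical sinkhole range: the real kill-switch conditions are not on
# the page, so this CIDR is a placeholder to be replaced with whatever
# your threat-intelligence source publishes.
HYPOTHETICAL_SINKHOLE_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# The C2 domain named in the article (defanged there as avsvmcloud[.]com).
C2_DOMAIN = "avsvmcloud.com"

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+query=(?P<query>\S+)\s+answer=(?P<answer>\S+)$"
)


def parse_dns_log(text):
    """Parse one record per line; lines that do not match the expected
    format are skipped rather than aborting the whole triage."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def is_c2_query(name, domain=C2_DOMAIN):
    """True only for the domain itself or a subdomain of it. A name that
    merely contains the string (avsvmcloud.com.lookalike.example) or ends
    in it without a label boundary (notavsvmcloud.com) does not count."""
    name = name.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def in_sinkhole(ip_text, nets):
    """Membership test for the resolved answer against the sinkhole CIDRs."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in nets)


def triage(records, sinkhole_nets=HYPOTHETICAL_SINKHOLE_NETS):
    """Group C2 lookups by host. 'queries' is how many beacons were seen;
    'killswitch_reachable' records whether the most recent answer fell in
    the sinkhole range, i.e. whether the kill switch could have fired.
    Either way the host is a confirmed SUNBURST victim and still needs a
    full investigation for other persistence mechanisms."""
    hosts = defaultdict(lambda: {"queries": 0, "killswitch_reachable": False})
    for rec in records:
        if not is_c2_query(rec["query"]):
            continue
        entry = hosts[rec["host"]]
        entry["queries"] += 1
        entry["killswitch_reachable"] = in_sinkhole(rec["answer"], sinkhole_nets)
    return dict(hosts)


if __name__ == "__main__":
    for host, info in sorted(triage(parse_dns_log(SAMPLE_DNS_LOG)).items()):
        print(f"{host}: {info['queries']} beacon(s), "
              f"kill switch reachable: {info['killswitch_reachable']}")
```

Note the strict suffix match in `is_c2_query`: matching on the substring alone would both miss nothing and add false positives from look-alike names, so the check insists on a label boundary. Run against real resolver logs, the record regex is the only part that needs adapting to your log format.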