Sunspot malware scoured servers for SolarWinds builds to trojanize them

Sunspot malware scoured servers for SolarWinds builds to trojanize them

A malware program used in the SolarWinds supply-chain attack seeks out developers’ builds of the SolarWinds Orion IT management platform and then replace a source file with the Sunburst backdoor. (Stephen Foskett/CC BY-NC-SA 2.0)

Forensic investigators have discovered a novel malware program used in the SolarWinds supply-chain attack – one designed specifically to seek out developers’ builds of the SolarWinds Orion IT management platform and then replace a source file with the Sunburst backdoor.


Targeting build servers in such a manner is a devious strategy, because such machines prioritize efficiency of developer use over the kind of in-depth security that’s needed to reliably detect malicious activity. SolarWinds noted this week in a new blog post that its software development and build process “is common throughout the software industry” – a troublesome notion that raises the specter of other developer environments being targeted in a similar fashion following the resounding success of this attack.


For that reason, SolarWinds and other cybersecurity experts are stressing the importance of developer organizations understanding the true nature of the threat.


SolarWinds also revealed two potentially missed opportunities to detect the supply chain attack sooner, acknowledging a pair of customer support inquiries that, in hindsight, appear to have been related to the attack campaign.


Introducing Sunspot malware


Dubbed Sunspot, the newly discovered malware spies on compromised servers in order to seek out instances of MsBuild.exe, a process that corresponds to Microsoft Visual Studio, a program used to compile Orion software builds. If the malware determines that there is an Orion build in progress, it replaces the source file “InventoryManager.cs ..