Sansec cybersecurity experts: The new parasitic malware, spread by CronRAT, hijacks a host Nginx application to hide its presence.
FireEye: SolarWinds attackers deploy Sunshuttle as a second-stage payload. The malware is a Go backdoor that uses cookie headers to pass values to the C2 and can select referrers from a list of popular websites to help its network traffic “blend in.”
Sunshuttle is a newly discovered malware family identified by FireEye; it has been used by the SolarWinds attackers as a second-stage payload. It is a backdoor written in Go that reads an embedded or local configuration file, communicates with a hard-coded command-and-control (C2) server over HTTPS, and supports commands including remotely updating its configuration, file upload and download, and arbitrary command execution. Notably, it uses cookie headers to pass values to the C2 and, if configured, can select referrers from a list of popular website URLs to help that traffic “blend in.”
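The referrer trick described above only works on an analyst looking at a single request. In proxy logs it leaves a gap: a genuine Referer means the client fetched a page on that site shortly before, so a Referer from a popular site the client never visited is a fabricated one. The following Python is an added illustration of that detection heuristic, not code from FireEye or from Sunshuttle; the log format, the client addresses, the destination host `api.update-host.test` and the `POPULAR_REFERERS` list are all constructed for the example.

```python
"""Flag HTTP requests whose Referer names a popular site the client never visited.

Heuristic: a legitimate Referer implies a prior request to that domain from the
same client within a short window. Beacons that pick a Referer from a fixed list
of popular sites (as described for Sunshuttle) have no such prior request.
Added example; the log schema and sample lines below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Domains an implant might plausibly spoof as Referer (assumed list; extend as needed).
POPULAR_REFERERS = {"google.com", "bing.com", "yahoo.com", "facebook.com",
                    "twitter.com", "youtube.com"}

# Constructed proxy log: "<timestamp> <client> <method> <url> <referer-or-dash>".
# 10.0.0.5 visits Google and then a site with Google as Referer (legitimate).
# 10.0.0.9 beacons to one host every 5 minutes with rotating popular Referers
# but never fetched any of those sites (the blend-in pattern).
SAMPLE_LOG = """\
2021-03-04T10:00:01Z 10.0.0.5 GET https://www.google.com/ -
2021-03-04T10:00:03Z 10.0.0.5 GET https://news.example.org/today https://www.google.com/
2021-03-04T10:05:00Z 10.0.0.9 GET https://api.update-host.test/session https://www.bing.com/
2021-03-04T10:10:00Z 10.0.0.9 GET https://api.update-host.test/session https://www.facebook.com/
2021-03-04T10:15:00Z 10.0.0.9 GET https://api.update-host.test/session https://www.google.com/
"""


@dataclass
class Request:
    ts: datetime
    client: str
    method: str
    url: str
    referer: Optional[str]


def parse_log(text: str) -> List[Request]:
    """Parse the constructed space-separated log format; adapt to your proxy."""
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, ref = line.split()
        reqs.append(Request(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            client, method, url, None if ref == "-" else ref))
    return reqs


def registrable(host: str) -> str:
    """Crude registrable-domain: last two labels. Use a public-suffix list in production."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def find_fabricated_referers(text: str,
                             window: timedelta = timedelta(minutes=30)
                             ) -> List[Tuple[str, str, str]]:
    """Return (client, destination_host, referer) for requests whose Referer is a
    popular site that the client did not visit within `window` beforehand."""
    reqs = sorted(parse_log(text), key=lambda r: r.ts)
    visits = defaultdict(list)  # (client, domain) -> timestamps of requests to it
    flagged = []
    for r in reqs:
        host = urlparse(r.url).hostname or ""
        if r.referer:
            ref_dom = registrable(urlparse(r.referer).hostname or "")
            if ref_dom in POPULAR_REFERERS and ref_dom != registrable(host):
                prior = [t for t in visits[(r.client, ref_dom)] if r.ts - t <= window]
                if not prior:
                    flagged.append((r.client, host, r.referer))
        # Record the visit after the check so a request cannot vouch for itself.
        visits[(r.client, registrable(host))].append(r.ts)
    return flagged


if __name__ == "__main__":
    for client, host, ref in find_fabricated_referers(SAMPLE_LOG):
        print(f"{client} -> {host} claims Referer {ref} with no prior visit")
```

Running it flags only the three beacons from 10.0.0.9; the 10.0.0.5 request is cleared by its earlier Google visit. Split tunnelling or an HTTPS search page not seen by the proxy produces false positives, so corroborate a hit with beacon periodicity to the same host and, where the proxy logs it, a Cookie header sent to a host that never returned Set-Cookie, which matches the cookie-based value passing described above.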