Stellar Performances: How CrowdStrike Machine Learning Handles the SUNSPOT Malware

Blog 1060x698 (33)

The CrowdStrike® Intelligence team recently published its findings on a sophisticated supply chain attack. In a nutshell, the adversary planted a malicious file, dubbed SUNSPOT, on the victim’s build system. SUNSPOT then monitors when new software is compiled and inserts a malicious payload clandestinely during the build process.

Such targeted attacks are normally the domain of indicators of attack (IOAs), which detect illicit behavior by observing the actions and the intent of processes on endpoints. But besides IOAs, CrowdStrike Falcon PreventTM leverages other techniques for threat detection, including file-based machine learning (ML).

The main component of SUNSPOT is a file taskhostsvc.exe with SHA256 hash c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168. The file’s compile timestamp indicates that the file was compiled on February 20, 2020. While this data field can be easily manipulated, we speculate that the adversary did not go through this effort as it aligns with the timeline for the rest of the attack.

To check how well our file-based models pick up on this thread, we ran the file against the on-sensor ML model that we shipped in September 2019, about five months before the file was presumably created. It was detected at high confidence.

While one should not rely solely on static analysis-based techniques, especially for sophisticated attacks such as this one, it validates the power of signature-less ML models that can detect threats based on generic properties as opposed to the reliance of a human analyst creating a suitable signature.

Additional Resources

CrowdStrike Falcon Free Trial

Sven Krasser

Dr. Sven Krasser is a recognized authority on network and host security. He currently serves as Chief Scientist for CrowdStrike, where he oversees the development of endhost and cloud-based Big Data technologies. Previously, Dr. Krasser was at McAfee where he led the data analysis and classification efforts for TrustedSource. He is the lead inventor of numerous key patented and patent-pending network and host security technologies and is the author of numerous publications on networking and security technologies.

Bibliography: http://www.skrasser.com/publications/

 

Try CrowdStrike Free for 15 Days Get Started with A Free Trial