Hunting For SOTI

What is SOTI?

SolarTime (SOTI) is an advanced bootloader persistence mechanism used by the Equation Group as part of its frameworks, including the DanderSpritz framework that was exposed by The Shadow Brokers in 2017. The framework containing SOTI can be used in conjunction with the KillSuit (KiSu) post-exploitation modular component, allowing an attacker to persist their PeddleCheap (PC) agent across reboots. SOTI is the only persistence mechanism in this framework that still works on a modern version of the Windows OS; however, it is mitigated when the Unified Extensible Firmware Interface (UEFI) is used in place of the legacy Basic Input/Output System (BIOS).

Other persistence mechanisms in the framework that are ineffective beyond Windows XP include driver-installation persistence and JustVisiting (JUVI), which is XP-specific. Driver persistence does not work beyond XP because driver signing became mandatory in later versions of the OS, causing that mechanism to fail. SOTI, however, uses firmware-level manipulation to install an advanced bootloader that hands control to the attacker's agent on the host, and this works at least up to Windows 7.
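The summary above gives the defender one concrete lever: SOTI depends on the legacy BIOS boot path, so on a BIOS-booted host the bootloader the firmware hands control to is the 512-byte master boot record (MBR). The following is an added example, not code from the whitepaper and not tied to any SOTI-specific indicator (the page gives none): it parses the MBR layout and compares the bootstrap-code area against a known-good hash, which is the kind of baseline check a hunt for bootloader tampering starts from. The sample sectors, disk signature, partition entry and bootstrap bytes are all constructed for the demonstration.

```python
"""Baseline check of a legacy (BIOS/MBR) boot sector.

Layout of the 512-byte MBR:
  bytes   0..439  bootstrap code (what the BIOS jumps into)
  bytes 440..443  disk signature, 444..445 reserved
  bytes 446..509  four 16-byte partition entries
  bytes 510..511  0x55AA boot signature
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_END = 440
DISK_SIG_OFF = 440
PART_TABLE_OFF = 446
BOOT_SIGNATURE = b"\x55\xaa"
PART_ENTRY_FMT = "<BBBBBBBBII"   # status, CHS start(3), type, CHS end(3), LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Parse one raw MBR sector into its bootstrap hash, disk signature and partitions."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, _, _, ptype, _, _, _, lba_start, n_sectors = struct.unpack(
            PART_ENTRY_FMT, sector[off:off + 16])
        if ptype:  # type 0 means an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": n_sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "partitions": partitions,
    }


def hunt_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("bootstrap code differs from baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions (expected 1)")
    return findings


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Build a constructed MBR: given bootstrap bytes, one active partition, valid signature."""
    if len(boot_code) > BOOT_CODE_END:
        raise ValueError("bootstrap code too long")
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0xDEADBEEF)          # constructed disk signature
    struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFF,          # constructed NTFS-type entry
                     0x80, 0, 0, 0, 0x07, 0, 0, 0, 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed stand-ins: a "known good" sector recorded as the baseline, and a copy whose
# bootstrap code has been altered, which is what a bootloader implant has to do.
CLEAN_MBR = make_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 20)
BASELINE_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
TAMPERED_MBR = make_sample_mbr(b"\xeb\xfe" + b"\x90" * 25)

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, hunt_mbr(mbr, BASELINE_HASH) or "matches baseline")
```

On a real host the sector comes from the raw disk rather than `make_sample_mbr`: on Windows, `open(r"\\.\PhysicalDrive0", "rb").read(512)` from an elevated process; on Linux, the first 512 bytes of `/dev/sda`. The baseline hash is taken from a gold image or from the same host at a trusted point in time. The check is only meaningful on BIOS-booted systems; on UEFI hosts the MBR bootstrap area is not what the firmware executes, which is the mitigation the whitepaper summary refers to.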
