For more than a month after the cyberattack on the SolarWinds supply chain, new information has been regularly emerging regarding the methods of work of cybercriminals: recently, cybersecurity experts published a method for finding victims and targets of SUNBURST malware operators.
As a reminder, a cybercriminal group funded by the government of an unknown country hacked SolarWinds networks and injected SUNBURST (also known as Solorigate) malware in updates for the Orion platform (in versions 2019.4 to 2020.2.1, released in March-June 2020).Now there is information on how to decrypt SUNBURST domains.
“The malware steals several types of information about the infected system, encrypts this information as a combination of strings, adds them together, and sends the data back to the attackers using DNS queries for the avsvmcloud[.]com”, – writes user Medium VriesHD.
While there are four possible choices for the first subdomain (eu-west-1 / us-west-2 / us-east-1 / us-east-2), they don’t seem to be related to any specific geographic data. Their sole purpose is to mimic services like AmazonAWS in order to give the established connections some form of legitimacy.
Subdomains consist of an encoded GUID, a byte that functions as an XOR key for the GUID, and the hostname of the infected system’s local network or other additional information such as encoded timestamps or active antivirus products.
The SUNBURST backdoor transfers stolen data to the avsmcloud[.]com domain in the form of DNS queries for a specific subdomain. There are many ways to get Passive DNS at avsmcloud[.]com and several resources on Pastebin with Passive DNS lists.
Let me remind you that Malware spreads and downloads payloads from paste-sites.
The backdoor then exchanges data using special templates to filter out most of the noise. The GUID and XOR key are 16 characters long, and the backdoor is 32 characters long, so the third subdomain should be between 17 and 32 characters long.
Decoding of subdomains can be done using tools from companies such as RedDrip, FireEye or NETRESEC. The GUID is used to help connect the individual requests because that particular GUID remains unique to the infected system regardless of the XOR operation of the GUID.
“This way it is possible to match encoded timestamps with hostnames and vice versa. The XOR key is also an indicator for longer split domains, some of which are based on the decoded byte value in the range 0 to 35″, — says VriesHD.
The first part of the payload will have byte value 0. The last part of the payload will always have byte value 35. Infected systems with short domain names will have only one request with byte value 35.
For those looking for additional Passive DNS data, or simply wanting to check if they are may be a victim or target of cyberattacks, there is a table with 35,000 known public subdomains and the data they transmitted.
Let me remind you that I talked about Sunspot malware that was also used in the attack on SolarWinds.