Ib-Expert Has Published Information on How to Decrypt SUNBURST Domains

More than a month after the supply-chain attack on SolarWinds, new information keeps emerging about how the attackers operated and about the impact of the intrusion on companies and government agencies. As a reminder, a state-sponsored group (the sponsoring country has not been confirmed) compromised the SolarWinds build environment and injected the SUNBURST backdoor (also known as Solorigate) into updates for the Orion platform, in versions 2019.4 through 2020.2.1 released between March and June 2020.

Information on how to decode SUNBURST domains is now available. The backdoor collects several pieces of information about the infected system, encodes each of them as a string, concatenates the strings and sends the result to the attackers as DNS queries for subdomains of avsvmcloud[.]com. Four labels are possible for the first subdomain under that domain (eu-west-1, us-west-2, us-east-1, us-east-2), but they have nothing to do with where the victim is located. Together with the fixed appsync-api label that precedes them, their only purpose is to imitate Amazon AWS service hostnames so that the connections look legitimate.

Each generated subdomain consists of an encoded GUID, a byte that serves as the XOR key for that GUID, and either the hostname (the local domain name) of the infected system's network or other data such as an encoded timestamp or the list of active antivirus products.

The SUNBURST backdoor exfiltrates the stolen data to avsvmcloud[.]com in the form of DNS queries for specific subdomains. Passive DNS data for avsvmcloud[.]com can be obtained from many sources, and several lists have been posted on Pastebin. Because the backdoor's queries follow a fixed pattern, a simple template filters out most of the noise: the encoded GUID and XOR key together occupy 16 characters and the backdoor never emits a label longer than 32 characters, so the third subdomain (the data label) should be between 17 and 32 characters long.
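The template described above, applied to passive DNS records, as an added example that is not part of the original article and not taken from any of the decoder tools it mentions. It matches only the four region labels, requires the fixed appsync-api label, enforces the 17-32 character bound on the data label, and splits that label into the 16-character encoded GUID/XOR-key part and the remaining encoded payload. The record layout of the sample lines and the labels themselves are constructed for the example; the GUID and payload are left encoded, since decoding them is what the RedDrip, FireEye and NETRESEC tools do.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Values taken from the article: 16 characters of encoded GUID plus XOR key,
# a maximum label length of 32, and the four region-like labels.
GUID_LEN = 16
MAX_LABEL_LEN = 32
REGIONS = ("eu-west-1", "us-west-2", "us-east-1", "us-east-2")

# <data>.appsync-api.<region>.avsvmcloud.com, optionally with a trailing dot
# as passive DNS sources often store it. Case-insensitive because some
# sources normalise names to upper case.
SUNBURST_RE = re.compile(
    r"^(?P<data>[a-z0-9]{%d,%d})\.appsync-api\.(?P<region>%s)\.avsvmcloud\.com\.?$"
    % (GUID_LEN + 1, MAX_LABEL_LEN, "|".join(re.escape(r) for r in REGIONS)),
    re.IGNORECASE,
)


@dataclass(frozen=True)
class SunburstQuery:
    qname: str
    region: str
    encoded_guid: str  # first 16 characters: XOR key byte + encoded GUID (still encoded)
    payload: str       # remainder: hostname fragment, timestamp or AV data (still encoded)


def parse_qname(qname: str) -> Optional[SunburstQuery]:
    """Return the split SUNBURST query if qname matches the template, else None."""
    m = SUNBURST_RE.match(qname.strip())
    if m is None:
        return None
    data = m.group("data").lower()
    return SunburstQuery(
        qname=qname.strip().rstrip(".").lower(),
        region=m.group("region").lower(),
        encoded_guid=data[:GUID_LEN],
        payload=data[GUID_LEN:],
    )


def filter_passive_dns(lines: List[str]) -> List[SunburstQuery]:
    """Keep only the records whose query name matches the SUNBURST template.

    Assumed record layout (constructed for this example):
    '<timestamp> <qname> <rrtype> <rdata>'.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        q = parse_qname(parts[1])
        if q is not None:
            hits.append(q)
    return hits


# Constructed passive DNS records; none of these labels are real victim data.
SAMPLE_PDNS = [
    "2020-06-15T12:00:00Z abc123def456ghi7jklm.appsync-api.eu-west-1.avsvmcloud.com CNAME noise.example.net",
    "2020-06-15T12:00:05Z abc123def456ghi7.appsync-api.us-east-2.avsvmcloud.com A 192.0.2.1",           # 16 chars: too short
    "2020-06-15T12:00:09Z abc123def456ghi7jklmnopqrstuvwxyz0.appsync-api.us-west-2.avsvmcloud.com A 192.0.2.1",  # 34 chars: too long
    "2020-06-15T12:00:12Z abc123def456ghi7jklm.appsync-api.ap-south-1.avsvmcloud.com A 192.0.2.1",     # not one of the four regions
    "2020-06-15T12:00:20Z www.avsvmcloud.com A 192.0.2.1",                                             # not a DGA label
    "2020-06-15T12:00:31Z ABC123DEF456GHI7JKLMNOP.appsync-api.US-EAST-1.avsvmcloud.com. CNAME noise.example.net",
]

if __name__ == "__main__":
    for hit in filter_passive_dns(SAMPLE_PDNS):
        print(hit.region, hit.encoded_guid, hit.payload)
```

Records that pass the filter can be fed to one of the decoders named below; the encoded GUID changes from query to query because of the per-query XOR key, so linking requests from the same host requires decoding rather than string comparison.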

The subdomains can be decoded with tools published by the RedDrip Team, FireEye and NETRESEC. The GUID is what links individual requests together: it stays the same for a given infected system regardless of the XOR key applied to it, so decoded timestamps can be mapped to hostnames and vice versa. The XOR key byte also marks the position of a fragment when a long domain name is split across several requests; its decoded value lies in the range 0 to 35. The first fragment of such a payload carries the byte value 0 and the last fragment always carries 35, so an infected system with a short domain name sends only a single request, with byte value 35.

For those looking for additional passive DNS data, or simply wanting to check whether they were a victim or a target of the attack, a table of 35,000 known public subdomains and the data they transmitted has been published.
