We are releasing a free tool called SunburstDomainDecoder today,
which is created in order to help CERT organizations identify victims of the trojanized SolarWinds software update, known as SUNBURST or Solorigate.
SunburstDomainDecoder can be fed with DNS queries to avsvmcloud.com in order to reveal the internal domain name of the infected company or organization.
SUNBURST DNS Traffic
SUNBURST victims, who have installed one of the trojanized SolarWinds Orion software updates, will query for domain names formatted like this:
The “SUBDOMAIN” string has different values for each victim and the second half of this string actually contains an encoded domain name (encrypted with a simple substitution cipher).
The RedDrip Team published a SUNBURST DGA decoding script yesterday,
which can be used to identify SUNBURST victim organizations like CISCO and Belkin by decoding the domain names encoded in the outgoing DNS queries for subdomains of avsvmcloud.com.
The beauty of this approach is that passive DNS data can be used in order to reliably identify the victims.
This is great news for national CERTs, because they typically have readily access to passive DNS data and can use
the decoded domain names in order to identify and reach out to victims in their country.
After using the python script provided by ReadDrip Team I noticed two things:
- The leaked domain names were internal domain names used on the victim organizations’ corporate networks.
Many of the domains were using the “.local” suffix.
- Most of the extracted domains were truncated to around 15 bytes,
which make it difficult to identify the victim organization.
Truncated Domains Fragmented Domains
I later learned that what seemed to be truncated domains were actually fragmented domains,
where long domain names would be split into multiple queries.
This revelation turns the output from RedDrip’s python tool into an interesting domain name puzzle.
At this point I decided to take a closer look at the malicious SolarWinds update I had downloaded
from SolarWind’s website a few days ago —
yes, that’s right the malicious software update
was actually available for download from SolarWinds’ website long after they had been notified about their software being backdoored!
As an example, lets’ take a closer look at this DNS query from John Bambenek’s passive DNS data:
This query can be broken down into three parts:
- r1qshoj05ji05ac6 : What is encoded here???
- eoip02jovt6i2v0c : Base32 encoded string “city.kingston.”
- .appsync-api.us-west-2.avsvmcloud.com : DNS trailer without encoded data
So, which “City of Kingston”, or “Kingston City”,
should we contact to let them know that they have installed a trojanized SolarWinds update?
City of Kingston NY USA,
City of Kingston Ontario Canada,
Kingston City Tennessee USA or
City of Kingston Australia?
After analyzing the “SolarWinds.Orion.Core.BusinessLayer.dll” file
from the “SolarWinds-Core-v2019.4.5220-Hotfix5.msp” I learned that the initial “r1qshoj05ji05ac6” string is representing a unique “GUID” value for the infected machine.
This GUID is generated by calculating an MD5 hash of the MAC address of the first active non-Loopback network interface,
the domain name and the “MachineGuid” registry key value in “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography”.
This MD5 hash is then squeezed into a tiny 8 byte array by XOR’ing overlapping bytes.
The “CreateSecureString” function in the trojanized SolarWinds update then “encrypts”
this hash using XOR with a random key, which is prepended to the data.
The XOR key and the XOR’ed data is then finally base32 encoded into what makes up the first part of the subdomain to query for.
Don’t let the SUNBURST source code below fool you, it is actually using base32 encoding with a custom alphabet even though the function is called “Base64Encode”;
Image: SUNBURST source code generates a random value between 1 and 127 as XOR key
Each DNS lookup from an infected machine will query for a unique subdomain because a new XOR key will be generated for each request.
Luckily for us, this XOR key is provided in each request, so we can use it in order to “decrypt” the subdomain and get the original 8 bytes derived from the MAC+domain+MachineGuid MD5 hash.
The output from my “SunburstDomainDecoder.exe” tool will print the “decrypted” 8 byte GUID in the first column,
and the decoded domain segment in the second column.
Each DNS query line read from standard input will generate a “GUID Hostname” line on standard output.
The tool then finishes off by printing out the fragmented domain segments grouped together by their GUID values:
With this help we now know that it was “city.kingston.on.ca”, (City of Kingston, Ontario, Canada) who had installed a trojanized SolarWinds update.
The C# source code and a compiled Windows binary for SunburstDomainDecoder is available here:
The source code and Windows binary is shared under a Creative Commons CC-BY license,
which means that you are free to:
- Share : copy and redistribute the material in any medium or format
- Adapt : remix, transform, and build upon the material for any purpose, even commercially.
Provided that you give appropriate credit, provide a link to the license, and indicate if changes were made.
Running SunburstDomainDecoder on Linux/MacOS
Would you like to verify my findings or learn more about .NET reverse engineering?
Cool, then I’d recommend that you download dnSpy in order to reverse engineer the SUNBURST .NET DLL (which can be extracted from the msp installer with 7zip).
Or you can have a look at the already extracted OrionImprovementBusinessLayer.cs on GitHub.
*** This is a Security Bloggers Network syndicated blog from NETRESEC Network Security Blog authored by Erik Hjelmvik. Read the original post at: https://www.netresec.com/?page=Blog&month=2020-12&post=Reassembling-Victim-Domain-Fragments-from-SUNBURST-DNS