
Reassembling Victim Domain Fragments from SUNBURST DNS

We are releasing a free tool called SunburstDomainDecoder today,
created to help CERT organizations identify victims of the trojanized SolarWinds software update known as SUNBURST or Solorigate.

[Image: SunburstDomainDecoder.exe output showing int.lukoil-international.uz, tr.technion.ac.il, rst.atlantis-pak.ru, ci.dublin.ca.us and mutualofomahabank.com]


SunburstDomainDecoder can be fed with DNS queries to avsvmcloud.com in order to reveal the internal domain name of the infected company or organization.

Download SunburstDomainDecoder.zip

 

SUNBURST DNS Traffic

SUNBURST victims, who have installed one of the trojanized SolarWinds Orion software updates, will query for domain names formatted like this:

<SUBDOMAIN>.appsync-api.eu-west-1.avsvmcloud.com
<SUBDOMAIN>.appsync-api.us-west-2.avsvmcloud.com
<SUBDOMAIN>.appsync-api.us-east-1.avsvmcloud.com
<SUBDOMAIN>.appsync-api.us-east-2.avsvmcloud.com

The “SUBDOMAIN” string has a different value for each victim, and the second half of this string actually contains an encoded domain name (encrypted with a simple substitution cipher).

RedDrip’s decode.py

The RedDrip Team published a SUNBURST DGA decoding script yesterday,
which can be used to identify SUNBURST victim organizations like CISCO and Belkin by decoding the domain names encoded in the outgoing DNS queries for subdomains of avsvmcloud.com.

This is what it looks like when RedDrip’s decode.py script is fed with domain names from John Bambenek’s uniq-hostnames.txt file.


cat uniq-hostnames.txt | python decode.py

02m6hcopd17p6h450gt3.appsync-api.us-west-2.avsvmcloud.com .gh
039n5tnndkhrfn5cun0y0sz02hij0b12.appsync-api.us-west-2.avsvmcloud.com ad001.mtk.lo
04spiistorug1jq5o6o0.appsync-api.us-west-2.avsvmcloud.com isi
060mpkprgdk087ebcr1jov0te2h.appsync-api.us-east-1.avsvmcloud.com belkin.com
06o0865eliou4t0btvef0b12eu1.appsync-api.us-east-1.avsvmcloud.com gncu.local
07605jn8l36uranbtvef0b12eu1.appsync-api.us-east-1.avsvmcloud.com gncu.local
07q2aghbohp4bncce6vi0odsovertr2s.appsync-api.us-east-1.avsvmcloud.com csnt.princegeor
07ttndaugjrj4pcbtvef0b12eu1.appsync-api.us-east-1.avsvmcloud.com gncu.local
08amtsejd02kobtb6h07ts2fd0b12eu1.appsync-api.eu-west-1.avsvmcloud.com sm-group.local
0b0fbhp20mdsv4scwo11r0oirssrc2vv.appsync-api.us-east-2.avsvmcloud.com ville.terrebonn
[…]

The beauty of this approach is that passive DNS data can be used in order to reliably identify the victims.
This is great news for national CERTs, because they typically have ready access to passive DNS data and can use
the decoded domain names in order to identify and reach out to victims in their country.

After using the python script provided by the RedDrip Team I noticed two things:

  1. The leaked domain names were internal domain names used on the victim organizations’ corporate networks.
    Many of the domains were using the “.local” suffix.
  2. Most of the extracted domains were truncated to around 15 bytes,
    which makes it difficult to identify the victim organization.

Fragmented Domains

I later learned that what seemed to be truncated domains were actually fragmented domains,
where long domain names would be split into multiple queries.
This revelation turns the output from RedDrip’s python tool into an interesting domain name puzzle.
At this point I decided to take a closer look at the malicious SolarWinds update I had downloaded
from SolarWinds’ website a few days ago.
Yes, that’s right: the malicious software update
“SolarWinds-Core-v2019.4.5220-Hotfix5.msp” (MD5: 02af7cec58b9a5da1c542b5a32151ba1)
was still available for download from SolarWinds’ website long after they had been notified about their software being backdoored!

As an example, let’s take a closer look at this DNS query from John Bambenek’s passive DNS data:
r1qshoj05ji05ac6eoip02jovt6i2v0c.appsync-api.us-west-2.avsvmcloud.com

This query can be broken down into three parts:

  1. r1qshoj05ji05ac6 : What is encoded here???
  2. eoip02jovt6i2v0c : The string “city.kingston.” encoded with the substitution cipher mentioned above (the “02” and “0c” pairs are the two escaped dots)
  3. .appsync-api.us-west-2.avsvmcloud.com : DNS trailer without encoded data

So, which “City of Kingston”, or “Kingston City”,
should we contact to let them know that they have installed a trojanized SolarWinds update?
Is it
Kingston Jamaica,
City of Kingston NY USA,
City of Kingston Ontario Canada,
Kingston City Tennessee USA or
City of Kingston Australia?

After analyzing the “SolarWinds.Orion.Core.BusinessLayer.dll” file
(MD5: b91ce2fa41029f6955bff20079468448)
from the “SolarWinds-Core-v2019.4.5220-Hotfix5.msp” I learned that the initial “r1qshoj05ji05ac6” string represents a unique “GUID” value for the infected machine.
This GUID is generated by calculating an MD5 hash of the MAC address of the first active non-Loopback network interface,
the domain name and the “MachineGuid” registry key value in “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography”.

This MD5 hash is then squeezed into a tiny 8 byte array by XOR’ing overlapping bytes.

The “CreateSecureString” function in the trojanized SolarWinds update then “encrypts”
this 8 byte value by XOR’ing each byte with a random one-byte key, which is prepended to the data.
The XOR key and the XOR’ed data are then finally base32 encoded into what makes up the first part of the subdomain to query for.
Don’t let the SUNBURST source code below fool you: it is actually using base32 encoding with a custom alphabet, even though the function is named “Base64Encode”:

[Image: CreateSecureString function in SolarWinds.Orion.Core.BusinessLayer.OrionImprovementBusinessLayer.CryptoHelper. The SUNBURST source code generates a random value between 1 and 127 as XOR key]

Each DNS lookup from an infected machine will query for a unique subdomain because a new XOR key will be generated for each request.
Luckily for us, this XOR key is provided in each request, so we can use it in order to “decrypt” the subdomain and get the original 8 bytes derived from the MAC+domain+MachineGuid MD5 hash.

The output from my “SunburstDomainDecoder.exe” tool will print the “decrypted” 8 byte GUID in the first column,
and the decoded domain segment in the second column.
Each DNS query line read from standard input will generate a “GUID Hostname” line on standard output.


SunburstDomainDecoder.exe < uniq-hostnames.txt

0546E758E92CB9DA .gh
BD6DEFBBE9FEA3A9 ad001.mtk.lo
474AB2A72CDCCB32 g9l3
6393DF26AB6B759E x9qpujz
8B15485D27C2C293 jsyl
3319D107DF738F85 isi
74987897EB1F8316 zl3z
3ED2E979D53B2523 belkin.com
4225A5C345C1FC8E gncu.local
[…]

The tool then finishes off by printing out the fragmented domain segments grouped together by their GUID values:


[…] F9A9387F7D252842 on.ca
F9A9387F7D252842 city.kingston.

5B7A361C77573256 us
5B7A361C77573256 dmv.state.nv.

07C93D55749F584B 7lmwqsixja9cqy
07C93D55749F584B .crqahx7k_ginx

F59BBAACBA3493C0 on.ca
F59BBAACBA3493C0 dufferincounty.

1D71011E992C3D68 central.pima.g
1D71011E992C3D68 ov

8FC146F8A376BF6A .japteo7flaptnu
8FC146F8A376BF6A nde5gaefm

CF611B275B81685B .uonie88ujqqi2p
CF611B275B81685B 7l

With the fragments grouped by GUID we now know that it was “city.kingston.on.ca” (City of Kingston, Ontario, Canada) that had installed a trojanized SolarWinds update.
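To make the decoding steps above concrete, here is an added Python example that is not the SunburstDomainDecoder source and not RedDrip’s decode.py. It base32-decodes the 16-character prefix with SUNBURST’s custom alphabet, takes decoded byte 0 as the XOR key and recovers the 8 byte GUID, undoes the substitution cipher on the rest of the subdomain, and then groups the distinct fragments by GUID, which is what turns the per-query output into the “GUID Hostname” puzzle pieces shown above. The derive_guid function implements the MD5 fold described earlier (hash byte i lands on slot i % 8); the exact text form of the MAC address and the plain concatenation of MAC, domain and MachineGuid are assumptions, as are all function names. The sample queries are copied from the passive DNS lines shown on this page, with one unrelated name added to show that non-SUNBURST queries are skipped.

```python
"""Decode SUNBURST avsvmcloud.com queries and regroup victim-domain fragments by GUID."""
import hashlib
from collections import defaultdict

# Alphabets used by CryptoHelper in the trojanized OrionImprovementBusinessLayer.
BASE32_ALPHABET = "ph2eifo3n5utg1j8d94qrvbmk0sal76c"   # used by the misnamed Base64Encode
SUBST_ALPHABET = "rq3gsalt6u1iyfzop572d49bnx8cvmkewhj"  # substitution cipher for [a-z1-9]
SPECIAL_CHARS = "0_-."                                   # escaped as "0" + one alphabet char
C2_SUFFIXES = tuple(
    f".appsync-api.{region}.avsvmcloud.com"
    for region in ("eu-west-1", "us-west-2", "us-east-1", "us-east-2")
)
GUID_PREFIX_LEN = 16  # the first 16 subdomain characters carry the XOR key and the GUID

def custom_base32_decode(text: str) -> bytes:
    """Inverse of SUNBURST's 'Base64Encode': 5-bit symbols packed low bits first."""
    out, acc, nbits = bytearray(), 0, 0
    for ch in text:
        acc |= BASE32_ALPHABET.index(ch) << nbits
        nbits += 5
        while nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    return bytes(out)

def derive_guid(mac: str, domain: str, machine_guid: str) -> bytes:
    """MD5 over MAC + domain + MachineGuid, folded to 8 bytes (hash byte i XORs slot i % 8).
    Assumption: plain concatenation of the three strings as the host reports them."""
    digest = hashlib.md5((mac + domain + machine_guid).encode()).digest()
    folded = bytearray(8)
    for i, b in enumerate(digest):
        folded[i % 8] ^= b
    return bytes(folded)

def decode_guid(prefix: str) -> str:
    """Undo CreateSecureString: decoded byte 0 is the XOR key, bytes 1..8 are the GUID.
    The key byte is used exactly as stored; its value is not assumed to be below 128."""
    raw = custom_base32_decode(prefix)
    key = raw[0]
    return bytes(b ^ key for b in raw[1:9]).hex().upper()

def decode_domain_fragment(encoded: str) -> str:
    """Undo the substitution cipher: shift a plain character back by 4 positions in
    SUBST_ALPHABET; a '0' escapes one of SPECIAL_CHARS, picked by index(next char) % 4."""
    out, i = [], 0
    while i < len(encoded):
        ch = encoded[i]
        if ch == "0" and i + 1 < len(encoded) and encoded[i + 1] in SUBST_ALPHABET:
            out.append(SPECIAL_CHARS[SUBST_ALPHABET.index(encoded[i + 1]) % 4])
            i += 2
        elif ch in SUBST_ALPHABET:
            out.append(SUBST_ALPHABET[(SUBST_ALPHABET.index(ch) - 4) % len(SUBST_ALPHABET)])
            i += 1
        else:
            out.append("?")  # not produced by this cipher: flag it rather than guess
            i += 1
    return "".join(out)

def decode_query(fqdn: str):
    """Return (guid_hex, fragment) for a SUNBURST query, or None for anything else."""
    fqdn = fqdn.strip().lower().rstrip(".")
    if not fqdn.endswith(C2_SUFFIXES):
        return None
    subdomain = fqdn.split(".", 1)[0]
    prefix, rest = subdomain[:GUID_PREFIX_LEN], subdomain[GUID_PREFIX_LEN:]
    if len(prefix) < GUID_PREFIX_LEN or any(ch not in BASE32_ALPHABET for ch in prefix):
        return None
    return decode_guid(prefix), decode_domain_fragment(rest)

def reassemble(queries) -> dict:
    """Group distinct fragments under the GUID that sent them, in first-seen order.
    Like the page's tool, ordering the pieces into one name is left to the analyst."""
    groups = defaultdict(list)
    for query in queries:
        decoded = decode_query(query)
        if decoded is None:
            continue
        guid, fragment = decoded
        if fragment not in groups[guid]:
            groups[guid].append(fragment)
    return dict(groups)

# Queries copied from the passive DNS lines shown on this page, plus one unrelated name.
SAMPLE_QUERIES = [
    "r1qshoj05ji05ac6eoip02jovt6i2v0c.appsync-api.us-west-2.avsvmcloud.com",
    "060mpkprgdk087ebcr1jov0te2h.appsync-api.us-east-1.avsvmcloud.com",
    "06o0865eliou4t0btvef0b12eu1.appsync-api.us-east-1.avsvmcloud.com",
    "07605jn8l36uranbtvef0b12eu1.appsync-api.us-east-1.avsvmcloud.com",
    "www.example.com",
]

if __name__ == "__main__":
    for guid, fragments in reassemble(SAMPLE_QUERIES).items():
        print(guid, " ".join(fragments))  # the two gncu.local queries collapse to one GUID
```

The two gncu.local queries in the sample decode to different XOR keys but the same GUID, which is the property the grouping step relies on. Note that a sixteen-character prefix decodes to ten bytes, of which this example uses only the key and the eight GUID bytes; a fragment containing characters the substitution cipher never produces is marked with “?” instead of being guessed at.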

Download SunburstDomainDecoder

The C# source code and a compiled Windows binary for SunburstDomainDecoder is available here:
https://www.netresec.com/files/SunburstDomainDecoder.zip

Creative Commons CC-BY

The source code and Windows binary is shared under a Creative Commons CC-BY license,
which means that you are free to:

  • Share : copy and redistribute the material in any medium or format
  • Adapt : remix, transform, and build upon the material for any purpose, even commercially.

Provided that you give appropriate credit, provide a link to the license, and indicate if changes were made.

Running SunburstDomainDecoder on Linux/MacOS

Wanna run SunburstDomainDecoder.exe but not in Windows?
No problem, the tool runs perfectly fine in
Mono.
Another option is to build SunburstDomainDecoder.cs as a .NET Core project on Linux.

.NET Reversing

Would you like to verify my findings or learn more about .NET reverse engineering?
Cool, then I’d recommend that you download dnSpy in order to reverse engineer the SUNBURST .NET DLL (which can be extracted from the msp installer with 7zip).
Or you can have a look at the already extracted OrionImprovementBusinessLayer.cs on GitHub.



*** This is a Security Bloggers Network syndicated blog from NETRESEC Network Security Blog authored by Erik Hjelmvik. Read the original post at: https://www.netresec.com/?page=Blog&month=2020-12&post=Reassembling-Victim-Domain-Fragments-from-SUNBURST-DNS