Finding Targeted SUNBURST Victims with pDNS


Our SunburstDomainDecoder tool can now be used to identify
SUNBURST victims that have been explicitly targeted by the attackers.
The only input needed is passive DNS (pDNS) data for avsvmcloud.com subdomains.

Companies and organizations that have installed trojanized a SolarWinds Orion
update containing the SUBURST backdoor will send DNS queries for seemingly random subdomains of avsvmcloud.com.
Some of these DNS queries actually contain the victim’s internal AD domain encoded into the subdomain,
as explained in our blog post
Reassembling Victim Domain Fragments from SUNBURST DNS.

Three Stages of SUNBURST Backdoor Operation

Most SUNBURST victims were luckily not targeted by the attackers.
This means that the backdoor never made it past “STAGE1” of the infection process.
Nevertheless, the attackers did choose to proceed to “STAGE2” with some victims.
As explained in FireEye’s blog post
SUNBURST Additional Technical Details,
the “C2 coordinator” can proceed to the next stage by responding with a DNS A record
pointing to an IP address within any of these three ranges:

  • 18.130.0.0/16
  • 99.79.0.0/16
  • 184.72.0.0/15

Note: “STAGE2” is referred to as “associated mode” in FireEye’s blog post.

SUNBURST backdoors that have entered STAGE2 will allow CNAME records
in DNS responses to be used as new C2 domains.

Sunburst stages 1 to 3 (passive, associated and active)

We have discovered that the SUNBURST backdoor actually uses a single bit in the
queried avsvmcloud.com subdomain in order to flag that it has entered STAGE2 and is
accepting new C2 domains in CNAME records.
This bit is called
flag,
ext or
dnssec
in the malicious SUNBURST implant and can be extracted from
DNS queries that have an encoded timestamp,
such as those indicating which security products that are installed.

Detecting STAGE2 DNS Requests

Our SunburstDomainDecoder tool
has now been updated to include a “STAGE2” tag in the output for DNS queries containing this stage 2 flag.
This means that organizations like national CERTs,
who perform incident response coordination and victim notification,
can now use SunburstDomainDecoder in order to identify and notify targeted SUNBURST victims that have
entered STAGE2.

Here’s the output we get when feeding SunburstDomainDecoder with Bambenek’s
uniq-hostnames.txt
passive DNS data and only displaying lines containing “STAGE2”:


SunburstDomainDecoder.exe < uniq-hostnames.txt | findstr STAGE2

22334A7227544B1E 2020-09-29T04:00:00.0000000Z,STAGE2 5qbtj04rcbp3tiq8bo6t
FC07EB59E028D3EE 2020-06-13T09:00:00.0000000Z,STAGE2 6a57jk2ba1d9keg15cbg
1D71011E992C3D68 2020-06-11T22:30:00.0000000Z,STAGE2 7sbvaemscs0mc925tb99
F90BDDB47E495629 2020-06-13T08:30:00.0000000Z,STAGE2 gq1h856599gqh538acqn
DB7DE5B93573A3F7 2020-06-20T02:30:00.0000000Z,STAGE2 ihvpgv9psvq02ffo77et
3C327147876E6EA4 2020-07-22T17:00:00.0000000Z,STAGE2 k5kcubuassl3alrf7gm3
3C327147876E6EA4 2020-07-23T18:30:00.0000000Z,STAGE2 mhdosoksaccf9sni9icp
1D71011E992C3D68 central.pima.gov,STAGE2
DB7DE5B93573A3F7 coxnet.cox.com,STAGE2,WindowsDefender
F90BDDB47E495629 central.pima.gov,STAGE2

Most of these subdomains are listed in FireEye’s Indicator_Release_NBIs.csv file
as having CNAME pointers to other SUNBURST C2 domains like:
freescanonline[.]com,
deftsecurity[.]com and
thedoccloud[.]com.
But the first domain, with GUID 22334A7227544B1E, was actually not part of FireEye’s IOC data.

Even more STAGE2 domains and GUID values can be found by analyzing other passive DNS resources, such as
this passive DNS dump on pastebin
by Rohit Bansal.


curl -s https://pastebin.com/raw/6EDgCKxd | SunburstDomainDecoder.exe | findstr STAGE2

E258332529826721 2020-07-18T05:00:00.0000000Z,STAGE2 1dbecfd99ku6fi2e5fjb
2039AFE13E5307A1 2020-05-30T14:30:00.0000000Z,STAGE2 4n4vte5gmor7j9lpegsf
22334A7227544B1E 2020-09-29T04:00:00.0000000Z,STAGE2 5qbtj04rcbp3tiq8bo6t
FC07EB59E028D3EE 2020-06-13T09:00:00.0000000Z,STAGE2 6a57jk2ba1d9keg15cbg
1D71011E992C3D68 2020-06-11T22:30:00.0000000Z,STAGE2 7sbvaemscs0mc925tb99
1D71011E992C3D68 2020-06-11T22:30:00.0000000Z,STAGE2 7sbvaemscs0mc925tb99
F90BDDB47E495629 2020-06-13T08:30:00.0000000Z,STAGE2 gq1h856599gqh538acqn
F90BDDB47E495629 2020-06-13T08:30:00.0000000Z,STAGE2 gq1h856599gqh538acqn
DB7DE5B93573A3F7 2020-06-20T02:30:00.0000000Z,STAGE2 ihvpgv9psvq02ffo77et
DB7DE5B93573A3F7 2020-06-20T02:30:00.0000000Z,STAGE2 ihvpgv9psvq02ffo77et
3C327147876E6EA4 2020-07-23T18:30:00.0000000Z,STAGE2 mhdosoksaccf9sni9icp

After removing the domains already present in FireEye’s IOC and a couple of bogus ones we’re left with the following
FQDN’s that have been requested by SUNBURST backdoors in STAGE2:

  • 1dbecfd99ku6fi2e5fjb.appsync-api.us-east-1.avsvmcloud.com
  • 4n4vte5gmor7j9lpegsf.appsync-api.eu-west-1.avsvmcloud.com
  • 5qbtj04rcbp3tiq8bo6t.appsync-api.us-east-1.avsvmcloud.com

Companies and organizations with access to more passive DNS resources will hopefully be able to use SunburstDomainDecoder to identify additional
targeted SUNBURST victims that have progressed to STAGE2.

Download SunburstDomainDecoder

Our tool SunburstDomainDecoder is released under a Creative Commons CC-BY license,
and can be downloaded here:
https://www.netresec.com/files/SunburstDomainDecoder.zip

You can also read more about SunburstDomainDecoder in our blog post
Reassembling Victim Domain Fragments from SUNBURST DNS.

Facebook Share on Facebook  Twitter Tweet  Reddit Submit to reddit.com

*** This is a Security Bloggers Network syndicated blog from NETRESEC Network Security Blog authored by Erik Hjelmvik. Read the original post at: https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS