Identifying SUNBURST Infection Stages with Passive DNS: SunburstDomainDecoder Tool Update

Overview

The SunburstDomainDecoder tool can now identify victims of the SUNBURST backdoor. By feeding the tool passive DNS (pDNS) data for subdomains of avsvmcloud.com, an organization can determine whether it was compromised by SUNBURST and how far the infection progressed.

If the SolarWinds Orion update containing the SUNBURST backdoor was installed on servers within a company or organization, those servers sent seemingly random DNS queries for subdomains of avsvmcloud.com. Some of these queries carry the victim's internal Active Directory (AD) domain name, encoded in the subdomain label.

Three Operational Stages of the SUNBURST Backdoor

Most SUNBURST victims were fortunate: the attackers never followed up with an actual intrusion, so most SUNBURST backdoors never advanced beyond the first stage of the infection. For a small number of targets of interest, however, the attackers moved the infection on to the second stage. To do so, their "C2 coordinator" answered the backdoor's DNS query with an A record inside one of the following IP ranges:

18.130.0.0/16
99.79.0.0/16
184.72.0.0/15

Once a SUNBURST backdoor has entered the second stage, it takes the CNAME record in that DNS response as its new C2 domain.
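The stage 2 hand-off described above can be spotted directly in passive DNS: an avsvmcloud.com query answered with an A record in one of the three ranges, accompanied by a CNAME that names the new C2 domain. The script below is an added example and not code from the original post or from SunburstDomainDecoder; it assumes a simple `qname,rrtype,rdata` row layout (real pDNS exports differ per provider, so `parse_pdns` is the function to adapt), and every label, address and CNAME target in `PDNS_SAMPLE` is constructed.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# The three A-record ranges the post lists for the "C2 coordinator" response
# that moves a SUNBURST implant from stage 1 to stage 2.
STAGE2_RANGES = [
    ipaddress.ip_network(n)
    for n in ("18.130.0.0/16", "99.79.0.0/16", "184.72.0.0/15")
]
DGA_SUFFIX = ".avsvmcloud.com"

# Constructed sample pDNS rows (qname,rrtype,rdata). Labels, addresses and
# CNAME targets are made up; the row layout is an assumption, not a real export.
PDNS_SAMPLE = """\
aaaaaaaaaaaaaaaaaaaa.appsync-api.us-east-1.avsvmcloud.com,A,18.130.20.5
aaaaaaaaaaaaaaaaaaaa.appsync-api.us-east-1.avsvmcloud.com,CNAME,stage2-c2.example.test.
bbbbbbbbbbbbbbbbbbbb.appsync-api.eu-west-1.avsvmcloud.com,A,203.0.113.45
cccccccccccccccccccc.appsync-api.us-west-2.avsvmcloud.com,A,184.73.200.9
dddddddddddddddddddd.appsync-api.us-east-2.avsvmcloud.com,A,99.79.1.1
dddddddddddddddddddd.appsync-api.us-east-2.avsvmcloud.com,CNAME,other-c2.example.test.
www.example.test,A,18.130.1.1
"""


def in_stage2_range(addr: str) -> bool:
    """True if an A record lies inside one of the stage 2 signalling ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed rdata is never a stage 2 signal
    return ip.version == 4 and any(ip in net for net in STAGE2_RANGES)


@dataclass(frozen=True)
class Stage2Hit:
    qname: str              # avsvmcloud.com FQDN the implant queried
    a_record: str           # A record that signalled the move to stage 2
    new_c2: Optional[str]   # CNAME target the implant adopts as its new C2, if seen


def parse_pdns(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Group pDNS rows by qname -> rrtype -> [rdata, ...]; malformed rows are skipped."""
    records: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        parts = [p.strip() for p in raw.split(",")]
        if len(parts) != 3 or not parts[0] or parts[0].startswith("#"):
            continue
        qname, rrtype, rdata = parts
        records[qname.lower().rstrip(".")][rrtype.upper()].append(rdata.lower().rstrip("."))
    return records


def find_stage2(text: str) -> List[Stage2Hit]:
    """One Stage2Hit per avsvmcloud.com qname whose A record falls in a stage 2 range."""
    hits = []
    for qname, rrsets in parse_pdns(text).items():
        if not qname.endswith(DGA_SUFFIX):
            continue  # other names in the same pDNS dump are irrelevant here
        stage2_a = [a for a in rrsets.get("A", []) if in_stage2_range(a)]
        if not stage2_a:
            continue  # stage 1 reply, or no A record recorded at all
        cnames = rrsets.get("CNAME", [])
        hits.append(Stage2Hit(qname, stage2_a[0], cnames[0] if cnames else None))
    return sorted(hits, key=lambda h: h.qname)


if __name__ == "__main__":
    for hit in find_stage2(PDNS_SAMPLE):
        print(f"{hit.qname}  A={hit.a_record}  new C2={hit.new_c2 or '(no CNAME seen)'}")
```

A hit with `new_c2` set to `None` (the `cccc...` row in the sample) still deserves attention: the coordinator told that implant to advance, but the pDNS source simply did not record the CNAME, so the new C2 domain has to be recovered from another source.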


Our research shows that the SUNBURST backdoor sets a bit in its subdomain queries to avsvmcloud.com to signal that it has entered the second stage and is receiving a new C2 domain through the CNAME record. The SUNBURST implant refers to this bit as flag, ext or dnssec. It can be extracted from the DNS queries that carry an encoded timestamp, which are also the queries that report which security products are installed on the host.

Detecting Second Stage Infection DNS Requests

Our SunburstDomainDecoder tool has now been updated to print a "STAGE2" tag for DNS queries that carry the second stage flag. This means that national CERTs and other organizations that coordinate incident response and victim notification can use SunburstDomainDecoder to identify, and notify, the targeted SUNBURST victims whose infection reached the second stage.

In the example below we run SunburstDomainDecoder on Bambenek's uniq-hostnames.txt passive DNS data and show only the entries tagged "STAGE2":

SunburstDomainDecoder.exe < uniq-hostnames.txt | findstr STAGE2
22334A7227544B1E 2020-09-29T04:00:00.0000000Z,STAGE2 5qbtj04rcbp3tiq8bo6t
FC07EB59E028D3EE 2020-06-13T09:00:00.0000000Z,STAGE2 6a57jk2ba1d9keg15cbg
1D71011E992C3D68 2020-06-11T22:30:00.0000000Z,STAGE2 7sbvaemscs0mc925tb99
F90BDDB47E495629 2020-06-13T08:30:00.0000000Z,STAGE2 gq1h856599gqh538acqn
DB7DE5B93573A3F7 2020-06-20T02:30:00.0000000Z,STAGE2 ihvpgv9psvq02ffo77et
3C327147876E6EA4 2020-07-22T17:00:00.0000000Z,STAGE2 k5kcubuassl3alrf7gm3
3C327147876E6EA4 2020-07-23T18:30:00.0000000Z,STAGE2 mhdosoksaccf9sni9icp
1D71011E992C3D68 central.pima.gov,STAGE2
DB7DE5B93573A3F7 coxnet.cox.com,STAGE2,WindowsDefender
F90BDDB47E495629 central.pima.gov,STAGE2

Most of these subdomains appear in FireEye's Indicator_Release_NBIs.csv file, which lists their CNAME pointers to other SUNBURST C2 domains such as freescanonline[.]com, deftsecurity[.]com and thedoccloud[.]com. The first entry (GUID 22334A7227544B1E), however, is not part of FireEye's indicator data.
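Two things an incident coordinator does with this output by hand are to join the STAGE2 timestamp lines to the reassembled AD domain lines that share a GUID, and to strip out DGA labels that an IoC list already covers. The script below is an added example, not code from the original post or from SunburstDomainDecoder. It parses the line layout the tool prints above (`GUID <timestamp|domain>[,TAG...] [dga-label]`); `DECODER_OUTPUT` is the output shown above, while `KNOWN_IOC_NAMES` is a constructed stand-in for labels extracted from an IoC file and does not reproduce FireEye's CSV.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}")
GUID_RE = re.compile(r"[0-9A-F]{16}")

# The STAGE2 lines printed by SunburstDomainDecoder in the post above.
DECODER_OUTPUT = """\
22334A7227544B1E 2020-09-29T04:00:00.0000000Z,STAGE2 5qbtj04rcbp3tiq8bo6t
FC07EB59E028D3EE 2020-06-13T09:00:00.0000000Z,STAGE2 6a57jk2ba1d9keg15cbg
1D71011E992C3D68 2020-06-11T22:30:00.0000000Z,STAGE2 7sbvaemscs0mc925tb99
F90BDDB47E495629 2020-06-13T08:30:00.0000000Z,STAGE2 gq1h856599gqh538acqn
DB7DE5B93573A3F7 2020-06-20T02:30:00.0000000Z,STAGE2 ihvpgv9psvq02ffo77et
3C327147876E6EA4 2020-07-22T17:00:00.0000000Z,STAGE2 k5kcubuassl3alrf7gm3
3C327147876E6EA4 2020-07-23T18:30:00.0000000Z,STAGE2 mhdosoksaccf9sni9icp
1D71011E992C3D68 central.pima.gov,STAGE2
DB7DE5B93573A3F7 coxnet.cox.com,STAGE2,WindowsDefender
F90BDDB47E495629 central.pima.gov,STAGE2
"""

# Constructed stand-in for names taken from an IoC list (e.g. FireEye's
# Indicator_Release_NBIs.csv). It does not reproduce that file; the last entry
# is a made-up defanged FQDN included only to exercise dga_label().
KNOWN_IOC_NAMES = {
    "6a57jk2ba1d9keg15cbg", "7sbvaemscs0mc925tb99", "gq1h856599gqh538acqn",
    "ihvpgv9psvq02ffo77et", "k5kcubuassl3alrf7gm3", "mhdosoksaccf9sni9icp",
    "zzzzzzzzzzzzzzzzzzzz.appsync-api.us-east-1.avsvmcloud[.]com",
}


@dataclass
class Victim:
    guid: str
    domains: set = field(default_factory=set)        # reassembled AD domains
    stage2_labels: set = field(default_factory=set)  # DGA labels carrying the flag
    tags: set = field(default_factory=set)           # STAGE2, security products, ...
    timestamps: list = field(default_factory=list)


def parse_decoder_output(text: str) -> Dict[str, Victim]:
    """Parse decoder lines into {guid: Victim}, merging all lines that share a GUID."""
    victims: Dict[str, Victim] = {}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 2 or not GUID_RE.fullmatch(parts[0]):
            continue  # blank line, or something that is not decoder output
        guid, payload = parts[0], parts[1]
        label = parts[2] if len(parts) > 2 else None
        v = victims.setdefault(guid, Victim(guid))
        head, *tags = payload.split(",")
        v.tags.update(tags)
        if TIMESTAMP_RE.match(head):
            v.timestamps.append(head)
            if "STAGE2" in tags and label:
                v.stage2_labels.add(label.lower())
        else:
            v.domains.add(head.lower())  # a reassembled AD domain line
    return victims


def dga_label(name: str) -> str:
    """First DNS label of a (possibly defanged) FQDN, lower-cased."""
    return name.replace("[.]", ".").strip().lower().split(".")[0]


def stage2_victims(victims: Dict[str, Victim]) -> List[Tuple[str, List[str], List[str]]]:
    """(guid, AD domains, STAGE2 labels) for every GUID that carried the STAGE2 tag."""
    return [(g, sorted(v.domains), sorted(v.stage2_labels))
            for g, v in sorted(victims.items()) if "STAGE2" in v.tags]


def new_stage2_labels(victims: Dict[str, Victim], known: Iterable[str]) -> Dict[str, List[str]]:
    """STAGE2 DGA labels not already covered by the IoC list, keyed by GUID."""
    known_labels = {dga_label(n) for n in known}
    out: Dict[str, List[str]] = {}
    for guid, v in sorted(victims.items()):
        fresh = sorted(l for l in v.stage2_labels if l not in known_labels)
        if fresh:
            out[guid] = fresh
    return out


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else DECODER_OUTPUT
    victims = parse_decoder_output(text)
    for guid, domains, labels in stage2_victims(victims):
        print(guid, ",".join(domains) or "(domain not reassembled)", " ".join(labels))
    print("not in IoC list:", new_stage2_labels(victims, KNOWN_IOC_NAMES))
```

Pipe the decoder into it (`SunburstDomainDecoder.exe < uniq-hostnames.txt | python correlate.py`) or run it bare to use the embedded sample. Because the SUNBURST GUID identifies an individual infected host, the two GUIDs that both reassemble to central.pima.gov in the output above are two separate Orion installations in the same AD domain, and each gets its own row.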

Other passive DNS sources, such as Rohit Bansal's passive DNS dump on pastebin, yield additional STAGE2 domains and GUIDs:

curl -s https://pastebin.com/raw/6EDgCKxd | SunburstDomainDecoder.exe | findstr STAGE2
E258332529826721 2020-07-18T05:00:00.0000000Z,STAGE2 1dbecfd99ku6fi2e5fjb
2039AFE13E5307A1 2020-05-30T14:30:00.0000000Z,STAGE2 4n4vte5gmor7j9lpegsf
22334A7227544B1E 2020-09-29T04:00:00.0000000Z,STAGE2 5qbtj04rcbp3tiq8bo6t
FC07EB59E028D3EE 2020-06-13T09:00:00.0000000Z,STAGE2 6a57jk2ba1d9keg15cbg
1D71011E992C3D68 2020-06-11T22:30:00.0000000Z,STAGE2 7sbvaemscs0mc925tb99
1D71011E992C3D68 2020-06-11T22:30:00.0000000Z,STAGE2 7sbvaemscs0mc925tb99
F90BDDB47E495629 2020-06-13T08:30:00.0000000Z,STAGE2 gq1h856599gqh538acqn
F90BDDB47E495629 2020-06-13T08:30:00.0000000Z,STAGE2 gq1h856599gqh538acqn
DB7DE5B93573A3F7 2020-06-20T02:30:00.0000000Z,STAGE2 ihvpgv9psvq02ffo77et
DB7DE5B93573A3F7 2020-06-20T02:30:00.0000000Z,STAGE2 ihvpgv9psvq02ffo77et
3C327147876E6EA4 2020-07-23T18:30:00.0000000Z,STAGE2 mhdosoksaccf9sni9icp

After removing the subdomains already present in FireEye's IoC file, plus a few that were obviously spoofed, we are left with the following FQDNs that SUNBURST backdoors requested in STAGE2:

1dbecfd99ku6fi2e5fjb.appsync-api.us-east-1.avsvmcloud.com
4n4vte5gmor7j9lpegsf.appsync-api.eu-west-1.avsvmcloud.com
5qbtj04rcbp3tiq8bo6t.appsync-api.us-east-1.avsvmcloud.com

Organizations with access to additional passive DNS resources can use SunburstDomainDecoder to identify more victims that have advanced to the second stage.

Download SunburstDomainDecoder

The download link for SunburstDomainDecoder is in the original post.
