SolarWinds: How a Rare DGA Helped Attacker Communications Fly Under the Radar

Threat Hunter Team, Symantec

In the weeks since news of the SolarWinds attacks broke, we’ve continued our analysis into the tools used by the attackers. One of the most interesting things we’ve seen is the way the attackers configured their malware in order to contact a command and control (C&C) server via DNS communications. It’s a technique that is rarely used, but there have been some reports of other APT groups such as Crambus (aka Oilrig) using it previously.
Sunburst (Backdoor.Sunburst), the malware which was used to Trojanize the SolarWinds Orion software, uses a domain generation algorithm (DGA) to generate domain names to contact for C&C purposes. However, unlike most DGAs, this DGA does not just randomly generate characters. Instead, information is encoded into the text that makes up the generated domain names. By doing so, initial C&C actually happens via DNS, which provides a stealthier level of communications.
For each infected computer, Sunburst generates a unique ID, referred to as a userid. The userid is made up of the first active MAC address that is not the loopback address, concatenated with the Windows Domain name of the computer, and then concatenated with the Windows installation UUID, a randomly generated value created at Windows installation time and stored in HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid. These three values are then MD5 hashed and the first 64 bits are XOR’d with the last 64 bits, resulting in a unique 64-bit userid.
Because multiple DNS requests will have to be made to transmit all payload information, the attackers require a unique ID to know from which computer the information is coming. DNS is a distributed protocol, meaning the infected computer does not contact the attacker’s C&C server directly, but instead the ..
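To make the userid derivation concrete for defenders who want to compute the expected value for a host they are hunting on, here is an added example written for this post; it is not Sunburst’s code or Symantec’s. The MAC formatting (12 uppercase hex digits, no separators), the ASCII encoding of the concatenated string, and the sample host values are assumptions, and `xor_fold_md5` is a helper name chosen here.

```python
import hashlib


def normalize_mac(mac: str) -> str:
    """Return a MAC address as 12 uppercase hex digits with separators removed.

    Assumption: the post only says the first active non-loopback MAC is used;
    the exact string form is not specified, so this format is assumed.
    """
    digits = "".join(ch for ch in mac if ch.isalnum())
    if len(digits) != 12 or any(ch not in "0123456789abcdefABCDEF" for ch in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.upper()


def xor_fold_md5(text: str) -> bytes:
    """MD5 the text, then XOR the first 64 bits of the digest with the last 64 bits.

    Byte-wise XOR of the two 8-byte halves is endianness-independent, so the
    result is the same 64-bit value however the halves are read as integers.
    """
    digest = hashlib.md5(text.encode("ascii")).digest()  # 16 bytes
    first, last = digest[:8], digest[8:]
    return bytes(a ^ b for a, b in zip(first, last))  # 8 bytes = 64 bits


def sunburst_userid(mac: str, windows_domain: str, machine_guid: str) -> bytes:
    """Derive the 64-bit userid as described: MD5(MAC + domain + MachineGuid), folded."""
    return xor_fold_md5(normalize_mac(mac) + windows_domain + machine_guid)


def sunburst_userid_hex(mac: str, windows_domain: str, machine_guid: str) -> str:
    """Hex form of the userid, convenient for matching against DNS telemetry."""
    return sunburst_userid(mac, windows_domain, machine_guid).hex()


if __name__ == "__main__":
    # Constructed sample host values; they are not from any real incident.
    print(sunburst_userid_hex("00:11:22:33:44:55", "corp.example",
                              "0a1b2c3d-4e5f-6071-8293-a4b5c6d7e8f9"))
```

Given a host’s MAC, domain and MachineGuid from inventory, the resulting 16 hex characters are what a hunter would expect to see encoded (after the malware’s further encoding steps) in that host’s DGA queries.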