SolarWinds: Insights into Attacker Command and Control Process


Threat Hunter Team, Symantec




In our most recent blog on the SolarWinds attacks, we examined the domain generation algorithm (DGA) used to initiate contact with the attackers’ command and control (C&C) servers. The control flow, i.e., what happens after that contact is made, is also noteworthy.
The control flow of Sunburst varies depending on the commands received from the attacker. However, the general control flow can be reconstructed in order to understand how communications would have progressed on machines that were of interest to the attackers.
As described in our previous blog, two types of DNS requests are used for initial communications, and both receive DNS replies. The attackers use two fields in the DNS replies: A records for control flow and CNAME records to carry data about a secondary C&C server.
IP addresses as commands
Normally, when querying DNS, a hostname string is provided to be translated into a numeric IP address, e.g., google.com may translate into 142.250.72.238. The IP address is held in the A record of the response. Sunburst parses the A record for IP addresses, but it does not use them as IP addresses at all; they are instead triggers for different malware behavior. Rather than selecting random IP addresses to trigger different behaviors, the attackers selected IP address ranges belonging to Google, Amazon, and Microsoft, possibly in order to reduce the chances of detection. Again, these IPs are not used as IP addresses in any way, and the actual computer systems with these IP addresses are never contacted by the malware.
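Because the resolved address is a signal rather than a destination, one defender-side check that follows from this is to correlate DNS answers with outbound connections and flag A records a host resolved but never connected to. The following is an added example, not code from the Symantec post; the log format, the placeholder DGA-style names and the RFC 5737 addresses standing in for cloud-provider ranges are all constructed.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). RFC 5737 test addresses stand
# in for the cloud-provider ranges the post mentions; the DGA-style names are
# placeholders, not the real Sunburst domain.
# DNS_LOG fields:  timestamp client queried_name answered_A_record
# CONN_LOG fields: timestamp client destination_ip
DNS_LOG = """\
2020-12-14T10:00:01 10.1.2.3 www.example.com 192.0.2.10
2020-12-14T10:00:05 10.1.2.3 k6h4r2u7f1a8.placeholder-c2.example 198.51.100.7
2020-12-14T10:02:10 10.1.2.3 m2p9x4q1l7z3.placeholder-c2.example 203.0.113.9
2020-12-14T10:03:00 10.1.2.4 mail.example.com 192.0.2.25
"""
CONN_LOG = """\
2020-12-14T10:00:02 10.1.2.3 192.0.2.10
2020-12-14T10:03:01 10.1.2.4 192.0.2.25
"""


def parse_log(text):
    """Split whitespace-separated log lines into tuples, parsing the timestamp."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *rest = line.split()
        rows.append((datetime.fromisoformat(ts), *rest))
    return rows


def resolved_but_never_contacted(dns_text, conn_text, window=timedelta(minutes=5)):
    """Return (client, name, ip) for every A-record answer that the same client
    did not follow with a connection to that ip within `window`."""
    conns = parse_log(conn_text)  # (timestamp, client, destination)
    hits = []
    for ts, client, name, ip in parse_log(dns_text):
        followed = any(c == client and dst == ip and ts <= cts <= ts + window
                       for cts, c, dst in conns)
        if not followed:
            hits.append((client, name, ip))
    return hits


if __name__ == "__main__":
    for client, name, ip in resolved_but_never_contacted(DNS_LOG, CONN_LOG):
        print(f"{client} resolved {name} -> {ip} but never connected to it")
```

Resolution without a follow-up connection also occurs benignly (browser prefetching, MX or health-check lookups), so this is a triage filter to combine with the DGA-style name check from the previous post rather than an alert on its own. It assumes the connection log sees the host's direct egress; traffic through a forward proxy would need the proxy's destination field instead.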
The IP address value received in the DNS reply represents one of five behaviors depending on the current state:
Continue sending additional Windows domain name chunks
Send product security st ..
