Kaspersky shares initial analysis into the Sunburst malware, publishes decoder to help targeted users
December 2020 by Kaspersky
Several days ago, a newly discovered supply chain attack was reported. An unknown attacker, referred to as UNC2452 or DarkHalo, planted a backdoor in the SolarWinds Orion IT software, which was downloaded by over 18,000 SolarWinds customers. Kaspersky researchers have examined this backdoor, which comes in the form of a .NET module and proved to have some interesting and rather unique features.
According to the experts, the supply chain attack was designed in a very professional way, with a clear focus on staying undetected for as long as possible. For instance, before making its first internet connection to its command and control servers, the Sunburst malware lies dormant for a long period of up to 2 weeks, which prevents easy detection of this behaviour in sandboxes that only observe a sample for minutes or hours. This explains why the attack was so hard to spot.
In the initial phases, Sunburst communicates with the C&C server by sending encoded DNS (Domain Name System) requests. These requests contain information about the infected computer, letting the attacker decide whether or not the infection is worth developing further.
Using the fact that DNS requests generated by Sunburst encode some of the target's information, together with publicly available scripts for decoding those requests, Kaspersky researchers created their own tools to analyse over 1700 DNS records involved in the incident. That yielded more than 1000 unique target name parts and over 900 unique user IDs. Though this might seem like a large number, it appears the attackers were interested only in what they considered high value targets. Out of over 1000 target names, two appeared to be special but could not be easily decoded, akin to a kind of cryptographic puzzle.
The analysis has revealed that three of the special DNS requests that received "CNAME" replies, indicating a high value target, can be decoded into two domain names that belong to a government organisation and a telecommunications company in the US.
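The two observations above, that the beacon carries encoded host information inside DNS labels and that a CNAME reply marks a target the attacker chose to pursue, give a defender two signals to hunt for in their own resolver logs even without the decoder. The following script is an added example written for this article; it is not Kaspersky's tool and does not implement the Sunburst encoding. It flags unusually long, high-entropy subdomain labels (the generic fingerprint of data encoded into a hostname), groups them per client, and counts how many such queries received a CNAME answer. The log format, the domain `example-cloud.test` and the sample lines are all constructed for the example.

```python
import math
from collections import Counter

# Constructed resolver log, one query per line (not real traffic):
# <timestamp> <client-ip> <query-name> <query-type> <answer-type>
SAMPLE_LOG = """\
2020-12-14T10:00:01Z 10.0.0.5 www.example.com A A
2020-12-14T10:00:02Z 10.0.0.5 kx3q7zv0p9m2wr8tn5ab.appsync.eu-west-1.example-cloud.test A A
2020-12-14T10:00:03Z 10.0.0.7 mail.example.com A A
2020-12-14T10:00:04Z 10.0.0.5 8dw5m2qz0vx7ktr3hn9p.appsync.us-west-2.example-cloud.test A CNAME
2020-12-14T10:00:05Z 10.0.0.9 cdn.example.com A A
"""


def shannon_entropy(text):
    """Bits of entropy per character; encoded data scores high, words score low."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def suspicious_labels(qname, min_len=16, min_entropy=3.5):
    """Return the labels of a query name that look like encoded payloads.

    Thresholds are heuristic assumptions for this example: ordinary hostnames
    are short or repetitive, while an encoded identifier is long and close to
    uniformly distributed over its alphabet.
    """
    return [
        label
        for label in qname.lower().split(".")
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy
    ]


def analyze_dns_log(log_text):
    """Group suspicious queries by client and count CNAME answers per client.

    A client that repeatedly sends encoded labels is a beaconing candidate;
    a CNAME answer to such a query is the stronger signal, since in the
    campaign described above it marked targets the attacker selected.
    """
    findings = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than guessing
        _ts, client, qname, _qtype, rtype = parts
        labels = suspicious_labels(qname)
        if not labels:
            continue
        entry = findings.setdefault(
            client, {"encoded_queries": 0, "cname_replies": 0, "names": []}
        )
        entry["encoded_queries"] += 1
        if rtype.upper() == "CNAME":
            entry["cname_replies"] += 1
        entry["names"].append(qname)
    return findings


if __name__ == "__main__":
    for client, info in analyze_dns_log(SAMPLE_LOG).items():
        print(f"{client}: {info['encoded_queries']} encoded queries, "
              f"{info['cname_replies']} CNAME replies")
        for name in info["names"]:
            print(f"    {name}")
```

In practice the thresholds need tuning against a baseline of the organisation's own traffic, because CDNs and cloud APIs also use long hashed labels; the value of the heuristic is in the combination of a high-entropy label, the same client repeating it, and a CNAME answer on a name nobody in the organisation would resolve on purpose.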
The company has already notified the two organisations, offering its support to discover further malicious activities, if needed.
“We spent the past days checking our own telemetry for signs of this attack, writing additional detections and making sure that our users are protected. At the moment, we identified approximately 100 customers who downloaded the trojanised package containing the Sunburst backdoor. Further investigation is ongoing, and we will continue to update with our findings,” comments Costin Raiu, head of Kaspersky’s Global Research and Analysis team.
To help the community identify other targets that were of interest to the attackers, Kaspersky has published the source code of the decoder: https://github.com/2igosha/sunburst_dga