{
	"id": "949bb7e6-f3d4-4ab4-b87b-25602f0a3f59",
	"created_at": "2026-04-06T00:21:01.467521Z",
	"updated_at": "2026-04-10T03:37:36.876428Z",
	"deleted_at": null,
	"sha1_hash": "4fbe010ac3ffd4cc2997cbf331a75b3497a971b6",
	"title": "SolarWinds: How a Rare DGA Helped Attacker Communications Fly Under the Radar",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44249,
	"plain_text": "SolarWinds: How a Rare DGA Helped Attacker Communications\r\nFly Under the Radar\r\nArchived: 2026-04-05 13:12:00 UTC\r\nIn the weeks since news of the SolarWinds attacks broke, we’ve continued our analysis into the tools used by the\r\nattackers. One of the most interesting things we’ve seen is the way the attackers configured their malware in order\r\nto contact a command and control (C\u0026C) server via DNS communications. It’s a technique that is rarely used, but\r\nthere have been some reports of other APT groups such as Crambus (aka Oilrig) using it previously.\r\nSunburst (Backdoor.Sunburst), the malware which was used to Trojanize the SolarWinds Orion software, uses a\r\ndomain generation algorithm (DGA) to generate domain names to contact for C\u0026C purposes. However, unlike\r\nmost DGAs, this DGA does not just randomly generate characters. Instead, information is encoded into the text\r\nthat makes up the generated domain names. By doing so, initial C\u0026C actually happens via DNS, which provides a\r\nstealthier level of communications.\r\nFor each infected computer, Sunburst generates a unique ID, referred to as a userid. The userid is made up of the\r\nfirst active MAC address that is not the loopback address, concatenated with the Windows Domain name of the\r\ncomputer, and then concatenated with the Windows installation UUID, a randomly generated value at Windows\r\ninstallation time stored in HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid. These three values are\r\nthen MD5 hashed and the first 64 bits are XOR’d with the last 64 bits, resulting in a unique 64-bit userid.\r\nBecause multiple DNS requests will have to be made to transmit all payload information, the attackers require a\r\nunique ID to know which computer the information is coming from. DNS is a distributed protocol, meaning\r\nthe infected computer does not contact the attacker’s C\u0026C server directly, but instead the DNS request is passed\r\nthrough multiple intermediaries before reaching the attacker DNS server. Only by including the userid within the\r\nDNS request will the attackers be able to combine the multiple requests.\r\nThe DNS lookup will be in one of the following forms:\r\n\u003cencoded information\u003e.appsync-api.eu-west-1.avsvmcloud.com\r\n\u003cencoded information\u003e.appsync-api.us-west-2.avsvmcloud.com\r\n\u003cencoded information\u003e.appsync-api.us-east-1.avsvmcloud.com\r\n\u003cencoded information\u003e.appsync-api.us-east-2.avsvmcloud.com\r\nThe encoded information will be in one of two forms providing the attackers either the Windows domain name of\r\nthe infected organization or security product statuses and feedback on the infected machine.\r\nWindows Domain Name Payload\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-unique-dga\r\nPage 1 of 3\n\nInitially, after Sunburst checks for or bypasses security tools and products, the first DNS lookup will occur\r\ncontaining the infected computer’s Windows domain name or a portion thereof, encoded into the C\u0026C domain.\r\nThe Windows domain is usually a human-readable string representing the name of the organization the machine\r\nbelongs to, e.g. AcmeA1Corp.\r\nThe DGA will start by prepending the aforementioned userid with a randomly chosen key byte between 0x81 and\r\n0xFE followed by the userid XOR’d with the key byte. These nine bytes are then encoded in a fashion similar to\r\nBase64, resulting in 15 characters.\r\nThis string of characters is then followed by the Windows domain name, encoded. Because Windows domain\r\nnames can be up to 253 characters long, Sunburst chooses to segment the Windows domain names into 14\r\ncharacter chunks preceded by the chunk number (where the first chunk number is 0). Windows domain names\r\nlonger than 14 characters will thus require more than one DNS lookup to provide the entire Windows domain\r\nname.\r\nSunburst will also resend previously sent chunks if an error was encountered or, under certain error conditions, set\r\nthe chunk number to a negative one. The segment chunk number and the Windows domain name are both encoded\r\nseparately and appended to the encoded userid. These elements form the subdomain of the domain. This domain is\r\nqueried via DNS, which results in this encoded information reaching the attacker’s DNS server. The attacker can\r\nthen decode the information and reply with further instructions, which will be covered in a future blog.\r\nSunburst does not automatically generate multiple DNS queries in order to send the entire Windows domain name.\r\nWhether Sunburst will send the remaining 14-character segments depends on the response received from the\r\ninitial DNS query. Because Sunburst was delivered via a supply chain attack, many systems that are not of interest\r\nwill be infected. By encoding the first 14 characters of the Windows domain name into the first DNS query, the\r\nattackers are able to triage infections and only mount second-stage attacks on systems of interest - those that have\r\nWindows domain names that match organizations they wish to target.\r\nSecurity Product Status and Feedback Payload\r\nDepending on the response to the first DNS lookup, a second DNS lookup may occur that encodes the status of\r\ninstalled security products on the system and information on whether the DNS communication has been\r\nsuccessful.\r\nFirst, the userid is XOR’d by the third and second bytes of a timestamp value described below in an alternating\r\nfashion before being XOR’d by a randomly chosen key byte between 0x01 and 0x7E that is then prepended to the\r\nuserid. The first byte thus provides not only the key byte, but informs the attackers if the remaining content will\r\ncontain the Windows domain name payload (key byte is between 0x81 and 0xFE) or the security product status\r\nand feedback payload (key byte is between 0x01 and 0x7E).\r\nAfter the userid, a nibble (half a byte) is used to specify if the security payload information has content (nibble is\r\nset to 2) or is blank (nibble is set to 1). This is followed by a timestamp in UTC of when the DNS query was sent,\r\ngranular to 30-minute increments. The last bit of the timestamp is set to a bit flag representing whether the\r\nprevious DNS response successfully contained partial or full instructions to start the secondary HTTP\r\ncommunication channel. This may have been designed by the attackers as a feedback mechanism to ensure the\r\nDNS communication mechanism is working before sending the full HTTP communication channel details and, in\r\nthe case of full details, a signal that the HTTP communication should have already started. After the timestamp,\r\nthe security product status payload is optionally provided if select security product services were found as\r\nrunning.\r\nThe two bytes contain a bitmask that encodes information on whether any of the following security products were\r\nnot found, or found running and/or subsequently disabled and stopped:\r\nCrowdStrike\r\nCarbon Black\r\nFireEye\r\nESET\r\nF-Secure\r\nMicrosoft Defender\r\nThe userid, timestamp, feedback bit, and optional security product data are then encoded into text as the\r\nsubdomain of a DNS query that is sent to the attackers.\r\nThe responses to these DNS queries may then contain control information for the threat to terminate or launch a\r\nsecondary HTTP communication channel, something that we plan to cover in a subsequent blog.\r\nProtection/Mitigation\r\nTools associated with these attacks will be detected and blocked on machines running Symantec Endpoint\r\nproducts.\r\nFile-based protection:\r\nBackdoor.Sunburst\r\nBackdoor.Sunburst!gen1\r\nBackdoor.SuperNova\r\nBackdoor.Teardrop\r\nNetwork-based protection:\r\nSystem Infected: Sunburst Malware Activity\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-unique-dga",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-unique-dga"
	],
	"report_names": [
		"solarwinds-unique-dga"
	],
	"threat_actors": [
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434861,
	"ts_updated_at": 1775792256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4fbe010ac3ffd4cc2997cbf331a75b3497a971b6.pdf",
		"text": "https://archive.orkl.eu/4fbe010ac3ffd4cc2997cbf331a75b3497a971b6.txt",
		"img": "https://archive.orkl.eu/4fbe010ac3ffd4cc2997cbf331a75b3497a971b6.jpg"
	}
}