# SolarWinds Attack: Sunburst's DLL Technical Analysis **notes.netbytesec.com/2021/01/solarwinds-attack-sunbursts-dll.html** Fareed Fauzi Posted by Fareed Fauzi ## Introduction In late 2020, a sophisticated SolarWinds attack that hit organizations through the supply chain has recently been disclosed by various sources. This was done via a compromised version of SolarWinds Orion which we called the backdoor with the name “Sunburst”. Once the update (include the malicious DLL) is installed, the malicious DLL will be imported and loaded by the legitimate SolarWinds.BusinessLayerHost.exe executable. Sunburst is a trojan version of a digitally signed SolarWinds Orion plugin named **_SolarWinds.Orion.Core.BusinessLayer.dll. The malicious DLL contains a backdoor code used to initiate a_** function that will do the communication with the victim’s system via HTTP to the attacker’s command and control server [1]. The malicious code initiation will give full access to the victim which may retrieve and execute commands that instruct the backdoor to transfer files, remote execution, profile victim’s system information, and complete control over the affected system. ## Technical Analysis **Name: SolarWinds.Orion.Core.BusinessLayer.dll** **MD5: b91ce2fa41029f6955bff20079468448** **File type: Dynamic Link Library** The malicious function code that was being patched in the compromised DLL by the attacker resides in OrionImprovementBusinessLayer.Initialize which all malicious subfunctions were started right here. The function Initialize was invoked at line 119 by the parent function RefreshInternal as shown in Figure 1 below. ----- Figure 1: Invoking of Initialize function In the Initialize method in Figure 2 below, we can see that the code trying to check if the current process executable is solarwinds.businesslayerhost where the hash of the current process being generated by the function GetHash. Figure 2: Check if the current process is solarwinds.businesslayerhost The code use function GetHash to check the hash of the process. We will see this GetHash function often after this as the attacker obfuscate those important strings. Deep diving into the code of the GetHash will give us ideas how things get going. Looking into the subroutine GetHash, the function uses Fowler–Noll–Vo [hash (FNV-1a) + XOR algorithm which we can refer to in Wikipedia. Figures 3 and 4 below comparing the](https://en.wikipedia.org/wiki/Fowler%E2%80%93Noll%E2%80%93Vo_hash_function) algorithm being used. ----- Figure 3: GetHash function Figure 3: Wikipedia's FNV-1a explained The next thing that needs to be explained in the Initialize function is at lines 116 to 118 in figure 4 below. At these lines, the malware waits about two weeks/12 days before it executes to avoid any suspicious activity detection. ----- Figure 4: The malware waits for about 2 weeks to execute After about 2 weeks, the malware starts to execute the next line where the malware creates the named pipe **_583da945-62af-10e8-4902-a8f205c72b2e to ensure only one instance of the backdoor is running._** Figure 5: The sample creates named pipe In figure 5, after creates the named pipe, the sample check for modes of operation as described by FireEye. If the mode return "Truncate", the malware will be terminate and exit. ----- Figure 6: Makes some delay execution After the truncate mode being checked and pass, the malware then will delay the execution of the next line about 30min to 120min. Figure 7: Sunburst check for domain-joined In figure 7, Sunburst also checks if the victim is joined to an Active Directory domain. Those blacklisted AD domains as follows: Figure 8: Hashes of blacklisted domain The next lines of codes will be executed if the current victim does not join the blacklisted AD domains. These encoded strings have been brute-forced by FireEye to determine what are the decoded result of these encoded strings. Refer [SolarWinds/SunBurst FNV-1a-XOR hash founds analysis spreadsheet shared by FireEye.](https://docs.google.com/spreadsheets/d/1u0_Df5OMsdzZcTkBDiaAtObbIOkMa5xbeXdKk_k0vWs/edit#gid=0) 1. swdev.local 2. emea.sales 3. pci.local 4. apac.lab 5. swdev.dmz ----- 6. cork.lab 7. saas.swi 8. dmz.local 9. lab.local 10. dev.local 11. lab.rio 12. lab.brno 13. lab.na 14. test 15. solarwinds The sample then performs another checking functionality to generate the user ID of the current victim as shown in figures 8 and 9. Figure 8: GetOrCreateUserID call Figure 9: GetOrCreateUserID code In figure 9, the user ID of the victim is built based on 3 values: 1. Network interface MAC address that is up and not a loopback device from the ReadDeviceInfo function 2. The domain name that contains in variable domain4 3. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid value After that, the user ID is encoded with the XOR MD5 of the value at line 424 to 434 shown in figure 9. ----- Figure 10: Method Update being invoke The backdoor then invokes method Update which main part of the backdoor resides in here. Figure 11: Snippet code of the Update method In the first part of the code, as shown in Figure 11, the backdoor begins the domain algorithm generation (DGA) things using class CryptoHelper. ----- Figure 12: Content of CryptoHelper Sunburst victims, who have been installed and infected by one of the malicious SolarWinds Orion software updates, will query for domain names. The part of the malicious code of the software update will construct and resolve a subdomain of avsvmcloud.com. The code generates those domain names by taking the victim's User ID and computer’s domain name and encoded it with a simple substitution cipher. These encoded strings of subdomains are then being concatenated with one of the following domains to create the hostname to resolve: **_.appsync-api.eu-west-1[.]avsvmcloud[.]com_** **_.appsync-api.us-west-2[.]avsvmcloud[.]com_** **_.appsync-api.us-east-1[.]avsvmcloud[.]com_** **_.appsync-api.us-east-2[.]avsvmcloud[.]com_** The example of the generated and encoded C2 domain name as follows: **_02m6hcopd17p6h450gt3.appsync-api.us-west-2.avsvmcloud.com_** **_06o0865eliou4t0btvef0b12eu1.appsync-api.us-east-1.avsvmcloud.com_** **_04spiistorug1jq5o6o0.appsync-api.us-west-2.avsvmcloud.com_** **_060mpkprgdk087ebcr1jov0te2h.appsync-api.us-east-1.avsvmcloud.com_** The subdomains highlighted above are the encoded User ID and computer’s domain name which can be [decoded using tools from Netresec.](https://www.netresec.com/?page=Blog&month=2020-12&post=Reassembling-Victim-Domain-Fragments-from-SUNBURST-DNS) After generated the domain, Sunburst continues invoking another important method called UpdateNotification. ----- Figure 13: UpdateNotification invoked. Figure 14: Check is there any blacklisted process running In this method, the backdoor check for the blacklisted processes running based on Figure 14. If there is a blacklisted process running, the backdoor will exit the code. If we deep dive into the method, we can see three important sub-method which are SearchAssemblies, SearchServices, and SearchConfiguration. Figure 15: Identify AV, EDR, tools, and drivers The backdoor uses several blocklists to identify anti-virus and endpoint detection response processes, drivers, and services. It also checks for any forensic and malware analysis tools in these three functions. **SearchAssemblies = Processes of malware analysis and forensics tools** _SearchServices = Anti-Virus and EDR services_ **_SearchConfiguration = Anti-Virus and EDR drivers_** ----- Below figures (Figure 16-19) show the hashes of the blacklisted process of malware analysis and forensics tools, AV and EDR services, and drivers: Figure 16: The processes hashes included in the field assemblyTimeStamps Figure 17: List of the blacklisted malware analysis and forensics tools hashes. ----- Figure 16: The services hashes included in the field svcList Figure 17: List of the blacklisted AV and EDR services hashes. ----- Figure 18: The drivers hashes included in the field configTimeStamps The backdoor retrieves all the driver listing via the WMI query Select * From Win32_SystemDriver as shown in figure 18. The drivers hashes are included in the field configTimeStamps. Figure 19: List of the blacklisted AV and EDR drivers hashes. [All the decoded version of the encoded hashes can be checked here. Thanks to the FireEye team!](https://docs.google.com/spreadsheets/d/1u0_Df5OMsdzZcTkBDiaAtObbIOkMa5xbeXdKk_k0vWs/edit#gid=0) ----- Figure 20: Bruteforced blacklist hashes spreadsheet Next, in the while loop, the sample check for the processes, services, and drivers again. If the victims do not have the indicator of the blacklisted processes, services, and drivers, the backdoor continues to execute the following codes. Figure 21: Check for the process again Continue investigation of the code at line 222 as we see the backdoor trying to get the AdressFamily of the victim and decide its decision in the switch case after that shown in figure 22. ----- Figure 22: Switch case of socket AddressFamily Netbios The Command and Control beaconing is starting from here. If the AddressFamily is NetBios the backdoor will either initiate the C2 beaconing or continue the command and control beaconing which we can see at line 248 in Figure 22 where method Initialize being invoked. ----- Figure 23: C2 things in Initialize method Supported commands for the C2 can be view in the JobEngine field as shown as follow in figure 24. ----- Figure 24: JobEngine contains the supported command of the Command and Control Once the Sunburst is gained access to the victim machine, depending on the objectives of the actor, any malicious actions and activities can be executed like stealing sensitive data, source codes, etc. ## Conclusion The cyberattack of this campaign is a highly skilled adversary. The threat actors behind this cyber attack campaign got access to numerous organizations around the world including Malaysia's organizations. Every organization in the world that using SolarWind’s Orion IT monitoring and management software must be alerted with this campaign to take precautions for this matter as the attack still ongoing right now. ## IOC The following SHA256 hashes are associated with Sunburst DLL files: e0b9eda35f01c1540134aba9195e7e6393286dde3e001fce36fb661cc346b91d ----- a58d02465e26bdd3a839fd90e4b317eece431d28cab203bbdde569e11247d9e2 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77 ffdbdd460420972fd2926a7f460c198523480bc6279dd6cca177230db18748e8 b8a05cc492f70ffa4adcd446b693d5aa2b71dc4fa2bf5022bf60d7b13884f666 20e35055113dac104d2bb02d4e7e33413fae0e5a426e0eea0dfd2c1dce692fd9 0f5d7e6dfdd62c83eb096ba193b5ae394001bac036745495674156ead6557589 cc082d21b9e880ceb6c96db1c48a0375aaf06a5f444cb0144b70e01dc69048e6 ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134 ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6 2b3445e42d64c85a5475bdbc88a50ba8c013febb53ea97119a11604b7595e53d 92bd1c3d2a11fc4aba2735d9547bd0261560fb20f36a0e7ca2f2d451f1b62690 a3efbc07068606ba1c19a7ef21f4de15d15b41ef680832d7bcba485143668f2d a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600 c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71 The following domain names are associated with Sunburst cyber-attack campaign: avsvmcloud[.]com databasegalore[.]com deftsecurity[.]com digitalcollege[.]org freescanonline[.]com globalnetworkissues[.]com highdatabase[.]com incomeupdate[.]com kubecloud[.]com lcomputers[.]com mobilnweb[.]com panhardware[.]com seobundlekit[.]com solartrackingsystem[.]net thedoccloud[.]com virtualwebdata[.]com webcodez[.]com websitetheme[.]com zupertech[.]com ## Reference 1. https://www.fireeye.com/blog/threat-research/2020/12/sunburst-additional-technical-details.html 2. https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply chain-compromises-with-sunburst-backdoor.html 3. https://docs.google.com/spreadsheets/d/1u0_Df5OMsdzZcTkBDiaAtObbIOkMa5xbeXdKk_k0vWs/edit#gid=0 ----- 4. https://labs.sentinelone.com/solarwinds sunburst backdoor inside the stealthy apt campaign/ 5. Colin Hardy videos on Sunburst on Youtube -----