SolarWinds Attack: Sunburst's DLL Technical Analysis
Posted by Fareed Fauzi
In late 2020, various sources disclosed a sophisticated attack that hit organizations through the SolarWinds supply chain. The attack was delivered via a compromised version of SolarWinds Orion carrying a backdoor that has been named “Sunburst”. Once the update (which includes the malicious DLL) is installed, the malicious DLL is imported and loaded by the legitimate SolarWinds.BusinessLayerHost.exe executable.
Sunburst is a trojanized version of a digitally signed SolarWinds Orion plugin named SolarWinds.Orion.Core.BusinessLayer.dll. The malicious DLL contains backdoor code that communicates from the victim’s system over HTTP with the attacker’s command and control server. Once initiated, the malicious code gives the attacker full access to the victim: it can retrieve and execute commands that instruct the backdoor to transfer files, execute code remotely, profile the victim’s system information, and take complete control over the affected system.
File type: Dynamic Link Library
The malicious code that the attacker patched into the compromised DLL resides in OrionImprovementBusinessLayer.Initialize, where all the malicious subfunctions are started. Initialize is invoked at line 119 by the parent function RefreshInternal, as shown in Figure 1 below.
Figure 1: Invoking of Initialize function
In the Initialize method in Figure 2 below, we can see that the code checks whether the current process executable is solarwinds.businesslayerhost, using a hash of the current process generated by the function GetHash.
Figure 2: Check if the current process is solarwinds.businesslayerhost
The code uses the function GetHash to check the hash of the process. We will see GetHash often from here on, because the attacker uses it to obfuscate important strings. Looking into the GetHash subroutine shows how it works: the function uses the Fowler–Noll–Vo hash (FNV-1a) followed by an XOR, which we can look up on Wikipedia. Figures 3 and 4 below compare the algorithm being used.
Figure 3: GetHash function
Figure 3: Wikipedia's FNV-1a explained
The next thing to explain in the Initialize function is at lines 116 to 118 in Figure 4 below. At these lines, the malware waits about two weeks/12 days before it executes, to avoid detection of suspicious activity.
Figure 4: The malware waits for about 2 weeks to execute
After about 2 weeks, the malware executes the next line, where it creates the named pipe 583da945-62af-10e8-4902-a8f205c72b2e to ensure only one instance of the backdoor is running.
Figure 5: The sample creates named pipe
In Figure 5, after creating the named pipe, the sample checks the mode of operation as described by FireEye. If the mode returned is "Truncate", the malware terminates and exits.
Figure 6: Makes some delay execution
Once the Truncate mode check has passed, the malware delays execution of the next line by about 30 to 120 minutes.
Figure 7: Sunburst check for domain-joined
In Figure 7, Sunburst also checks whether the victim is joined to an Active Directory domain. The blacklisted AD domains are as follows:
Figure 8: Hashes of blacklisted domain
The next lines of code are executed if the current victim is not joined to one of the blacklisted AD domains. These encoded strings have been brute-forced by FireEye to determine their decoded values. Refer to the SolarWinds/SunBurst FNV-1a-XOR hash founds analysis spreadsheet shared by FireEye.
The sample then performs another check, generating the user ID of the current victim, as shown in Figures 8 and 9.
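The GetHash scheme and the dictionary recovery of its hashes described above, as an added example that is not code from the sample or from FireEye. The XOR key is the value reported in public Sunburst analyses and does not appear on this page; the tool names and the "extracted" hashes are constructed for the demonstration.

```python
# Added example: FNV-1a (64-bit) followed by a final XOR, plus dictionary
# recovery of hashed names. Not the sample's code.
FNV_OFFSET = 0xCBF29CE484222325  # standard FNV-1a 64-bit offset basis
FNV_PRIME = 0x100000001B3        # standard FNV-1a 64-bit prime
MASK64 = 0xFFFFFFFFFFFFFFFF
# Assumption: final XOR key as reported in public analyses (not on this page).
XOR_KEY = 6605813339339102567


def fnv1a64(data: bytes) -> int:
    """Plain FNV-1a: XOR each byte in, then multiply by the prime (mod 2^64)."""
    h = FNV_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV_PRIME) & MASK64
    return h


def get_hash(name: str) -> int:
    """Hash a string the way the page describes GetHash: FNV-1a, then XOR."""
    return fnv1a64(name.encode("utf-8")) ^ XOR_KEY


def recover(hashes, wordlist):
    """Map each hash to the lower-cased candidate that produces it, or None."""
    table = {get_hash(w.lower()): w.lower() for w in wordlist}
    return {h: table.get(h) for h in hashes}


def demo():
    # Constructed stand-ins for hashes read out of the decompiled DLL.
    extracted = [get_hash("debugger-a"), get_hash("sniffer-b"),
                 get_hash("tool-missing-from-wordlist")]
    # Constructed candidate wordlist; real work uses large tool/vendor lists.
    candidates = ["Debugger-A", "Sniffer-B", "notepad", "explorer"]
    return recover(extracted, candidates)


if __name__ == "__main__":
    print(get_hash("solarwinds.businesslayerhost"))  # process name from the page
    for h, name in demo().items():
        print(f"{h:>20}  {name or '<not in wordlist>'}")
```

Hashes that stay unresolved after a wordlist pass are the ones that need a larger dictionary or brute force, which is why the shared spreadsheet is useful.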
Figure 9: GetOrCreateUserID code
In figure 9, the user ID of the victim is built based on 3 values:
- The MAC address of a network interface that is up and is not a loopback device, from the ReadDeviceInfo function
- The domain name contained in the variable domain4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid value
After that, the user ID is encoded using an XOR over the MD5 of the value, at lines 424 to 434 shown in Figure 9.
Figure 10: Method Update being invoked
The backdoor then invokes the method Update, where the main part of the backdoor resides.
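An added example (not the sample's code) of how a responder can recompute this ID for each inventoried host and match it against IDs decoded from DNS logs. The bare upper-case MAC format, the concatenation order, and the folding of the 16-byte MD5 into 8 bytes are assumptions based on public analyses; the inventory rows are constructed.

```python
import hashlib


def sunburst_user_id(mac: str, domain: str, machine_guid: str) -> bytes:
    """Derive the 8-byte user ID from the three inputs listed above."""
    # Assumption: MAC as bare upper-case hex, inputs joined in list order.
    mac = mac.replace(":", "").replace("-", "").upper()
    digest = hashlib.md5((mac + domain + machine_guid).encode("ascii")).digest()
    uid = bytearray(8)
    # Assumption: the 16-byte MD5 is XOR-folded into 8 bytes.
    for i, b in enumerate(digest):
        uid[i % 8] ^= b
    return bytes(uid)


def attribute(decoded_ids, inventory):
    """Map hex user IDs decoded from DNS logs to hosts in the asset inventory."""
    known = {
        sunburst_user_id(h["mac"], h["domain"], h["guid"]).hex(): h["host"]
        for h in inventory
    }
    return {uid: known.get(uid.lower()) for uid in decoded_ids}


# Constructed inventory rows (not real hosts).
INVENTORY = [
    {"host": "orion-01", "mac": "00:11:22:AA:BB:01", "domain": "corp.example",
     "guid": "11111111-2222-3333-4444-555555555555"},
    {"host": "orion-02", "mac": "00-11-22-aa-bb-02", "domain": "corp.example",
     "guid": "66666666-7777-8888-9999-000000000000"},
]

if __name__ == "__main__":
    # Constructed "decoded" IDs: one that belongs to orion-01, one unknown.
    seen = [
        sunburst_user_id("001122AABB01", "corp.example",
                         "11111111-2222-3333-4444-555555555555").hex(),
        "00" * 8,
    ]
    for uid, host in attribute(seen, INVENTORY).items():
        print(uid, host or "<unknown host>")
```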
Figure 11: Snippet code of the Update method
In the first part of the code, as shown in Figure 11, the backdoor begins its domain generation algorithm (DGA) logic using the class CryptoHelper.
Figure 12: Content of CryptoHelper
Sunburst victims, who have installed and been infected by one of the malicious SolarWinds Orion software updates, will query for domain names. Part of the malicious code in the software update constructs and resolves a subdomain of avsvmcloud.com.
The code generates those domain names by taking the victim's User ID and the computer’s domain name and encoding them with a simple substitution cipher. The encoded subdomain strings are then concatenated with one of the following domains to create the hostname to resolve:
An example of a generated and encoded C2 domain name is as follows:
The subdomains highlighted above are the encoded User ID and computer’s domain name, which can be decoded using tools from Netresec.
After generating the domain, Sunburst goes on to invoke another important method called UpdateNotification.
Figure 13: UpdateNotification invoked.
In this method, the backdoor checks for running blacklisted processes, based on Figure 14. If a blacklisted process is running, the backdoor exits. If we deep dive into the method, we can see three important sub-methods: SearchAssemblies, SearchServices, and SearchConfiguration.
The backdoor uses several blocklists to identify anti-virus and endpoint detection and response processes, drivers, and services. It also checks for forensic and malware analysis tools in these three functions.
SearchAssemblies = Processes of malware analysis and forensics tools
SearchServices = Anti-Virus and EDR services
SearchConfiguration = Anti-Virus and EDR drivers
The figures below (Figures 16-19) show the hashes of the blacklisted malware analysis and forensics tool processes, AV and EDR services, and drivers:
Figure 16: The process hashes included in the field assemblyTimeStamps
Figure 17: List of the blacklisted malware analysis and forensics tools hashes.
Figure 18: The driver hashes included in the field configTimeStamps
The backdoor retrieves the full driver listing via the WMI query Select * From Win32_SystemDriver, as shown in Figure 18. The driver hashes are included in the field configTimeStamps.
Figure 19: List of the blacklisted AV and EDR drivers hashes.
The decoded versions of all the encoded hashes can be checked here. Thanks to the FireEye team!
Figure 20: Bruteforced blacklist hashes spreadsheet
Next, in the while loop, the sample checks for the processes, services, and drivers again. If the victim shows no indicator of the blacklisted processes, services, and drivers, the backdoor continues to execute the following code.
Figure 21: Check for the process again
Continuing the investigation at line 222, we see the backdoor get the AddressFamily of the victim and make its decision in the switch case that follows, shown in Figure 22.
Figure 22: Switch case of socket AddressFamily Netbios
The command and control beaconing starts here. If the AddressFamily is NetBios, the backdoor either initiates the C2 beaconing or continues it, which we can see at line 248 in Figure 22, where the method Initialize is invoked.
Figure 23: C2 things in Initialize method
The supported C2 commands can be viewed in the JobEngine field, as shown in Figure 24.
Figure 24: JobEngine contains the supported command of the Command and Control
Once Sunburst has gained access to the victim machine, depending on the objectives of the actor, any malicious action can be carried out, such as stealing sensitive data, source code, etc.
The actor behind this campaign is a highly skilled adversary. The threat actors behind this cyber attack campaign got access to numerous organizations around the world, including organizations in Malaysia. Every organization in the world that uses SolarWinds' Orion IT monitoring and management software must be alert to this campaign and take precautions, as the attack is still ongoing right now.
The following SHA256 hashes are associated with Sunburst DLL files:
The following domain names are associated with Sunburst cyber-attack campaign:
- Colin Hardy videos on Sunburst on Youtube