SolarWinds hackers smear their bytes in HTTP traffic via regular expressions

A valid digital signature on a DLL with a built-in backdoor

Almost all the specialized media reported on the hacking of SolarWinds software as part of a global cyber espionage campaign. To understand the scale of the attack: this software for monitoring IT infrastructure (CPU, RAM, network) is used by thousands of private companies and government agencies, including the NSA, the Pentagon, the State Department, and so on, 300,000 clients worldwide in total (this page has already been removed from the official SolarWinds website; the link is a copy from the web archive).

The most interesting aspects of this attack are: 1) the insertion of a backdoor into SolarWinds updates and 2) the original mechanism for hiding data in the SolarWinds program's own service HTTP traffic. In a nutshell, we describe the steganography (covert signaling) method that was used here.

FireEye published selected details about the attack in a report dated December 13, 2020. This American company is supposed to protect its customers’ networks from such sabotage, but in the end it was itself hacked along with them.

Some of SolarWinds’ customers:

Key facts

  • The backdoor was discovered only seven months after the start of the attack; it was codenamed SUNBURST. Given the scale of the infection, this is a serious failure of the antivirus companies.
  • The infected DLL was distributed with updates to the SolarWinds Orion platform, which is used to monitor the corporate network.

    SolarWinds Orion Platform

Valid digital signature

The backdoor was found in the library SolarWinds.Orion.Core.BusinessLayer.dll, which is signed with a valid digital signature of the company SolarWinds Worldwide, LLC (screenshot above).

In particular, a number of updates to the SolarWinds Orion program from March to May 2020 were infected, and they were distributed with a valid digital signature.

It was a standard Windows Installer Patch file with all the usual resources, including the infected library SolarWinds.Orion.Core.BusinessLayer.dll… After installation, the library was loaded into memory as normal by the regular executable SolarWinds.BusinessLayerHost.exe.

Microsoft specialists explained that the attackers “used local hacking [on-premises compromise] to access the organization’s trusted SAML token signing certificate [SolarWinds]… This allowed them to spoof SAML tokens for all existing users and accounts of the organization, including highly privileged ones.” Apparently, this refers to physical penetration into the company’s office (on-premises compromise).

Unique features

  • A Domain Generation Algorithm (DGA) was used to generate subdomains and modify DNS queries. The Trojan sent a request to resolve a subdomain of avsvmcloud[.]com, and the DNS response contained a CNAME record pointing to the C&C server.
  • All traffic was disguised as Orion Improvement Program (OIP) service protocol traffic passing through the SolarWinds API. Thus, antiviruses and firewalls could not distinguish backdoor activity from genuine SolarWinds activity.
  • The backdoor code was embedded in standard software components.


And here’s the most interesting part – how exactly the backdoor masked its packets in normal network traffic:

The malware used HTTP GET or HTTP HEAD requests to receive data, and HTTP PUT or HTTP POST to send data. PUT was used when the payload was less than 10,000 bytes; otherwise POST was used. The If-None-Match HTTP header contains an encoded representation of the previously computed userID, with a random array of bytes of the same length appended.

The JSON payload in HTTP POST and PUT requests contains the keys userId, sessionId, and steps. Data messages to be sent to the server are compressed with DEFLATE and XORed with a single byte. Each message is individually Base64-encoded.

In the observed traffic, the HTTP response bodies are hidden behind benign XML associated with .NET assemblies… But in reality the data is spread across many GUID and HEX strings. Commands are retrieved from HTTP response bodies by searching for hex strings with the following regular expression: {[0-9a-f-]{36}}"|"[0-9a-f]{32}"|"[0-9a-f]{16}… The command data is spread over several strings, disguised as GUID and HEX values. All matching substrings in the response are filtered for non-HEX characters, concatenated, and HEX-decoded. The first DWORD value indicates the actual message size, immediately followed by the message and then optional junk bytes. The extracted message is decoded with a 1-byte XOR using the first byte of the message, and then DEFLATE-decompressed. The first character is an ASCII integer corresponding to the JobEngine command, with optional additional arguments separated by spaces.
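To make the extraction scheme above concrete for anyone analysing captured traffic, here is an added Python example (not code from the original article, from FireEye or from SolarWinds) that reconstructs the hidden command from a response body exactly in the order the paragraph describes: regex match, strip non-hex characters, concatenate, hex-decode, read the size DWORD, single-byte XOR with the first message byte, DEFLATE, then parse the command digit and its arguments. A fixture builder is included only so the decoder can be run offline on a constructed sample body. Assumptions not stated on the page: the regex is the full form with quotes and escaped braces (the page's copy is truncated), the DWORD is little-endian, the DEFLATE stream is raw (no zlib header), and the XOR key byte is stored in clear as the first byte of the message.

```python
import re
import struct
import zlib

# Regex quoted on the page from the FireEye report; quotes and brace escapes
# restored (assumption: the page's copy is truncated). Matches GUID-shaped,
# 32-hex and 16-hex quoted strings such as those found in .NET assembly XML.
HEX_STRING_RE = re.compile(r'"\{[0-9a-f-]{36}\}"|"[0-9a-f]{32}"|"[0-9a-f]{16}"')


def xor_with_key(data, key):
    """Single-byte XOR, as the page describes for the message body."""
    return bytes(b ^ key for b in data)


def decode_response(body):
    """Recover (command_id, args) hidden in an HTTP response body.

    Assumptions (not on the page): little-endian size DWORD, raw DEFLATE,
    key byte stored in clear as the first byte of the message.
    """
    matches = HEX_STRING_RE.findall(body)
    # Filter out non-hex characters (GUID dashes, quotes, braces) and join.
    hexdata = "".join(re.sub(r"[^0-9a-f]", "", m) for m in matches)
    raw = bytes.fromhex(hexdata)
    if len(raw) < 5:
        raise ValueError("no hidden message found")
    (size,) = struct.unpack("<I", raw[:4])      # first DWORD: real message size
    message = raw[4:4 + size]                     # everything after it is junk
    if len(message) != size:
        raise ValueError("truncated message")
    key = message[0]
    inflated = zlib.decompress(xor_with_key(message[1:], key), wbits=-15)
    text = inflated.decode("ascii")
    command_id = int(text[0])                     # ASCII digit = JobEngine command
    args = text[1:].split()                       # optional space-separated args
    return command_id, args


def build_sample_response(command, key=0x5A):
    """Constructed fixture for testing the decoder: hides `command` inside
    benign-looking assembly XML following the page's description. Junk bytes
    are a fixed 0xAB fill so the output is deterministic."""
    comp = zlib.compressobj(level=9, wbits=-15)   # raw DEFLATE (assumption)
    compressed = comp.compress(command.encode("ascii")) + comp.flush()
    message = bytes([key]) + xor_with_key(compressed, key)
    blob = struct.pack("<I", len(message)) + message
    blob += bytes([0xAB]) * ((-len(blob)) % 16)   # junk so hex splits into 32-char chunks
    hexdata = blob.hex()
    chunks = [hexdata[i:i + 32] for i in range(0, len(hexdata), 32)]
    # First chunk dressed up as a GUID, the rest as plain 32-hex "tokens".
    g = chunks[0]
    values = ['"{%s-%s-%s-%s-%s}"' % (g[:8], g[8:12], g[12:16], g[16:20], g[20:])]
    values += ['"%s"' % c for c in chunks[1:]]
    lines = ["<assemblies>"]
    for i, v in enumerate(values):
        lines.append('  <assembly name="Lib%d" token=%s />' % (i, v))
    lines.append("</assemblies>")
    return "\n".join(lines)


if __name__ == "__main__":
    body = build_sample_response("4 alpha beta")   # constructed sample
    print(body)
    print(decode_response(body))                    # -> (4, ['alpha', 'beta'])
```

Run the block to see a sample body and the command recovered from it. For an analyst, the useful part is decode_response: pointed at response bodies pulled from a proxy log or packet capture, it turns the scattered GUID/HEX strings back into the command the backdoor would have executed, which is what the published detection rules and FireEye's analysis are built around.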


In the case of such advanced attacks, it is impossible to identify the developers of the program with certainty. Researchers make assumptions based on overlaps between the code and previously discovered hacking tools, as well as on who exactly was the victim of the espionage.

For example, Iranian uranium enrichment facilities were damaged in 2010. The very advanced Stuxnet malware slightly changed the rotation speed of the installations – and eventually disabled them. Accordingly, it is logical to assume that the customers and developers of the malware were the US and Israeli intelligence services, because these countries systematically try to prevent the manufacture of nuclear weapons in Iran, not always by diplomatic means.

As for the SUNBURST backdoor, it is more likely attributed to Russian hackers from the APT29 (Cozy Bear) group, based on the ingenuity of the techniques used, the choice of targets and the physical penetration into the victim’s office. The customer and the contractor, however, are not known for certain.

Snort rules to detect and block SUNBURST traffic have been published in the public domain.
