As described in the first part of our analysis, the DGA (Domain Generation Algorithm) of the Sunburst backdoor produces a domain name that may look like:
The first part of the domain name (before the first dot) consists of a 16-character random string, appended with an encoded computer's domain name. This is the domain in which the local computer is registered.
From the example string above, we can conclude that the encoded computer's domain starts from the 17th character and up until the dot (highlighted in yellow):
In order to encode a local computer's domain name, the malware uses one of 2 simple methods:
In our example, the encoded domain name is "n2huov". As it does not have any capital letters, the malware encodes it with a substitution table "rq3gsalt6u1iyfzop572d49bnx8cvmkewhj".
For each character in the domain name, the encoder replaces it with a character located in the substitution table four characters right from the original character.
In order to decode the name back, all we have to do is to replace each encoded character with another character, located in the substitution table four characters left from the original character.
To illustrate this method, imagine that the original substitution table is printed on a paper strip and then covered with a card with 6 perforated windows. Above each window, there is a sticker note with a number on it, to reflect the order of characters in the word "n2huov", where 'n' is #1, '2' is #2, 'h' is #3 and so on:
Once the paper strip is pulled by 4 characters right, the perforated windows will reveal a different word underneath the card: "domain", where 'd' is #1, 'o' is #2, 'm' is #3, etc.:
A special case is reserved for such characters as '0', '-', '_', '.'. These characters are encoded with '0', followed with a character from the substitution table. An index of that character in the substitution table, divided by 4, provides an index within the string "0_-.".
The following snippet in C# illustrates how an encoded string can be decoded:
This method is a standard base64 encoder with a custom alphabet "ph2eifo3n5utg1j8d94qrvbmk0sal76c".
Here is a snippet in C# that provides a decoder:
When the malware encodes a domain using Method 2, it prepends the encrypted string with a double zero character: "00".
Following that, extracting a domain part of an encoded domain name (long form) is as simple as:
Once the domain part is extracted, the decoded domain name can be obtained by using Method 1 or Method 2, as explained above:
To see the decoder in action, let's select 2 lists:
Bambenek Consulting has provided a list of observed hostnames for the DGA domain.
NOTE: This list is fairly 'noisy', as it has non-decodable domain names.
By feeding both lists to our decoder, we can now obtain a list of decoded domains, that could have been generated by the victims of the Sunburst backdoor.
DISCLAIMER: It is not clear if the provided lists contain valid domain names that indeed belong to the victims. It is quite possible that the encoded domain names were produced by third-party tools, sandboxes, or by researchers that investigated and analysed the backdoor.
The decoded domain names are provided purely as a reverse engineering exercise. The resulting list was manually processed to eliminate noise, and to exclude duplicate entries. Following that, we have made an attempt to map the obtained domain names to the company names, using Google search. Reader's discretion is advised as such mappings could be inaccurate.