SUNBURST Malware Used Digital Steganography

In what has become a recurring theme of several notably damaging, stealthy, and sophisticated malware samples in recent years, the security firm FireEye recently reported that the SUNBURST malware that compromised the SolarWinds Orion security software employed anti-forensic techniques such as digital steganography to obscure its network traffic between infected hosts and the command and control (C2) server (CISA, 2020). The intent of this article is not to explain what digital steganography is but rather to discuss how it was used in the recent SolarWinds Orion compromise. For an in-depth explanation of what digital steganography is and how it works (i.e., “abuse of system features”), please refer to the additional resource links.
The MITRE ATT&CK Framework lists steganography as a data obfuscation technique, specifically ID: T1027.003. Steganography has been employed as a malware obfuscation technique by several Advanced Persistent Threat (APT) groups, including APT29 (also known as UNC2452, Dark Halo, Cozy Bear, and The Dukes). The APT29 threat actor previously employed steganography in its PolyglotDuke, PowerDuke, and RegDuke malware (MITRE, 2020).

The various names used to identify specific cyber threat actors are less important than being able to identify and recognize the tell-tale digital fingerprints of a specific group’s malware. False flags in malware code and proxy servers make cyberattack or exploitation attribution far from an exact science. However, it can help when digital forensics investigators compare malware code samples and consider other contributing factors such as political motives and which adversaries are likely to have the technical skill to pull off such an attack.

It should be noted that there are several different groups that could have executed this supply chain attack. The fact that preliminary attribution points to the APT29 Russian threat group is an indication that there are, in fact, other clues and evidence that forensic investigators have discovered that fingerprint them. However, prematurely assigning definitive attribution is always a mistake.
MITRE describes steganography as a “type of attack technique [that] cannot be easily mitigated with preventive controls since it is based on the abuse of system features” (MITRE, 2020). Detection is also “…difficult unless artifacts are left behind by the obfuscation process that [is] detectable with a known signature” (MITRE, 2020). An excerpt from a FireEye threat research report revealed that SUNBURST employs steganography using the following method:
“In observed traffic these HTTP response bodies attempt to appear like benign XML related to .NET assemblies, but command data is actually spread across the many GUID and HEX strings present. Commands are extracted from HTTP response bodies by searching for HEX strings using the following regular expression: `"\{[0-9a-f-]{36}\}"|"[0-9a-f]{32}"|"[0-9a-f]{16}"`. Command data is spread across multiple strings that are disguised as GUID and HEX strings. All matched substrings in the response are filtered for non HEX characters, joined together, and HEX-decoded. The first DWORD value shows the actual size of the message, followed immediately with the message, with optional additional junk bytes following. The extracted message is single-byte XOR decoded using the first byte of the message, and this is then DEFLATE decompressed. The first character is an ASCII integer that maps to the JobEngine enum, with optional additional command arguments delimited by space characters” (FireEye, 2020).
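To make the quoted decoding chain concrete, here is an added example (not code from the article, FireEye, or SolarWinds) written from an analyst's side: a parser that walks a captured response body through the regex, hex-join, length DWORD, XOR and DEFLATE steps, plus a constructed fixture builder so it can be checked offline. Assumptions not stated in the excerpt: the XOR key byte is a prefix that is not itself part of the compressed payload, the size DWORD is little-endian, and the fake XML layout and command values are invented for the test.

```python
import re
import struct
import zlib
from typing import List, Tuple

# Regex quoted in the FireEye excerpt: GUID-shaped strings and 32/16-char hex runs.
TOKEN_RE = re.compile(r'"\{[0-9a-f-]{36}\}"|"[0-9a-f]{32}"|"[0-9a-f]{16}"')

def extract_command(body: str) -> Tuple[int, List[str]]:
    """Recover (JobEngine value, arguments) from one SUNBURST-style response body."""
    # 1. collect every GUID/HEX token, drop non-hex characters, join and hex-decode
    hexdigits = "".join(re.sub(r"[^0-9a-f]", "", t) for t in TOKEN_RE.findall(body))
    blob = bytes.fromhex(hexdigits)
    # 2. leading DWORD (assumed little-endian) is the real length; the rest is junk
    (size,) = struct.unpack_from("<I", blob, 0)
    msg = blob[4:4 + size]
    if len(msg) != size:
        raise ValueError("response body does not carry a complete message")
    # 3. single-byte XOR keyed by the first byte (assumption: that byte is a prefix,
    #    not payload), then raw DEFLATE (negative wbits = no zlib header/trailer)
    key, payload = msg[0], msg[1:]
    text = zlib.decompress(bytes(b ^ key for b in payload), wbits=-15).decode("ascii")
    # 4. first character is the ASCII digit of the JobEngine value; rest are arguments
    return int(text[0]), text[1:].split()

def build_sample_body(job: int, args: List[str], key: int = 0x5A) -> str:
    """Constructed fixture: hide a command in fake .NET-assembly-like XML so the
    decoder above can be exercised without real traffic (layout is invented)."""
    co = zlib.compressobj(level=9, method=zlib.DEFLATED, wbits=-15)
    deflated = co.compress(f"{job} {' '.join(args)}".encode("ascii")) + co.flush()
    msg = bytes([key]) + bytes(b ^ key for b in deflated)
    hx = (struct.pack("<I", len(msg)) + msg + b"\xde\xad").hex()  # trailing junk
    hx += "0" * (-len(hx) % 16)  # pad so every chunk is a full 16/32-char token
    tokens = []
    while len(hx) >= 32:  # 32 hex chars dressed up as a GUID attribute value
        h, hx = hx[:32], hx[32:]
        tokens.append(f'Guid="{{{h[:8]}-{h[8:12]}-{h[12:16]}-{h[16:20]}-{h[20:]}}}"')
    if hx:  # a remaining 16 chars become a bare hex attribute value
        tokens.append(f'Token="{hx}"')
    inner = "".join(f'<Type {t} Version="1.0.0.0"/>' for t in tokens)
    return f'<Assembly Name="Example.Assembly"><Types>{inner}</Types></Assembly>'

if __name__ == "__main__":
    body = build_sample_body(5, ["sample-arg", "42"])
    print(extract_command(body))  # (5, ['sample-arg', '42'])
```

Detection follows from the same steps: a proxy or IDS rule can flag response bodies whose GUID/hex attribute values hex-decode to a leading DWORD that matches the remaining length, which benign assembly metadata never does.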
Having studied digital steganography for several years, I find the technique employed by the SUNBURST threat actor different from what we’ve typically seen as security researchers. Typically, I’ve seen threat actors employ Least Significant Bit (LSB) image-based steganography, where they encode and sometimes encrypt their malware or C2 communications within images or icons. However, in this particular instance, it appears that the threat actor used a complicated encoding and decoding process to evade anti-virus detection that involved HEX strings, HTTP responses, XOR’ing the message, and using ASCII integers to further obfuscate commands involving the various SUNBURST malware stages of the attack. Honestly, I think the technique is borderline not steganography but rather a clever 64-bit hashing algorithm that incorporates an XOR step. If we’re going to call it steganography, then it is certainly a unique form of it.
The MITRE ATT&CK Framework lumps all of the various steganography techniques into one neat little ID, but I believe the SUNBURST technique is a unique twist on previous techniques employed by other threat actors. Also, if APT29 is responsible for creating SUNBURST, then it is consistent with “The Dukes” malware, which has previously employed digital steganography in several different instances, as I’ve highlighted in yellow (above). Incorporating steganography into malware to obfuscate the existence of certain aspects of the malware, such as communication between the infected host and the C2 server, is highly effective. It makes the malware very difficult for anti-virus software to detect. If it weren’t effective, it wouldn’t have eluded detection for nearly 9 months until FireEye discovered the network intrusion on their systems.

In conclusion, SUNBURST is yet another high-profile case in which digital steganography was used by cyber threat actors to obfuscate some aspect of malware. Steganography is hugely relevant in today’s cyber threat landscape and needs to be recognized for the massive threat that it is. Until such time as this threat is taken seriously and significant changes to the file system structures and the various internet protocols used are made, you can expect to see plenty more steganographic techniques to obfuscate malware in the future.
Additional Resources:
References:
CISA. (2020, December 17). Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations. Retrieved from https://us-cert.cisa.gov/ncas/alerts/aa20-352a
FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved from https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
MITRE. (2020, February 5). Obfuscated Files or Information: Steganography. Retrieved from https://attack.mitre.org/versions/v8/techniques/T1027/003/
Williams, M., Sikorski, M., Berry, A., Wallace, R. (2020, December 24). SUNBURST Additional Technical Details. Retrieved from https://vulners.com/fireeye/FIREEYE:2A706D794A6D97FD69260066F75CA273