SolarWinds: How Sunburst Sends Data Back to the Attackers


In our previous blog we described how the attackers controlled the Sunburst malware and detailed a variety of commands that result in data being sent back to the threat actors. The next technique to discuss is how Sunburst actually transmits that data to the attackers.

When a command produces data that has to be returned to the attacker, Sunburst does not use the HTTP(S) GET request we described in our last blog; instead it issues an HTTP(S) POST request.

The URL paths Sunburst uses for these HTTP(S) POST requests are randomly generated, and they are different from the paths it uses for its HTTP(S) GET requests.
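As an added illustration (not code from the Symantec post, and not a Sunburst signature), the following Python sketches a hunting heuristic that follows from the behaviour described above: for each destination host, compare the paths seen in POST requests with the paths seen in GET requests, and flag hosts whose POST paths never overlap with their GET paths, are never reused, and contain a high-entropy (random-looking) segment. The log format, hostnames and path shapes are constructed for the example; the entropy threshold is an arbitrary assumption to tune against your own proxy data.

```python
"""Hunting heuristic for exfiltration over POST to random, single-use paths.

Added example: the log lines, hostnames and path shapes are constructed and
are NOT Sunburst indicators of compromise. The heuristic is a starting point
for hunting, not a signature.
"""
import math
import re
from collections import defaultdict

# Constructed proxy log lines: "<client-ip> <method> <scheme>://<host><path>"
SAMPLE_LOG = """\
10.0.0.5 GET https://updates.example-vendor.test/swupdate/manifest.xml
10.0.0.5 GET https://updates.example-vendor.test/swupdate/manifest.xml
10.0.0.5 POST https://updates.example-vendor.test/swupdate/manifest.xml
10.0.0.7 GET https://c2.example.test/a1e9f3b7c2d4/index.html
10.0.0.7 POST https://c2.example.test/9f2b7d1e6c0a5b3d/x
10.0.0.7 POST https://c2.example.test/4c8e2a9b0d7f1e6c/x
10.0.0.7 POST https://c2.example.test/b3d6f0a2e8c1/y
10.0.0.9 GET https://intranet.example.test/login
10.0.0.9 POST https://intranet.example.test/login
10.0.0.9 POST https://intranet.example.test/api/search
"""

LINE_RE = re.compile(r"^(\S+) (GET|POST|HEAD|PUT) https?://([^/\s]+)(/\S*)$")


def parse(log):
    """Yield (host, method, path) tuples from the constructed log format."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            _client, method, host, path = m.groups()
            yield host, method, path


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_post_hosts(log, min_entropy=3.0):
    """Return {host: [post paths]} for hosts where every POST path
    (a) never appears as a GET path to the same host,
    (b) is used exactly once, and
    (c) has at least one path segment with entropy >= min_entropy.
    Ordinary web apps fail (a) or (b): forms POST to a page that was also
    fetched with GET, and APIs POST to the same endpoint repeatedly."""
    gets = defaultdict(set)
    posts = defaultdict(list)
    for host, method, path in parse(log):
        if method == "GET":
            gets[host].add(path)
        elif method == "POST":
            posts[host].append(path)

    flagged = {}
    for host, paths in posts.items():
        if set(paths) & gets[host]:
            continue  # POST reuses a GET path: normal form-submission pattern
        if len(set(paths)) != len(paths):
            continue  # repeated POST endpoint: looks like a real API
        per_path_entropy = [
            max(shannon_entropy(seg) for seg in p.strip("/").split("/"))
            for p in paths
        ]
        if min(per_path_entropy) >= min_entropy:
            flagged[host] = sorted(paths)
    return flagged


if __name__ == "__main__":
    for host, paths in suspicious_post_hosts(SAMPLE_LOG).items():
        print(host)
        for p in paths:
            print("   ", p)
```

In a real environment you would feed this the proxy or web-gateway logs for the servers you care about and raise the threshold (or add a minimum POST count) until benign hosts drop out; the point is the comparison between POST and GET path sets per host, which the sentence above makes the distinguishing feature.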

Source: Symantec