A quirk in the SUNBURST DGA algorithm
On December 16, the RedDrip Team from QiAnXin Technology released their findings regarding the random-looking subdomains associated with the SUNBURST malware in SolarWinds Orion. They discovered that the DNS queries are built by combining a unique GUID (derived from hashing the hostname and MAC address) with a payload, which is a custom base32 encoding of the hostname. The team also found that long domains are split across multiple queries, where the second part is much shorter and unlikely to include a '.'; because the decoder relies on that '.' to recognise a valid domain, it ignores many of the recorded DGA domains. They provided Python code for encoding and decoding the queries, including handling the random characters inserted into the queries at regular character intervals. The team also identified that the first 15 bytes of the encoded query are a GUID used to associate the parts of a multipart message.
Company: Cloudflare
Date published: Dec. 18, 2020
Author(s): Nick Blazier, Jesse Kipp
Word count: 1242
Hacker News points: 2
Language: English