When a Sunburst Turns Supernova – A Recent Solarigate Development
By: Amit Martsiano
In addition to the recent discoveries following the SolarWinds supply chain attack and the newly discovered SUNBURST backdoor, the investigation of the attack has led to the discovery of additional malware that also uses the SolarWinds Orion product as its delivery method, but that is unlikely to be related to the preceding unfolding event and appears to have been used by a different threat actor.
The malware, dubbed SUPERNOVA, consists of a small persistent backdoor in the form of a DLL file named App_Web_logoimagehandler.ashx.b6031896.dll. The attackers cleverly injected malicious C# code into this file so that it appeared as if the actual SolarWinds developers had written it. This was done to evade manual code review and automated tests, and it allows remote code execution through the SolarWinds web application server when triggered. The new malware uses several sophisticated and novel TTPs that imply the attackers are highly skilled.
The infected .dll receives malicious C# code from the C2 server.
The infected .dll, sitting inside the Orion platform web interface, functions as a backdoor for the hackers.
The malicious C# is executed in memory (DynamicRun) to hinder DFIR attempts and EDR detection.
The hackers can abuse all Windows features on endpoints within the Orion platform's scope that can be modified using the .NET API.
Further exploitation of endpoints inside the internal network.
What makes the Supernova web shell so unique is the fact that the malware creators have gone to great lengths to make sure this backdoor would remain hidden until they could flip the switch to use it. Although it did not have a digital signature, the complexity and attention to detail, operational security knowledge, and the uncommon execution method leave no room for doubt: the creators of this malware are Advanced Persistent Threat actors and certainly not script kiddies.
Unsurprisingly, the infected .dll maintains its normal function as it masquerades as a web service that retrieves the SolarWinds logo to be displayed in the Orion platform. Basically, it looks up a benign GIF image in the legitimate Orion DB. But when the malware receives the initial C2 request, things get interesting.
When the attacker sends C# code from the C2 server, the infected DLL handles it with one unique method crafted for the hackers' commands, named DynamicRun. Its main purpose is to receive a C# script from a web request, compile it on the fly, and execute it. The malicious code section is compiled and executed in memory, making it harder for EDR products to detect and leaving no forensic evidence for DFIR investigations. While this technique is not new in the malware world, seeing it implemented in web shell malware is very uncommon. Also, in most organizations the user that manages the Orion platform has high privileges and great visibility into the internal network, a smart choice by the APT group, since this approach avoids the use of privilege escalation code, which would carry a higher risk of detection by defense mechanisms.
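As an added illustration (not code from the original post or from Cynet), here is a detection heuristic a defender could run over IIS access logs for the Orion web server: the logo handler is only supposed to serve an image, so a request to it whose query string decodes to something that looks like C# source is out of place. The log lines, the handler URL path and the token patterns are all constructed assumptions for this example, not indicators published by SolarWinds or Cynet.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS-style access log lines (W3C fields used here:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status). Not real logs.
SAMPLE_LOG = """\
2020-12-14 09:01:11 10.0.0.5 GET /Orion/logoimagehandler.ashx id=1 200
2020-12-14 09:01:12 10.0.0.5 GET /Orion/logoimagehandler.ashx - 200
2020-12-14 09:02:40 198.51.100.7 GET /Orion/logoimagehandler.ashx x=using+System%3Bpublic+class+Run%7Bpublic+static+string+Go%28%29%7Breturn+%22hi%22%3B%7D%7D 200
2020-12-14 09:03:01 10.0.0.9 GET /Orion/Login.aspx ReturnUrl=%2fOrion 302
"""

# The handler only serves the product logo, so its query string should never
# resemble C# source. These patterns are an assumed heuristic for this example.
SOURCE_TOKENS = [
    re.compile(r"\busing\s+System\b"),
    re.compile(r"\b(public|private|static)\s+\w+"),
    re.compile(r"\bclass\s+\w+"),
    re.compile(r"\bnamespace\s+\w+"),
    re.compile(r"[{};]"),
]

def source_score(query):
    """Count how many C#-source patterns appear in a URL-decoded query string."""
    decoded = unquote_plus(query)
    return sum(1 for pat in SOURCE_TOKENS if pat.search(decoded))

def parse_line(line):
    """Split one constructed W3C log line into a record; IIS logs '-' for an empty query."""
    fields = line.split()
    if len(fields) < 7:
        return None
    date, time, client, method, stem, query, status = fields[:7]
    return {"time": f"{date} {time}", "client": client, "method": method,
            "stem": stem, "query": "" if query == "-" else query, "status": status}

def scan(log_text, min_score=2):
    """Return records for logo-handler requests whose query scores >= min_score."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["stem"].lower().endswith("logoimagehandler.ashx"):
            continue
        score = source_score(rec["query"])
        if score >= min_score:
            rec["score"] = score
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["client"]} score={hit["score"]} {hit["stem"]}')
```

Legitimate image requests with a short numeric query score zero, while the constructed third line, whose query decodes to a small C# class, is the only one flagged.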
There are 4 .NET parameters that were injected into the Orion DLL:
These parameters provide the attackers with the sophisticated functionality required to pull off such a dangerous exploit. The diagram below explains the attack flow in a simple flowchart:
MITRE ATT&CK MATRIX – Supernova TTPs:
While this tactic of web shell implementation is not new, the effort and resources invested in the code are overwhelming, pointing to a highly capable advanced persistent threat actor.
This further amplifies the urgent need for better visibility and security orchestration between all relevant security appliances and teams.
Detection by Cynet 360
Cynet detects the Supernova malware payload based on multiple vectors, including Cynet's NGAV (Next-Gen AV) mechanism, which is an innovative, state-of-the-art, artificial intelligence malware detection mechanism based on thousands of non-linear combinations of indicators. Cynet's NGAV solution, also known as CyAI, is constantly evolving to detect the newest and most complicated threats used by sophisticated attack groups as well as lone hackers, to keep Cynet 360 customers secure.
Actions taken by Cynet
Cynet 360 customers are fully protected against any attempts to abuse the Supernova backdoor. Customers who utilize the SolarWinds software have been notified by our CyOps team.
Cynet XDR has released relevant detections for the compromised software and the malicious backdoor based on multiple detection vectors. We will continue to add additional IOCs as new ones emerge.