See Cynet’s Autonomous
Breach Protection in Action

Prefer a one-on-one demo? Click here

By clicking next I consent to the use of my personal data by Cynet in accordance with Cynet's Privacy Policy and by its partners

ATTACK TECHNIQUES – HANDS ON

Brought to you by Cynet's CyOps Center

Cynet's 24/7 MDR with the latest security updates and reports

Learn more about CyOps

Network Attacks and Exfiltration

Credential Access & Data Collection

Initial Access and Fileless Attacks

Ransomware Threat Reports

Threat Reports

Vulnerabilities

Persistence

Evasion techniques

Crypto attacks

When a Sunburst Turns Supernova – Recent Solarigate Development 

By: Amit Martsiano 

Intro 

In addition to the recent discoveries following the SolarWinds supply chain attack and the newly discovered SUNBURST backdoor, the investigation of the attack has led to the discovery of an additional malware that also uses the SolarWinds Orion product as its delivery method but is unlikely to be related to the preceding unfolding event and used by a different threat actor. 

The malware dubbed SUPERNOVA consists of a small persistent backdoor in the form of a DLL file named: App_Web_logoimagehandler.ashx.b6031896.dll.the attackers cleverly injected malicious C# code into this file which appeared as if the actual SolarWinds developers have written it.  This was done to avoid manual code review and automated tests to allow remote code execution through SolarWinds web application server when triggered. The new malware consists of several sophisticated and novel TTP’s that imply the attackers are highly skilled.  

 

Attack Flow 

  • Infected .dll receives malicious C# code from C2 server.  
  • Infected .dll, sitting inside the Orion platform web interface functions as a backdoor for the hackers.  
  • Malicious C# is executed in memory (DynamicRun) to hinder DFIR attempts / EDR detections.  
  • The hackers can abuse all windows features on endpoints under Orion platform scope that can be modified using the .NET API.  
  • Further exploitation of endpoints inside the internal network.  

 

Technical Facts:  

What makes Supernova web-shell so unique, is the fact that the malware creators have gone to great lengths to make sure this backdoor will remain hidden until they can flip the switch to use it. Although it did not have a digital signature, the complexity and attention to detail, operational security knowledge, and the uncommon execution method leaves no room for doubt – the creators of this malware are Advanced Persistent Threat actors and certainly not some script kiddies. 

 Unsurprisingly, the infected .dll maintains normal function as It masquerades as web service that retrieves the SolarWinds logo for it to be displayed in the Orion platform. Basically, it is looking for a benign gif image from the legitimate Orion DB. But when the malware receives the initial c2 request – things get interesting.  

When the attacker sends the C# code from the c2 server, the infected DLL contains one unique method that was crafted to handle the hackers command – named DynamicRun. Its main purpose is to receive a C# script from a web request, compile it on the fly, and execute it. The malicious code section is compiled and executed in memory – making it harder for EDR products to detect and leaving no forensic evidence for DFIR investigations. While this technique is not new in the malware world, seeing it being implemented in a web-shell malware is very uncommon. Also, in most organizations the user that manages the Orion platform has high privileges and great visibility into the internal network – a smart choice from the apt group as this approach avoids the use of privilege escalation code which would create to  a higher risk of being detected by defense mechanisms.  

 

There are 4 .NET parameters that were injected into the Orion DLL:   

These parameters provide the Attackers with a sophisticated functionality required to pull off such a dangerous exploit. The diagram below explains the attack flow in simple flowchart: 

MITRE ATT&CK MATRIX – Supernova TTP’s:  

Conclusion 

While this tactic of webshell implementation is not new, the efforts and resources invested in the code is overwhelming, pointing to a highly capable advanced persistent threat actor. 

This further amplifies the urgent need for better visibility and security orchestration between all relevant security appliances and teams. 

Detection by Cynet 360 

Cynet detects the Supernova malware payload based on multiple vectors, including by Cynet’s NGAV (Next-Gen AV) mechanism, which is an innovative, stateoftheart, artificial intelligence malware detection mechanism, based on thousands of non-linear combinations of indicators. Cynet’s NGAV solution, also known as the CyAI, is constantly evolving to detect the newest and most complicated threats used by sophisticated attack groups as well as lone hackers, to keep Cynet 360 customers secured.   

Actions taken by Cynet 

Cynet 360 customers are fully protected against any attempts of abusing the Supernova backdoor. Customers who utilize the SolarWinds software have been notified by our CyOps team.  

Cynet XDR has released relevant detections for the compromised software and the malicious backdoor based on multiple detection vectors. We will continue to add additional IOCs as new ones emerge.
 

 Additional security endpoint protection recommendations: 

  • Isolate the vulnerable endpoint using the Cynet Dashboard and be prepared for triage. 
  • Reset any passwords used in the SolarWinds platform, treat them as compromised passwords. 
  • Enable all detection and remediation mechanisms at Cynet 360 UI. 
  • Contact SolarWinds for relevant updates to the Orion Platform 

 

If you have been impacted by Solorigate/Sunburst or Supernova and would like assistance in mitigation and protection from the new threats, please contact us here: 

https://www.cynet.com/services/under-attack/ 

Indicators of Compromise 

SUPERNOVA Hashes:
SHA256 – C15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71
SHA1 – 75af292f34789a1c782ea36c7127bf6106f595e8
MD5 – 56ceb6d0011d87b6e4d7023d7ef85676