By: Amit Martsiano
In addition to the recent discoveries following the SolarWinds supply chain attack and the newly discovered SUNBURST backdoor, the investigation of the attack has led to the discovery of an additional malware that also uses the SolarWinds Orion product as its delivery method but is unlikely to be related to the preceding unfolding event and used by a different threat actor.
The malware dubbed SUPERNOVA consists of a small persistent backdoor in the form of a DLL file named: App_Web_logoimagehandler.ashx.b6031896.dll.the attackers cleverly injected malicious C# code into this file which appeared as if the actual SolarWinds developers have written it. This was done to avoid manual code review and automated tests to allow remote code execution through SolarWinds web application server when triggered. The new malware consists of several sophisticated and novel TTP’s that imply the attackers are highly skilled.
What makes Supernova web-shell so unique, is the fact that the malware creators have gone to great lengths to make sure this backdoor will remain hidden until they can flip the switch to use it. Although it did not have a digital signature, the complexity and attention to detail, operational security knowledge, and the uncommon execution method leaves no room for doubt – the creators of this malware are Advanced Persistent Threat actors and certainly not some script kiddies.
Unsurprisingly, the infected .dll maintains normal function as It masquerades as a web service that retrieves the SolarWinds logo for it to be displayed in the Orion platform. Basically, it is looking for a benign gif image from the legitimate Orion DB. But when the malware receives the initial c2 request – things get interesting.
When the attacker sends the C# code from the c2 server, the infected DLL contains one unique method that was crafted to handle the hackers command – named DynamicRun. Its main purpose is to receive a C# script from a web request, compile it on the fly, and execute it. The malicious code section is compiled and executed in memory – making it harder for EDR products to detect and leaving no forensic evidence for DFIR investigations. While this technique is not new in the malware world, seeing it being implemented in a web-shell malware is very uncommon. Also, in most organizations the user that manages the Orion platform has high privileges and great visibility into the internal network – a smart choice from the apt group as this approach avoids the use of privilege escalation code which would create to a higher risk of being detected by defense mechanisms.
There are 4 .NET parameters that were injected into the Orion DLL:
These parameters provide the Attackers with a sophisticated functionality required to pull off such a dangerous exploit. The diagram below explains the attack flow in a simple flowchart:
While this tactic of web–shell implementation is not new, the efforts and resources invested in the code is overwhelming, pointing to a highly capable advanced persistent threat actor.
This further amplifies the urgent need for better visibility and security orchestration between all relevant security appliances and teams.
Detection by Cynet 360
Cynet detects the Supernova malware payload based on multiple vectors, including by Cynet’s NGAV (Next-Gen AV) mechanism, which is an innovative, state–of–the–art, artificial intelligence malware detection mechanism, based on thousands of non-linear combinations of indicators. Cynet’s NGAV solution, also known as the CyAI, is constantly evolving to detect the newest and most complicated threats used by sophisticated attack groups as well as lone hackers, to keep Cynet 360 customers secured.
Cynet 360 customers are fully protected against any attempts of abusing the Supernova backdoor. Customers who utilize the SolarWinds software have been notified by our CyOps team.
Cynet XDR has released relevant detections for the compromised software and the malicious backdoor based on multiple detection vectors. We will continue to add additional IOCs as new ones emerge
Additional security endpoint protection recommendations:
If you have been impacted by Solorigate/Sunburst or Supernova and would like assistance in mitigation and protection from the new threats, please contact us here:
SHA256 – C15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71
SHA1 – 75af292f34789a1c782ea36c7127bf6106f595e8
MD5 – 56ceb6d0011d87b6e4d7023d7ef85676
Let’s get started
Ready to extend visibility, threat detection and response?