New SUPERNOVA backdoor found in SolarWinds cyberattack analysis

While analyzing artifacts from the SolarWinds Orion supply-chain attack, security researchers discovered another backdoor that is likely from a second threat actor.

Named SUPERNOVA, the malware is a webshell planted in the code of the Orion network and applications monitoring platform and enabled adversaries to run arbitrary code on machines running the trojanized version of the software.

The webshell is a trojanized variant of a legitimate .NET library (app_web_logoimagehandler.ashx.b6031896.dll) present in the Orion software from SolarWinds, modified in a way that would allow it to evade automated defense mechanisms.

Orion software uses the DLL to expose an HTTP API, allowing the host to respond to other subsystems when querying for a specific GIF image.

In a technical report last week, Matt Tennis, Senior Staff Security Researcher at Palo Alto Networks, says that the malware could potentially slip even manual analysis since the code implemented in the legitimate DLL is innocuous and is of “relatively high quality.”

The analysis shows that the threat actor added in the legitimate SolarWinds file four new parameters to receive signals from the command and control (C2) infrastructure.

The malicious code contains only one method, DynamicRun, which compiles on the fly the parameters into a .NET assembly in memory, thus leaving no artifacts on the disk of a compromised device.

This way, the attacker can send arbitrary code to the infected device and run it in the context of the user, who most of the times has high privileges and visibility on the network.

At the moment, the malware sample is available on VirusTotal, detected by 55 out of 69 antivirus engines.

It is unclear how long SUPERNOVA has been in the Orion software but Intezer’s malware analysis system shows a compilation timestamp of March 24, 2020.

Possibly a second hacking group

Based on the findings of the investigation, SUPERNOVA bears the hallmarks of an advanced hacking group that took compromise via a webshell to a new level.


continue reading at

Leave a Reply

Your email address will not be published. Required fields are marked *