Thursday, May 1, 2025
HomeCyber AttackNew SUPERNOVA Backdoor Found in SolarWinds Cyberattack Analysis

New SUPERNOVA Backdoor Found in SolarWinds Cyberattack Analysis

Published on

SIEM as a Service

Follow Us on Google News

An analysis reports the detection of a backdoor possibly developed by the unidentified hacking team involved in the attack; known as Supernova, this is a web shell injected into SolarWinds Orion code that would allow threat actors to execute arbitrary code on systems that use the compromised version of the product.

Technical Overview

A webshell is typically malware logic embedded in a script page and is most often implemented in an interpreted programming language or context (commonly PHP, Java JSP, VBScript and JScript ASP, and C# ASP.NET).

The webshell will receive commands from a remote server and will execute in the context of the web server’s underlying runtime environment.

- Advertisement - Google News

The SUPERNOVA webshell is also apparently designed for secondary or upgraded persistence, but its novelty goes far beyond the conventional webshell malware.

SUPERNOVA takes a valid .NET program as a parameter. The .NET class, method, arguments and code data are compiled and executed in memory. There is no need for additional network callbacks other than the initial C2 request.

The attackers have built a silent and full-grown .NET API embedded in an Orion binary, whose user is typically highly privileged and positioned with a high degree of visibility within an organization’s network.

 The attackers can then arbitrarily configure SolarWinds (and any local operating system feature on Windows exposed by the .NET SDK) with malicious C# code. The code is compiled on the fly during benign SolarWinds operation and is executed dynamically.

Implant Phase

By leveraging the inbuilt trust of system administrators and routine tool patching, the webshell was implanted without raising any conventional alerts.

The implant itself is a trojanized copy of app_web_logoimagehandler.ashx.b6031896.dll, which is a proprietary SolarWinds .NET library that exposes an HTTP API. The endpoint serves to respond to queries for a specific .gif image from other components of the Orion software stack.

The four parameters codes, clazz, method and args are passed via GET query string to the trojanized logo handler component.

These parameters are then executed in a custom method that simply invokes the underlying operating system.

Execution

The attacker might send a request to the embedded webshell over the internet or through an internally compromised system.

The code is crafted to accept the parameters as components of a valid .NET program, which is then compiled in memory. No executable is dropped and thus the webshell’s execution evades most defender endpoint detections.

Tactics, Techniques and Procedures

The malware is secretly embedded onto a server, and then receives C2 signals remotely and executes them in the context of the server user.

Yet, SUPERNOVA is powerful due to its in-memory execution, sophistication in its parameters and execution and flexibility by implementing a full programmatic API to the .NET runtime.

Apart from eluding detections, the SolarStorm actors were skilled enough to purposely hide their traffic and behaviour in plain sight and to avoid leaving trace evidence behind.

Protection

According to the researchers, only by organizing multiple security appliances and applications in a single pane can defenders detect these attacks.

Palo Alto Networks customers are protected by the following:

Network defense orchestration with Cortex XSOAR.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Netgear EX6200 Flaw Enables Remote Access and Data Theft

Security researchers have disclosed three critical vulnerabilities in the Netgear EX6200 Wi-Fi range extender...

Tesla Model 3 VCSEC Vulnerability Lets Hackers Run Arbitrary Code

A high security flaw in Tesla’s Model 3 vehicles, disclosed at the 2025 Pwn2Own...

Quantum Computing and Cybersecurity – What CISOs Need to Know Now

As quantum computing transitions from theoretical research to practical application, Chief Information Security Officers...

Apache ActiveMQ Vulnerability Lets Remote Hackers Execute Arbitrary Code

A high vulnerability in Apache ActiveMQ’s .NET Message Service (NMS) library has been uncovered,...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Netgear EX6200 Flaw Enables Remote Access and Data Theft

Security researchers have disclosed three critical vulnerabilities in the Netgear EX6200 Wi-Fi range extender...

Tesla Model 3 VCSEC Vulnerability Lets Hackers Run Arbitrary Code

A high security flaw in Tesla’s Model 3 vehicles, disclosed at the 2025 Pwn2Own...

Apache ActiveMQ Vulnerability Lets Remote Hackers Execute Arbitrary Code

A high vulnerability in Apache ActiveMQ’s .NET Message Service (NMS) library has been uncovered,...