Sunday, October 13, 2024
HomeCyber AttackNew SUPERNOVA Backdoor Found in SolarWinds Cyberattack Analysis

New SUPERNOVA Backdoor Found in SolarWinds Cyberattack Analysis

Published on

Malware protection

An analysis reports the detection of a backdoor possibly developed by the unidentified hacking team involved in the attack; known as Supernova, this is a web shell injected into SolarWinds Orion code that would allow threat actors to execute arbitrary code on systems that use the compromised version of the product.

Technical Overview

A webshell is typically malware logic embedded in a script page and is most often implemented in an interpreted programming language or context (commonly PHP, Java JSP, VBScript and JScript ASP, and C# ASP.NET).

The webshell will receive commands from a remote server and will execute in the context of the web server’s underlying runtime environment.

- Advertisement - SIEM as a Service

The SUPERNOVA webshell is also apparently designed for secondary or upgraded persistence, but its novelty goes far beyond the conventional webshell malware.

SUPERNOVA takes a valid .NET program as a parameter. The .NET class, method, arguments and code data are compiled and executed in memory. There is no need for additional network callbacks other than the initial C2 request.

The attackers have built a silent and full-grown .NET API embedded in an Orion binary, whose user is typically highly privileged and positioned with a high degree of visibility within an organization’s network.

 The attackers can then arbitrarily configure SolarWinds (and any local operating system feature on Windows exposed by the .NET SDK) with malicious C# code. The code is compiled on the fly during benign SolarWinds operation and is executed dynamically.

Implant Phase

By leveraging the inbuilt trust of system administrators and routine tool patching, the webshell was implanted without raising any conventional alerts.

The implant itself is a trojanized copy of app_web_logoimagehandler.ashx.b6031896.dll, which is a proprietary SolarWinds .NET library that exposes an HTTP API. The endpoint serves to respond to queries for a specific .gif image from other components of the Orion software stack.

The four parameters codes, clazz, method and args are passed via GET query string to the trojanized logo handler component.

These parameters are then executed in a custom method that simply invokes the underlying operating system.

Execution

The attacker might send a request to the embedded webshell over the internet or through an internally compromised system.

The code is crafted to accept the parameters as components of a valid .NET program, which is then compiled in memory. No executable is dropped and thus the webshell’s execution evades most defender endpoint detections.

Tactics, Techniques and Procedures

The malware is secretly embedded onto a server, and then receives C2 signals remotely and executes them in the context of the server user.

Yet, SUPERNOVA is powerful due to its in-memory execution, sophistication in its parameters and execution and flexibility by implementing a full programmatic API to the .NET runtime.

Apart from eluding detections, the SolarStorm actors were skilled enough to purposely hide their traffic and behaviour in plain sight and to avoid leaving trace evidence behind.

Protection

According to the researchers, only by organizing multiple security appliances and applications in a single pane can defenders detect these attacks.

Palo Alto Networks customers are protected by the following:

Network defense orchestration with Cortex XSOAR.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

SpyCloud Embeds Identity Analytics in Cybercrime Investigations Solution to Accelerate Insider and Supply Chain Risk Analysis & Threat Actor Attribution

IDLink, SpyCloud’s new automated digital identity correlation capability, is now core to its industry-leading...

Abusix and Red Sift Form New Partnership, Leveraging Automation to Mitigate Cyber Attacks

The agreement has marked over 600,000 fraudulent domains for takedown in just two months...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...

Foxit PDF Reader Vulnerability Let Attackers Execute Arbitary Code

Researchers recently disclosed six new security vulnerabilities across various software, as one critical vulnerability...