An analysis reports the detection of a backdoor possibly developed by the unidentified hacking team involved in the attack; known as Supernova, this is a web shell injected into SolarWinds Orion code that would allow threat actors to execute arbitrary code on systems that use the compromised version of the product.
A webshell is typically malware logic embedded in a script page and is most often implemented in an interpreted programming language or context (commonly PHP, Java JSP, VBScript and JScript ASP, and C# ASP.NET).
The webshell will receive commands from a remote server and will execute in the context of the web server’s underlying runtime environment.
The SUPERNOVA webshell is also apparently designed for secondary or upgraded persistence, but its novelty goes far beyond the conventional webshell malware.
SUPERNOVA takes a valid .NET program as a parameter. The .NET class, method, arguments and code data are compiled and executed in memory. There is no need for additional network callbacks other than the initial C2 request.
The attackers have built a silent and full-grown .NET API embedded in an Orion binary, whose user is typically highly privileged and positioned with a high degree of visibility within an organization’s network.
The attackers can then arbitrarily configure SolarWinds (and any local operating system feature on Windows exposed by the .NET SDK) with malicious C# code. The code is compiled on the fly during benign SolarWinds operation and is executed dynamically.
By leveraging the inbuilt trust of system administrators and routine tool patching, the webshell was implanted without raising any conventional alerts.
The implant itself is a trojanized copy of app_web_logoimagehandler.ashx.b6031896.dll, which is a proprietary SolarWinds .NET library that exposes an HTTP API. The endpoint serves to respond to queries for a specific .gif image from other components of the Orion software stack.
The four parameters codes, clazz, method and args are passed via GET query string to the trojanized logo handler component.
These parameters are then executed in a custom method that simply invokes the underlying operating system.
The attacker might send a request to the embedded webshell over the internet or through an internally compromised system.
The code is crafted to accept the parameters as components of a valid .NET program, which is then compiled in memory. No executable is dropped and thus the webshell’s execution evades most defender endpoint detections.
Tactics, Techniques and Procedures
The malware is secretly embedded onto a server, and then receives C2 signals remotely and executes them in the context of the server user.
Yet, SUPERNOVA is powerful due to its in-memory execution, sophistication in its parameters and execution and flexibility by implementing a full programmatic API to the .NET runtime.
Apart from eluding detections, the SolarStorm actors were skilled enough to purposely hide their traffic and behaviour in plain sight and to avoid leaving trace evidence behind.
According to the researchers, only by organizing multiple security appliances and applications in a single pane can defenders detect these attacks.
Palo Alto Networks customers are protected by the following:
- Endpoint protection through Cortex XDR.
- Malware sandbox detection through WildFire (Next-Generation Firewall security subscription).
- An array of defenses including IPS and AppID in Threat Prevention (Next-Generation Firewall security subscription).
- Threat intelligence with Cortex Data Lake.
Network defense orchestration with Cortex XSOAR.