Cyber Threat Advisory: SUPERNOVA Malware

Share On Facebook
Share On Twitter
Share On Linkedin

Date: 28 January 21

Author: Nick Sundvall and Yadu Nadh

TLP:WHITE

1. Executive Summary

On 27 January, the Cybersecurity & Infrastructure Security Agency (CISA) published a Malware Analysis Report (MAR) on malware affecting SolarWinds’ Orion platform.1 Cybersecurity company FireEye has named the malware SUPERNOVA. Both CISA and SolarWinds assessed that SUPERNOVA is not related to the supply chain attack on SolarWinds that was discovered in December 2020 but was designed to appear as part of the SolarWinds product. The report details the analysis of a PowerShell script that installs a malicious webshell backdoor – SUPERNOVA – allowing an attacker to inject and execute C# code into the SolarWinds software.

2. Analysis

2.1. PowerShell Script

CISA reports that the PowerShell script, 1.ps1, contains a Base64 encoded, 32-bit .NET dynamic-link library (DLL). When the script executes, it uses Base64 to decode and install the DLL into the directory C:\inetpub\SolarWinds\bin\App_Web_logoimagehandler.ashx.b6031896.dll. This DLL includes a legitimate SolarWinds DLL, with the SUPERNOVA webshell added in.

2.2. DLL

CISA describes the 32-bit .NET DLL as “a modified SolarWinds plug-in” with the SUPERNOVA malware “patched into this plug-in.” The modification changes the DynamicRun function, which is responsible for accepting C# code, as well as compiling and running it. This modification allows an attacker to provide custom HttpContext data structures to the application’s ProcessRequest function.

The ProcessRequest function accepts HttpContext data structures as arguments. It parses out certain sections of the structure using various keys and provides the related data from the keys as arguments to the DynamicRun function.

The DynamicRun function accepts arguments containing pieces of C# code including the class name, function name, arguments passed to the function and actual code. After parsing the data from the arguments and combining it to create complete code, DynamicRun compiles and executes the code.

3. Prevention and Mitigation

CISA provides the following list of best practices to strengthen the security of an organization. In addition, CISA references the publication from the National Institute of Standards and Technology (NIST), “Guide to Malware Incident Prevention & Handling for Desktops and Laptops” for more information on malware incident prevention and handling.2

● Maintain up-to-date antivirus signatures and engines.

● Keep operating system patches up-to-date.

● Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.

● Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.

● Enforce a strong password policy and implement regular password changes.

● Exercise caution when opening email attachments even if the attachment is expected and the sender appears to be known.

● Enable a personal firewall on workstations, configured to deny unsolicited connection requests.

● Disable unnecessary services on workstations and servers.

● Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).

● Monitor users’ web browsing habits; restrict access to sites with unfavorable content.

● Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).

● Scan all software downloaded from the Internet prior to executing.

● Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

4. Indicators of Compromise

Indicator

Description

C:\inetpub\SolarWinds\bin\App_Web_logoimagehandler.ashx.b6031896.dll

SUPERNOVA

implant path

290951fcc76b497f13dcb756883be3377cd3a4692e51350c92cac157fc87e515

C15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71

02c5a4770ee759593ec2d2ca54373b63dea5ff94da2e8b4c733f132c00fc7ea1

SHA256s

Endnotes

1. https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a

2. https://csrc.nist.gov/publications/detail/sp/800-83/rev-1/final

Labels:

Infoblox Threat Intelligence Group

With over 50 years of combined experience, the Infoblox Threat Intelligence Group creates, aggregates and curates information on threats to provide actionable intelligence that is high-quality, timely and reliable. Threat information from Infoblox filters out false positives and gives you the information you need to block the newest threats and to maintain a unified security policy across the entire security infrastructure of your organization.

View All Posts

You might also be interested in

You might also be interested in

×