Date: 28 January 2021
Author: Nick Sundvall and Yadu Nadh
1. Executive Summary
On 27 January, the Cybersecurity & Infrastructure Security Agency (CISA) published a Malware Analysis Report (MAR) on malware affecting SolarWinds’ Orion platform.[1] Cybersecurity company FireEye has named the malware SUPERNOVA. Both CISA and SolarWinds assess that SUPERNOVA is not related to the supply chain compromise of SolarWinds discovered in December 2020, but that it was designed to blend in as part of the SolarWinds product. The report analyses a PowerShell script that installs SUPERNOVA, a malicious webshell backdoor that lets an attacker submit arbitrary C# source code to the Orion web application, which compiles and executes it in-process.
2.1. PowerShell Script
CISA reports that the PowerShell script, 1.ps1, contains a Base64-encoded, 32-bit .NET dynamic-link library (DLL). When the script runs, it decodes the DLL and writes it to C:\inetpub\SolarWinds\bin\App_Web_logoimagehandler.ashx.b6031896.dll, the path of a legitimate Orion web handler. The dropped file is a trojanized copy of that SolarWinds DLL with the SUPERNOVA webshell added.
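A dropper of this shape (a script carrying a large Base64 blob, decoding it with FromBase64String and writing it under C:\inetpub\SolarWinds\bin) can be triaged without executing it. The following is an added example written for this summary, not code from CISA’s report or from SolarWinds. The sample script and its payload are constructed: the “DLL” is a bare MZ/PE header with the i386 machine type and DLL flag set, enough to show how to confirm that the embedded blob really is a 32-bit DLL rather than text.

```python
"""Triage a PowerShell dropper that embeds a Base64-encoded 32-bit DLL and writes
it into the Orion web directory (the pattern described in the CISA MAR).

Added example for this summary, not code from CISA or SolarWinds.
SAMPLE_SCRIPT is constructed; its payload is a minimal fake PE header, not malware.
"""
import base64
import re
import struct
from typing import Optional

ORION_BIN = r"C:\inetpub\SolarWinds\bin"   # drop directory named in the MAR
IMAGE_FILE_MACHINE_I386 = 0x014C            # PE Machine value for 32-bit x86
IMAGE_FILE_DLL = 0x2000                     # PE Characteristics flag: image is a DLL

# A Base64 run of 200+ characters is an embedded blob, not a short token.
_B64_RE = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
_DECODE_RE = re.compile(r"FromBase64String", re.IGNORECASE)
_PATH_RE = re.compile(r'(?i)(C:\\inetpub\\SolarWinds\\bin\\[^"\s]+)')


def inspect_pe(blob: bytes) -> Optional[dict]:
    """Return machine/DLL facts for a PE image, or None if blob is not one."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if e_lfanew + 24 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, _, characteristics = struct.unpack_from(
        "<HHIIIHH", blob, e_lfanew + 4)
    return {"machine": machine,
            "is_32bit": machine == IMAGE_FILE_MACHINE_I386,
            "is_dll": bool(characteristics & IMAGE_FILE_DLL)}


def triage_dropper(script: str) -> dict:
    """Flag the dropper pattern: Base64 decode + write under the Orion bin dir."""
    findings = {
        "decodes_base64": bool(_DECODE_RE.search(script)),
        "targets": _PATH_RE.findall(script),   # every Orion bin path the script writes to
        "embedded_pe": None,
    }
    for run in _B64_RE.findall(script):
        try:
            blob = base64.b64decode(run, validate=True)
        except ValueError:                      # binascii.Error is a ValueError
            continue
        pe = inspect_pe(blob)
        if pe:
            findings["embedded_pe"] = pe
            break
    findings["suspicious"] = (findings["decodes_base64"]
                              and bool(findings["targets"])
                              and findings["embedded_pe"] is not None)
    return findings


def _fake_pe32_dll() -> bytes:
    """Constructed stand-in for the dropped DLL: MZ stub, PE signature, i386 COFF header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 0, IMAGE_FILE_DLL)
    image = bytes(dos) + b"PE\0\0" + coff
    return image.ljust(256, b"\0")            # pad so the Base64 run is clearly a blob


# Constructed sample in the style of the dropper described in the MAR (not 1.ps1 itself).
SAMPLE_SCRIPT = (
    '$b = "' + base64.b64encode(_fake_pe32_dll()).decode() + '"\n'
    '[IO.File]::WriteAllBytes("' + ORION_BIN + '\\App_Web_logoimagehandler.ashx.b6031896.dll", '
    '[Convert]::FromBase64String($b))\n'
)

if __name__ == "__main__":
    result = triage_dropper(SAMPLE_SCRIPT)
    print("suspicious:", result["suspicious"])
    print("writes to:", result["targets"])
    print("embedded PE:", result["embedded_pe"])
```

The decode step matters: a script that merely mentions FromBase64String is common in administration tooling, but one whose blob decodes to a 32-bit DLL destined for the Orion bin directory matches what CISA describes and warrants pulling the file for hashing and comparison against the IOCs.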
CISA describes the 32-bit .NET DLL as “a modified SolarWinds plug-in” with the SUPERNOVA malware “patched into this plug-in.” The modification centres on a DynamicRun function that accepts C# source code, compiles it and runs it, and it wires that function up so an attacker can reach it by sending a crafted HTTP request, delivered to the handler as an HttpContext, to the application’s ProcessRequest function.
ProcessRequest is the handler’s entry point for each HTTP request and receives the HttpContext as its argument. It reads specific keys out of the request and passes the values found under those keys on as the arguments to DynamicRun.
DynamicRun receives the pieces of a C# program as separate arguments: the class name, the method name, the arguments to pass to that method, and the source code itself. It assembles these into a complete compilation unit, compiles it, and invokes the named method. The attacker’s code therefore executes inside the web application process hosting Orion, with that process’s privileges, and nothing is written to disk beyond the trojanized DLL.
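Because every invocation of the webshell arrives as an ordinary HTTP request to the trojanized handler, IIS logs are the natural place to hunt for it. The following is an added example for this summary, not code from CISA’s report: it parses W3C-format IIS log lines and flags requests to logoimagehandler.ashx whose query string carries C# source. The log lines are constructed (the benign “id=1” request is a placeholder, not a claim about Orion’s real request format). The parameter names codes, clazz, method and args are taken from public SUPERNOVA analyses and are not stated in the MAR excerpt above; the C#-token heuristic flags the request even without them.

```python
"""Hunt IIS W3C logs for requests that feed C# source to the trojanized
logoimagehandler.ashx described in the CISA MAR.

Added example for this summary, not code from CISA or SolarWinds. SAMPLE_LOG is
constructed. SUPERNOVA_PARAMS comes from public analyses, not from the MAR excerpt.
"""
import re
from typing import Iterable, Iterator, Optional
from urllib.parse import parse_qs

HANDLER = "/solarwinds/logoimagehandler.ashx"
SUPERNOVA_PARAMS = {"codes", "clazz", "method", "args"}   # assumption: from public analyses
# Fragments of C# source that have no business in an image handler's query string.
_CSHARP_RE = re.compile(
    r"\b(using\s+System|class\s+\w+|public\s+static|namespace\s+\w+)\b|[{};]")


def parse_w3c(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):            # malformed or truncated line
            continue
        yield dict(zip(fields, parts))


def classify(entry: dict) -> Optional[dict]:
    """Return a hit for a SUPERNOVA-looking request to the handler, else None."""
    if entry.get("cs-uri-stem", "").lower() != HANDLER:
        return None
    query = entry.get("cs-uri-query", "-")
    if query == "-":                              # IIS logs '-' for an empty query
        return None
    params = parse_qs(query, keep_blank_values=True)   # also URL-decodes %7B, +, etc.
    known = {k.lower() for k in params} & SUPERNOVA_PARAMS
    csharp_in = [k for k, vals in params.items()
                 if any(_CSHARP_RE.search(v) for v in vals)]
    if not known and not csharp_in:
        return None
    return {
        "time": f"{entry['date']} {entry['time']}",
        "src": entry.get("c-ip"),
        "known_params": sorted(known),
        "csharp_in": csharp_in,                   # parameters whose value looks like C#
        "clazz": params.get("clazz", [None])[0],  # class name handed to DynamicRun
        "method": params.get("method", [None])[0],
    }


def hunt(lines: Iterable[str]) -> list:
    """All suspicious handler requests in a log."""
    return [hit for hit in (classify(e) for e in parse_w3c(lines)) if hit]


# Constructed sample log: one benign handler request, one webshell invocation,
# one unrelated request. Not real Orion traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2021-01-20 10:15:02 10.0.0.5 GET /SolarWinds/logoimagehandler.ashx id=1 200
2021-01-20 10:15:09 203.0.113.7 GET /SolarWinds/logoimagehandler.ashx codes=using+System%3Bpublic+class+Z%7Bpublic+static+string+Run(string+a)%7Breturn+a%3B%7D%7D&clazz=Z&method=Run&args=ping 200
2021-01-20 10:15:11 10.0.0.5 GET /Orion/Login.aspx - 200
""".splitlines()

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

The hunt should be run over the full retention window, not just the days around the report: the webshell only generates log entries when the attacker uses it, and a single successful request is enough to have run arbitrary code on the server. A request that carries C# in an image-handler query string is suspicious regardless of which parameter names it uses, so the heuristic is kept alongside the known names.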
3. Prevention and Mitigation
CISA provides the following list of best practices to strengthen the security of an organization. In addition, CISA refers readers to the National Institute of Standards and Technology (NIST) Special Publication 800-83, “Guide to Malware Incident Prevention and Handling for Desktops and Laptops”, for more information on malware incident prevention and handling.[2]
● Maintain up-to-date antivirus signatures and engines.
● Keep operating system patches up-to-date.
● Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
● Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
● Enforce a strong password policy and implement regular password changes.
● Exercise caution when opening email attachments even if the attachment is expected and the sender appears to be known.
● Enable a personal firewall on workstations, configured to deny unsolicited connection requests.
● Disable unnecessary services on workstations and servers.
● Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
● Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
● Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
● Scan all software downloaded from the Internet prior to executing.
● Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).
4. Indicators of Compromise