Cyber Threat Advisory: SUPERNOVA Malware

Share On Facebook
Share On Twitter
Share On Linkedin

Date: 28 January 21

Author: Nick Sundvall and Yadu Nadh

TLP:WHITE

1. Executive Summary

On 27 January, the Cybersecurity & Infrastructure Security Agency (CISA) published a Malware Analysis Report (MAR) on malware affecting SolarWinds’ Orion platform.1 Cybersecurity company FireEye has named the malware SUPERNOVA. Both CISA and SolarWinds assessed that SUPERNOVA is not related to the supply chain attack on SolarWinds that was discovered in December 2020 but was designed to appear as part of the SolarWinds product. The report details the analysis of a PowerShell script that installs a malicious webshell backdoor – SUPERNOVA – allowing an attacker to inject and execute C# code into the SolarWinds software.

2. Analysis

2.1. PowerShell Script

CISA reports that the PowerShell script, 1.ps1, contains a Base64 encoded, 32-bit .NET dynamic-link library (DLL). When the script executes, it uses Base64 to decode and install the DLL into the directory C:\inetpub\SolarWinds\bin\App_Web_logoimagehandler.ashx.b6031896.dll. This DLL includes a legitimate SolarWinds DLL, with the SUPERNOVA webshell added in.

2.2. DLL

CISA describes the 32-bit .NET DLL as “a modified SolarWinds plug-in” with the SUPERNOVA malware “patched into this plug-in.” The modification changes the DynamicRun function, which is responsible for accepting C# code, as well as compiling and running it. This modification allows an attacker to provide custom HttpContext data structures to the application’s ProcessRequest function.

The ProcessRequest function accepts HttpContext data structures as arguments. It parses out certain sections of the structure using various keys and provides the related data from the keys as arguments to the DynamicRun function.

The DynamicRun function accepts arguments containing pieces of C# code including the class name, function name, arguments passed to the function and actual code. After parsing the data from the arguments and combining it to create complete code, DynamicRun compiles and executes the code.

3. Prevention and Mitigation

CISA provides the following list of best practices to strengthen the security of an organization. In addition, CISA references the publication from the National Institute of Standards and Technology (NIST), “Guide to Malware Incident Prevention & Handling for Desktops and Laptops” for more information on malware incident prevention and handling.2

● Maintain up-to-date antivirus signatures and engines.

● Keep operating system patches up-to-date.

● Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.

● Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.

● Enforce a strong password policy and implement regular password changes.

● Exercise caution when opening email attachments even if the attachment is expected and the sender appears to be known.

● Enable a personal firewall on workstations, configured to deny unsolicited connection requests.

● Disable unnecessary services on workstations and servers.

● Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).

● Monitor users’ web browsing habits; restrict access to sites with unfavorable content.

● Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).

● Scan all software downloaded from the Internet prior to executing.

● Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

4. Indicators of Compromise

Indicator

Description

C:\inetpub\SolarWinds\bin\App_Web_logoimagehandler.ashx.b6031896.dll

SUPERNOVA

implant path

290951fcc76b497f13dcb756883be3377cd3a4692e51350c92cac157fc87e515

C15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71

02c5a4770ee759593ec2d2ca54373b63dea5ff94da2e8b4c733f132c00fc7ea1

SHA256s

Endnotes

1. https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a

2. https://csrc.nist.gov/publications/detail/sp/800-83/rev-1/final

Labels:

Infoblox Threat Intel

Infoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access give us a backstage pass to the internet's inner workings. We're proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox DNS Detection and Response solutions, so customers automatically get the benefits of it, along with ridiculously low false positive rates.

View All Posts

You might also be interested in

You might also be interested in

×