Understanding & Detecting the SUPERNOVA Webshell Trojan

By Marco Figueroa, James Haughom and Jim Walter

Introduction


The recent SolarWinds Orion supply chain attack has proven to be one of the most layered and damaging attacks of 2020, involving multiple distinct artifacts and a sophisticated set of TTPs.
Several distinct malware families have emerged in relation to the compromise, including the SUNBURST backdoor, SUPERNOVA, COSMICGALE and TEARDROP.
Organizations protected by SentinelOne’s Singularity platform are fully protected against all of these new threats.

In this post, we provide an analysis of the SUPERNOVA trojan, describing how the weaponized DLL payload differs from the legitimate version it supplanted. We also disclose some new Indicators of Compromise that, alongside previously documented IoCs, can help security teams detect when the malicious webshell is active.


Overview of SolarWinds’ Malware Components


The sophisticated nature of the SolarWinds compromise has resulted in a flurry of new malware families, each with different characteristics and behaviors.


SUNBURST refers to a .NET backdoor (written in C#). It was delivered as part of a trojanized MSI (Windows Installer) patch pushed out through SolarWinds' own update mechanism.
TEARDROP is a memory-resident implant used primarily to deploy a Cobalt Strike Beacon payload.
COSMICGALE refers to certain malicious PowerShell scripts executed on compromised hosts.
SUPERNOVA refers to a web shell implant used to receive and execute additional attacker-supplied code on exposed Orion hosts.

Below, we focus on understanding and detecting the SUPERNOVA web shell implant.
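Because SUPERNOVA lives inside an Orion web application DLL rather than arriving as a separate file, a first triage step on a suspect server is simply to find every copy of that DLL and check whether each one is still the vendor-signed build. The PowerShell below is an added example written for this article; it is not code from the original post or from SolarWinds. The search roots (the default Orion web root and the ASP.NET temporary compilation directories) and the allow-list of known-good hashes are assumptions you must adapt to your own install, and the expectation that a legitimate build carries a valid Authenticode signature should be confirmed against the published SUPERNOVA IoCs rather than taken from this snippet.

```powershell
# Added example: inventory App_Web_logoimagehandler*.dll copies on a SolarWinds
# Orion server and flag any that are unsigned or not on a known-good hash list.
# Search roots are assumptions (default Orion / ASP.NET locations); adjust them.
$SearchRoots = @(
    'C:\inetpub\SolarWinds',
    "$env:SystemRoot\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files",
    "$env:SystemRoot\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files"
)

# SHA-256 values of builds you have verified as legitimate. Assumption: you fill
# this from a known-good Orion install or vendor documentation. Left empty here,
# in which case only the signature check drives the Suspicious flag.
$KnownGoodSha256 = @()

function Get-LogoImageHandlerDllReport {
    param(
        [string[]]$Roots     = $SearchRoots,
        [string[]]$AllowList = $KnownGoodSha256
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File `
                      -Filter 'App_Web_logoimagehandler*.dll' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
                $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                $onList = ($AllowList.Count -gt 0) -and ($AllowList -contains $hash)
                [pscustomobject]@{
                    Path        = $_.FullName
                    SizeBytes   = $_.Length
                    LastWrite   = $_.LastWriteTimeUtc
                    SigStatus   = $sig.Status     # 'Valid' is expected for a vendor-signed build
                    Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                    Sha256      = $hash
                    OnAllowList = $onList
                    # Unsigned / broken signature is always suspicious; an unknown hash is
                    # suspicious only when an allow-list has actually been supplied.
                    Suspicious  = ($sig.Status -ne 'Valid') -or
                                  (($AllowList.Count -gt 0) -and -not $onList)
                }
            }
    }
}

# Usage: list every copy found, suspicious ones first.
Get-LogoImageHandlerDllReport | Sort-Object Suspicious -Descending | Format-List
```

Run this from an elevated prompt on the Orion host itself (or against a mounted disk image by changing `$SearchRoots`). A copy with `SigStatus` other than `Valid`, a signer that is not SolarWinds, or a hash absent from your allow-list is a candidate for the differential analysis described in the rest of this post; the script deliberately reports rather than deletes, so nothing is disturbed before forensic collection.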


The Trojanized App_Web_logoimagehandler DLL


The SUPERNOVA web shell implant is a trojanized copy of a legitimate DLL .NET library in the SolarWinds Orion web applic ..
