New Supernova Malware Found During SolarWinds Artifact Analysis

NJCCIC Alert

Original Release Date: 12/23/2020

Summary

Researchers discovered what is believed to be a second threat actor while analyzing artifacts from the SolarWinds Orion supply-chain attack. The malware, a backdoor dubbed Supernova, is a webshell embedded in a trojanized copy of a legitimate .NET dynamic link library (DLL) found in Orion. Supernova is compiled and executed in memory rather than on disk using the DynamicRun method, suggesting the code is designed to evade certain cybersecurity software. Because the webshell payload is compiled on the fly and executed dynamically, analysis efforts are complicated. Additionally, analysis indicates that the threat actor added four new parameters, codes, clazz, method, and args, to the legitimate SolarWinds file in order to receive signals from the command and control (C2) infrastructure. These four parameters are passed via a GET query string to the trojanized logo handler component (app_web_logoimagehandler.ashx.b6031896[.]dll). This allows the threat actor to weaponize full-featured .NET programs in order to carry out various cyberattacks, including reconnaissance and lateral movement within the network.

At this time, researchers believe that this activity was likely conducted by a separate advanced persistent threat (APT) actor and not UNC2452, the threat actor responsible for the recent SolarWinds supply chain attack. Researchers determined this, in part, because Supernova does not use a digitally signed DLL, unlike the SunBurst malware. Palo Alto's Unit 42 suggests that, "[a]ny ingress traffic to logoimagehandler.ashx with a combination of these four parameters in any order of the query string are strong indicators of compromise (IOCs). If a detection fires on this combination in any order, please isolate and image your Orion instance immediately. If the request came internal to the network, then it is highly probable that the user that initiated the request has also been compromised."
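The Unit 42 detection point above (all four parameters, in any order, on a request to logoimagehandler.ashx) can be checked mechanically against web server logs. The following is an added example, not code from the advisory or from Unit 42; it assumes a simplified, constructed log format (client IP, method, URL, status) and treats RFC 1918 source addresses as internal.

```python
"""Flag Supernova-style requests to the Orion logo handler in web server logs."""
import ipaddress
from urllib.parse import urlsplit, parse_qs

# The four query parameters the advisory names; any order counts.
SUPERNOVA_PARAMS = {"codes", "clazz", "method", "args"}

# RFC 1918 ranges used to decide whether a request came from inside the network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines in a hypothetical format: client_ip method url status.
SAMPLE_LOG = """\
10.0.1.25 GET /SolarWinds/Orion/logoimagehandler.ashx?id=3 200
203.0.113.7 GET /Orion/logoimagehandler.ashx?clazz=A&method=B&args=C&codes=D 200
10.0.1.40 GET /Orion/LogoImageHandler.ashx?codes=x&args=y&clazz=z&method=w 200
10.0.1.40 GET /Orion/Login.aspx?codes=x&args=y&clazz=z&method=w 200
"""

def is_supernova_request(url: str) -> bool:
    """True if the request targets logoimagehandler.ashx with all four parameters.

    Paths and query keys are compared case-insensitively, since IIS paths and
    ASP.NET query-string lookups are not case-sensitive.
    """
    parts = urlsplit(url)
    if not parts.path.lower().endswith("logoimagehandler.ashx"):
        return False
    names = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    return SUPERNOVA_PARAMS <= names

def is_internal(ip_text: str) -> bool:
    """True if the client address falls inside an RFC 1918 range."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in INTERNAL_NETS)

def scan_log(text: str) -> list:
    """Return (client_ip, url, internal) for each log line matching the IoC."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed lines rather than crash mid-scan
        client_ip, url = fields[0], fields[2]
        if is_supernova_request(url):
            hits.append((client_ip, url, is_internal(client_ip)))
    return hits

if __name__ == "__main__":
    for ip, url, internal in scan_log(SAMPLE_LOG):
        src = "internal source, initiating user likely compromised" if internal else "external source"
        print(f"IOC: {ip} -> {url} ({src})")
```

A hit from an internal address is the case the advisory singles out: isolate and image the Orion instance, then treat the initiating user's account and host as compromised.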

Recommendations

The NJCCIC urges administrators to implement supply chain management programs to reduce the risk posed by vendors/third-parties, and apply a defense-in-depth cybersecurity strategy that includes layered defenses. As investigations continue into the extent of the SolarWinds attack, further details and IOCs will likely be revealed, and recommendations may be updated. Additional technical details and IOCs can be found in Palo Alto’s Unit 42 article and malware samples are available via VirusTotal.

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov
