New SUPERNOVA Backdoor Found in SolarWinds Cyberattack Analysis
upstart writes in with an IRC submission:
New SUPERNOVA backdoor found in SolarWinds cyberattack analysis:
While analyzing artifacts from the SolarWinds Orion supply-chain attack, security researchers discovered another backdoor that is likely from a second threat actor.
Named SUPERNOVA, the malware is a webshell planted in the code of the Orion network and applications monitoring platform and enabled adversaries to run arbitrary code on machines running the trojanized version of the software.
The webshell is a trojanized variant of a legitimate .NET library (app_web_logoimagehandler.ashx.b6031896.dll) present in the Orion software from SolarWinds, modified in a way that would allow it to evade automated defense mechanisms.
Orion software uses the DLL to expose an HTTP API, allowing the host to respond to other subsystems when querying for a specific GIF image.
[...] The malicious code contains only one method, DynamicRun, which compiles the parameters on the fly into a .NET assembly in memory, thus leaving no artifacts on the disk of a compromised device.
This way, the attacker can send arbitrary code to the infected device and run it in the context of the user, who most of the time has high privileges and visibility on the network.
[...] The researcher adds that taking a valid .NET program as a parameter and in-memory code execution makes SUPERNOVA a rare encounter as it eliminates the need for additional network callbacks besides the initial C2 request.
Read more of this story at SoylentNews.
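As an added example (not code from the original post, the quoted article, or SolarWinds), a defender-side IIS log check built from the post's description: the image handler is meant to answer GIF lookups, so requests to it whose query parameters look like C# source are worth flagging. The handler path, parameter names, thresholds and log lines are constructed assumptions.

```python
# Added example: flag requests to the Orion image handler whose query values look
# like C# source rather than an image lookup, following the post's description
# that SUPERNOVA compiles request parameters into a .NET assembly in memory.
import re
from urllib.parse import parse_qs

HANDLER = "/orion/logoimagehandler.ashx"   # assumed path served by the trojanized DLL
MAX_VALUE_LEN = 256                         # a GIF lookup needs only a short value
# Tokens that have no place in an image lookup but are common in C# source.
CODE_TOKENS = re.compile(
    r"\b(using\s+System|namespace|public|static|void|Assembly|CompileAssemblyFromSource)\b")

def suspicious_params(query: str) -> list:
    """Return names of query parameters whose value looks like source code."""
    hits = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if any(CODE_TOKENS.search(v) or len(v) > MAX_VALUE_LEN or v.count("{") >= 2
               for v in values):
            hits.append(name)
    return sorted(hits)

def scan_iis_log(lines) -> list:
    """Parse W3C lines (date time cs-method cs-uri-stem cs-uri-query c-ip sc-status)
    and return (client_ip, param_names) for handler requests that carry code."""
    findings = []
    for line in lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 7:
            continue
        stem, query, client_ip = fields[3], fields[4], fields[5]
        if stem.lower() != HANDLER or query == "-":
            continue
        params = suspicious_params(query)
        if params:
            findings.append((client_ip, params))
    return findings

# Constructed sample: one normal image lookup, one request carrying a C# class.
SAMPLE_LOG = [
    "#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status",
    "2020-12-18 10:01:02 GET /Orion/LogoImageHandler.ashx id=statusicon 10.0.0.5 200",
    "2020-12-18 10:02:14 GET /Orion/LogoImageHandler.ashx "
    "p1=using+System%3B+public+class+X%7B+public+static+void+Run%28%29%7B%7D%7D&p2=X "
    "198.51.100.7 200",
    "2020-12-18 10:03:00 GET /Orion/Login.aspx - 10.0.0.9 200",
]

def scan_sample() -> list:
    return scan_iis_log(SAMPLE_LOG)
```

Run `scan_sample()` to see the single flagged client; the check is content-based, so it does not depend on knowing the real parameter names.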