The malware used in the original attack was codenamed Sunburst (or Solorigate) and was delivered to SolarWinds customers as a “booby-trapped” update of the Orion application. Once on the infected network, the malware beacons to its operators and then downloads a second-stage backdoor Trojan called Teardrop, allowing the attacker to start a hands-on-keyboard session, a so-called human-operated attack.
But in the first few days after the SolarWinds hacking incident was publicly disclosed, the initial report mentioned two second-stage payloads. Reports from Guidepoint, Symantec, and Palo Alto Networks detailed how the attackers simultaneously implanted a .NET web shell called Supernova.
Security researchers believe that the attacker used the Supernova web shell to download, compile, and execute a malicious PowerShell script (which some researchers named CosmicGale).
However, in its follow-up analysis the Microsoft security team has now clarified that the Supernova web shell is not part of the original attack chain. Companies that find Supernova installed on their SolarWinds servers need to treat the incident as a separate attack.
According to a write-up on GitHub by Microsoft security analyst Nick Carr, the Supernova web shell appears to have been planted on SolarWinds Orion installations that were exposed online, by exploiting a vulnerability similar to the one tracked as CVE-2019-8917.
The confusion between Supernova and the Sunburst+Teardrop attack chain comes from the fact that, like Sunburst, Supernova is also disguised as a DLL of the Orion application: Sunburst is hidden in the SolarWinds.Orion.Core.BusinessLayer.dll file, and Supernova is hidden in App_Web_logoimagehandler.ashx.b6031896.dll.
But in an analysis report released late on Friday, December 18, Microsoft stated that, unlike the Sunburst DLL, the Supernova DLL was not signed with a legitimate SolarWinds digital certificate.
The fact that Supernova was not signed is considered highly unusual behavior for the attacker, who had previously shown a very high level of sophistication and attention to detail in its operations.
This includes spending months undetected inside SolarWinds’ internal network, adding placeholder (dummy) code to the Orion application in advance to disguise the later insertion of malicious code, and disguising that malicious code as if it had been written by SolarWinds developers.
These mistakes seem too obvious for the original attackers to have made, so Microsoft believes that this malware has nothing to do with the original SolarWinds supply chain attack.
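The signing difference described above gives defenders a simple triage pivot: enumerate the DLLs that ship with an Orion install, record their Authenticode status and signer, and look first at the two file names the article mentions. The script below is an added example written for this page, not code from Microsoft, SolarWinds or any of the cited reports; the install paths in `$SearchRoots` are assumptions about a typical deployment and should be adjusted to the server being examined.

```powershell
# Added example: inventory Authenticode signature status of DLLs under an Orion
# install and highlight the two DLL names discussed in the article.
# The search roots are assumptions about a default deployment, not values from the article.
function Get-OrionDllSignatureReport {
    param(
        [string[]]$SearchRoots = @(
            'C:\Program Files (x86)\SolarWinds\Orion',   # assumed service/application path
            'C:\inetpub\SolarWinds'                       # assumed web-site path (compiled App_Web_*.dll live here)
        )
    )

    # File names taken from the article; these are the only identifiers it provides.
    $watchList = @(
        'SolarWinds.Orion.Core.BusinessLayer.dll',     # Sunburst was hidden here, signed with a SolarWinds cert
        'App_Web_logoimagehandler.ashx.b6031896.dll'   # Supernova was hidden here, and was not signed
    )

    foreach ($root in $SearchRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        Get-ChildItem -LiteralPath $root -Filter '*.dll' -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

                [pscustomobject]@{
                    Path      = $_.FullName
                    Status    = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError, ...
                    Signer    = $signer                # empty when the file carries no signature
                    Sha256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    WatchList = ($watchList -contains $_.Name)
                    # Unsigned or tampered files are the triage signal the article describes.
                    NeedsReview = ($sig.Status -ne 'Valid')
                }
            }
    }
}

# Usage: show files that are unsigned/invalid or on the watch list first, then everything else.
Get-OrionDllSignatureReport |
    Sort-Object @{Expression = 'NeedsReview'; Descending = $true}, @{Expression = 'WatchList'; Descending = $true} |
    Format-Table -AutoSize Path, Status, Signer, WatchList, NeedsReview, Sha256
```

A `NotSigned` or `HashMismatch` result is a reason to look closer, not proof of compromise on its own: some compiled ASP.NET assemblies are legitimately unsigned, so compare the SHA-256 values against a known-good installation of the same Orion build or the vendor's published hashes before drawing conclusions, and preserve a copy of any flagged file for forensic analysis rather than deleting it in place.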