The report provides a detailed analysis of several malicious artifacts affecting the SolarWinds Orion product, identified by security firm FireEye as SUPERNOVA. According to SolarWinds' advisory, SUPERNOVA was not embedded in the Orion platform as a supply chain attack. Rather, the attacker placed it directly on the system hosting SolarWinds Orion and designed it to appear as part of the SolarWinds product.
The report describes the analysis of a PowerShell script that decodes and installs SUPERNOVA (a malicious webshell backdoor), which is embedded in a file called "App_Web_logoimagehandler.ashx". The SUPERNOVA malware allows remote operators to dynamically inject C# source code into the web portal provided by the SolarWinds software suite. The injected code is compiled and executed directly in memory.
The analysed file is an event log detailing the execution of a PowerShell script designed to perform Base64 decoding and install a 32-bit .NET dynamic link library (DLL) to the following location: "C:\inetpub\SolarWinds\bin\App_Web_logoimagehandler.ashx.b6031896.dll" (SHA-256 c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71). This DLL is a replacement for the legitimate SolarWinds DLL, patched with the SUPERNOVA Trojan backdoor.
Shown below is a portion of the event log, with the victim's details redacted, which indicates that the malicious PowerShell executes the legitimate SolarWinds application "E:\Program Files (x86)\SolarWinds\Orion\SolarWinds.BusinessLayerHost.exe".
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\";$f=\"C:\inetpub\SolarWinds\bin\App_Web_logoimagehandler.ashx.b6031896.dll\";$bs=[Convert]::FromBase64String($b);[IO.File]::WriteAllBytes($f $bs)' 'S-1-0-0' '-' '-' '0x0000000000000000' 'E:\Program Files (x86)\SolarWinds\Orion\SolarWinds.BusinessLayerHost.exe' 'S-1-16-16384'] Computer Name: [redacted].[redacted].net Record Number: 12551353 Event Level: 0
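The installer pattern visible in this log, a Base64 blob decoded with [Convert]::FromBase64String and written with [IO.File]::WriteAllBytes into C:\inetpub\SolarWinds\bin, is something a defender can hunt for in process-creation or script-block events. The Python below is an added example, not code from the report: it flags PowerShell command lines only when the decode call, the file write and an Orion web bin target path all co-occur, and it checks a file hash against the SHA-256 the report gives for the backdoored DLL. The sample events, their record numbers and the short Base64 placeholder are constructed; matching WriteAllText as well as WriteAllBytes is an assumed close variant, not something the report describes.

```python
"""Triage PowerShell command lines (e.g. from Windows 4688 or 4104 records) for
the SUPERNOVA installer pattern: Base64 decode + file write into the Orion web
bin directory. Added example; not code from the report."""
import hashlib
import re
from dataclasses import dataclass

# SHA-256 of the backdoored handler DLL, taken from the report.
SUPERNOVA_DLL_SHA256 = "c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71"

# Drop directory named in the report; the file name after it is captured.
ORION_WEB_BIN = re.compile(r'[A-Za-z]:\\inetpub\\SolarWinds\\bin\\[^\s"\\]+', re.IGNORECASE)
BASE64_DECODE = re.compile(r"\[Convert\]::FromBase64String", re.IGNORECASE)
# WriteAllBytes is the call in the report; WriteAllText is an assumed close variant.
FILE_WRITE = re.compile(r"\[IO\.File\]::WriteAll(Bytes|Text)", re.IGNORECASE)


@dataclass
class Finding:
    record: int
    dropped_path: str
    indicators: tuple


def inspect_command_line(record, cmdline):
    """Return a Finding only when decode, write and Orion drop path all co-occur."""
    indicators = []
    if BASE64_DECODE.search(cmdline):
        indicators.append("base64-decode")
    if FILE_WRITE.search(cmdline):
        indicators.append("file-write")
    paths = ORION_WEB_BIN.findall(cmdline)
    if paths:
        indicators.append("orion-web-bin-target")
    if len(indicators) == 3:
        return Finding(record, paths[0], tuple(indicators))
    return None


def scan_events(events):
    """events: iterable of (record_number, command_line) pairs."""
    return [f for rec, cmd in events if (f := inspect_command_line(rec, cmd)) is not None]


def sha256_of(path):
    """Hash a file on disk so it can be compared with the report's IoC."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_known_supernova_dll(sha256_hex):
    return sha256_hex.lower() == SUPERNOVA_DLL_SHA256


# Constructed sample events (record number, command line). The Base64 value is a
# placeholder, not the real payload; the record numbers are made up.
SAMPLE_EVENTS = [
    (1001, r'$b="TVqQAAMAAAAEAAAA";$f="C:\inetpub\SolarWinds\bin\App_Web_logoimagehandler.ashx.b6031896.dll";'
           r'$bs=[Convert]::FromBase64String($b);[IO.File]::WriteAllBytes($f,$bs)'),
    (1002, r'Get-ChildItem "C:\inetpub\SolarWinds\bin" | Measure-Object'),
    (1003, r'$x=[Convert]::FromBase64String("SGVsbG8=");[Text.Encoding]::UTF8.GetString($x)'),
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

Requiring all three indicators keeps ordinary Base64 decoding in scripts (the third sample event) out of the results; a hit still needs a hash comparison of the dropped file before it is treated as confirmed.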
The file is a 32-bit .NET DLL that has been identified as a modified SolarWinds plugin. The modification adds the "DynamicRun" export function, which accepts and parses the supplied parameters. The parameters are expected to contain C# source code, which the function compiles and executes directly in system memory. The purpose of the malware suggests that the attackers discovered a vulnerability that lets them supply a custom "HttpContext" data structure dynamically to the "ProcessRequest" function of a web application.
The ProcessRequest function takes the HttpContext data structure as a parameter. It uses the keys "codes", "clazz", "method" and "args" to parse parts of the Request substructure of the parent HttpContext, and places the parsed data in the variables codes, clazz, method and args respectively. These four variables are then passed as parameters to the DynamicRun function described below.
The "DynamicRun" function is designed to accept C# code, then compile and execute it dynamically. The "codes" variable supplied to this function contains the actual C# source code. The "clazz" variable provides the class name to be used when compiling the source code. The "method" variable contains the name of the method to be invoked on the newly compiled class. The "args" variable contains the arguments passed to the malicious class for execution.
After parsing and executing the provided code, the "ProcessRequest" function continues by calling the function named "WebSettingsDAL.get_NewNOCSiteLogo". The analysis shows that this is a valid SolarWinds function designed to render the product logo in the web application.
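Because ProcessRequest reads its instructions from the request under the keys "codes", "clazz", "method" and "args", requests to the logo handler that carry those parameter names are a usable detection signal, and the fall-through to the legitimate logo function means the response itself looks normal, so the request side is where to look. The Python below is an added example, not code from the report or from SolarWinds: it parses a constructed IIS W3C log using its #Fields: directive and flags requests to any URL ending in logoimagehandler.ashx whose query string contains those keys. The URL path, log lines and client addresses are constructed; the check only sees parameters in the query string, so parameters sent in a request body would need request-body logging to be visible.

```python
"""Flag HTTP requests to the Orion logo handler that carry the SUPERNOVA
parameter names ("codes", "clazz", "method", "args") in an IIS W3C log.
Added example; not code from the report."""
from dataclasses import dataclass
from urllib.parse import parse_qs

# Parameter names the report says ProcessRequest reads from the request.
SUPERNOVA_KEYS = {"codes", "clazz", "method", "args"}
# File name given in the report; the URL path in the sample log is assumed.
HANDLER_SUFFIX = "logoimagehandler.ashx"

# Constructed IIS W3C log, not from the report. Addresses are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2020-12-15 10:01:03 198.51.100.4 GET /Orion/logoimagehandler.ashx id=17 200
2020-12-15 10:02:44 203.0.113.7 GET /Orion/logoimagehandler.ashx codes=using+System%3Bclass+Run%7B%7D&clazz=Run&method=Main&args= 200
2020-12-15 10:03:10 198.51.100.4 GET /Orion/Login.aspx - 200
"""


@dataclass
class WebFinding:
    timestamp: str
    client_ip: str
    keys_seen: frozenset
    preview: str  # start of the submitted "codes" value, for triage


def iter_w3c_records(text):
    """Yield one dict per data line, naming columns from the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))


def inspect_request(rec):
    """Return a WebFinding if the request targets the logo handler with webshell keys."""
    if not rec.get("cs-uri-stem", "").lower().endswith(HANDLER_SUFFIX):
        return None
    query = rec.get("cs-uri-query", "-")
    if query == "-":  # IIS logs "-" for an empty query string
        return None
    params = parse_qs(query, keep_blank_values=True)
    seen = frozenset(k for k in params if k.lower() in SUPERNOVA_KEYS)
    if not seen:
        return None
    preview = params.get("codes", [""])[0][:40]
    return WebFinding(f'{rec["date"]} {rec["time"]}', rec["c-ip"], seen, preview)


def scan_iis_log(text):
    return [f for rec in iter_w3c_records(text) if (f := inspect_request(rec))]


if __name__ == "__main__":
    for finding in scan_iis_log(SAMPLE_LOG):
        print(finding)
```

The benign request with id=17 is not flagged, since none of the four names appear; a hit with all four names and a "codes" preview that reads as C# source is a strong indicator that the handler on that host should be hashed and compared with the report's IoC.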