
SUPERNOVA Malware Analysis

Introduction

This report provides a detailed analysis of several malicious artifacts affecting the SolarWinds Orion product, identified by the security firm FireEye as SUPERNOVA. According to SolarWinds’ advisory, SUPERNOVA was not embedded in the Orion platform as a supply chain attack. Rather, it was placed directly on the system hosting SolarWinds Orion by the attacker and designed to appear as part of the SolarWinds product.

The report describes the analysis of a PowerShell script that decodes and installs SUPERNOVA (a malicious webshell backdoor), which is embedded in a file called “App_Web_logoimagehandler.ashx”. SUPERNOVA allows remote operators to dynamically inject C# source code into the web portal provided by the SolarWinds software suite. The injected code is compiled and executed directly in memory.

290951fcc76b497f13dcb756883be3377cd3a4692e51350c92cac157fc87e515

This file is an event log recording the execution of a PowerShell script that decodes and writes a 32-bit .NET dynamic link library (DLL) to the following location: “C:\inetpub\SolarWinds\bin\App_Web_logoimagehandler.ashx.b6031896.dll” (c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71). That DLL is a legitimate SolarWinds DLL that has been patched with the SUPERNOVA Trojan and dropped as a replacement for the original.

Shown below is a portion of the event log, with the victim details redacted. It shows that the malicious PowerShell runs under the legitimate SolarWinds process “E:\Program Files (x86)\SolarWinds\Orion\SolarWinds.BusinessLayerHost.exe”.

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\”;$f=\”C:\inetpub\SolarWinds\bin\App_Web_logoimagehandler.ashx.b6031896.dll\”;$bs=[Convert]::FromBase64String($b);[IO.File]::WriteAllBytes($f $bs)’ ‘S-1-0-0’ ‘-‘ ‘-‘ ‘0x0000000000000000’ ‘E:\Program Files (x86)\SolarWinds\Orion\SolarWinds.BusinessLayerHost.exe’ ‘S-1-16-16384’] Computer Name: [redacted].[redacted].net Record Number: 12551353 Event Level: 0

c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71

The file is a 32-bit .NET DLL that has been identified as a modified SolarWinds plugin. The modification adds a “DynamicRun” function, which is designed to accept and parse the supplied parameters. The parameters are expected to contain C# code, which the function compiles and executes directly in system memory. The purpose of the modification suggests that the attackers have discovered a way to supply a custom “HttpContext” data structure dynamically to the “ProcessRequest” function of the web application.

The ProcessRequest function takes the HttpContext data structure as a parameter. It uses the keys “codes”, “clazz”, “method” and “args” to parse some parts of the request substructure of the parent HttpContext data structure. The parsed data is placed in the corresponding variable codes, clazz, method and args. These four variables are then provided as parameters to the DynamicRun function described below.

The “DynamicRun” function is designed to accept C# code, then compile and execute it dynamically. The “codes” variable supplied to this function contains the actual C# code. The “clazz” variable provides the class name to be used when compiling the source code. The “method” variable contains the name of the function to be called on the newly compiled class. The “args” variable contains the arguments passed to the malicious class for execution.

After parsing and executing the supplied code, the “ProcessRequest” function goes on to call the function named “WebSettingsDAL.get_NewNOCSiteLogo”. The analysis shows that this is a valid SolarWinds function designed to render the product logo in the web application, so the handler still returns its expected response.
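Because the backdoor reads its code and invocation details from the request keys named above, requests to the logo handler that carry those keys are a direct detection signal. The following is an added example (not from the original report) that scans IIS W3C log lines for that pattern; the log lines are constructed sample data, and the `/Orion/` path prefix and field layout are assumptions about the deployment.

```python
from urllib.parse import parse_qs

# Query-string keys the trojanized handler reads from HttpContext.Request (named in the analysis above).
SUPERNOVA_KEYS = {"codes", "clazz", "method", "args"}
# Handler file the patched DLL serves (from the analysis above).
HANDLER_NAME = "logoimagehandler.ashx"

# Constructed sample IIS W3C log (not real victim data); field order follows the #Fields header.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-12-14 09:12:01 10.0.0.5 GET /Orion/logoimagehandler.ashx id=1 443 - 10.0.0.20 Mozilla/5.0 200
2020-12-14 09:12:07 10.0.0.5 GET /Orion/logoimagehandler.ashx codes=%5BPLACEHOLDER%5D&clazz=Example&method=Run&args=x 443 - 198.51.100.7 python-requests/2.25 200
2020-12-14 09:13:40 10.0.0.5 POST /Orion/logoimagehandler.ashx clazz=A&method=B 443 - 198.51.100.7 curl/7.64 200
2020-12-14 09:14:02 10.0.0.5 GET /Orion/Login.aspx - 443 - 10.0.0.21 Mozilla/5.0 200
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the most recent #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ", len(fields) - 1)
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))


def classify(entry):
    """Return 'supernova' (all four keys), 'suspicious' (some keys), or None for one entry."""
    if not entry.get("cs-uri-stem", "").lower().endswith(HANDLER_NAME):
        return None
    query = entry.get("cs-uri-query", "-")
    # parse_qs URL-decodes values, so an encoded payload in "codes" is still keyed correctly.
    keys = {k.lower() for k in parse_qs(query, keep_blank_values=True)} if query != "-" else set()
    hit = keys & SUPERNOVA_KEYS
    if hit == SUPERNOVA_KEYS:
        return "supernova"
    return "suspicious" if hit else None


def scan(text):
    """Return (client ip, verdict, query string) for every flagged line in a W3C log."""
    results = []
    for entry in parse_w3c(text):
        verdict = classify(entry)
        if verdict:
            results.append((entry["c-ip"], verdict, entry["cs-uri-query"]))
    return results
```

IIS logs record only the query string, so the same parameters sent in a POST body would not appear here; pair this check with the file hash of the handler DLL and with web server request-body logging where available.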


IOCs
