The investigation of the SolarWinds Orion supply-chain attack revealed the existence of another backdoor that was likely used by a separate threat actor.
After the initial disclosure of the SolarWinds attack, several teams of researchers reported the existence of two distinct second-stage payloads.
Researchers from Palo Alto Networks revealed that the malicious code is a tainted version of the legitimate .NET library “app_web_logoimagehandler.ashx.b6031896.dll” included in the SolarWinds Orion software.
“In the analysis of the trojanized Orion artifacts, the .NET .dll app_web_logoimagehandler.ashx.b6031896.dll was dubbed SUPERNOVA, but little detail of its operation has been publicly explored.” reads the analysis published by Palo Alto Networks.
“SUPERNOVA differs dramatically in that it takes a valid .NET program as a parameter. The .NET class, method, arguments and code data are compiled and executed in-memory. There are no additional forensic artifacts written to disk, unlike low-level webshell stagers, and there is no need for additional network callbacks other than the initial C2 request. In other words, the SolarStorm attackers have constructed a stealthy and full-fledged .NET API embedded in an Orion binary, whose user is typically highly privileged and positioned with a high degree of visibility within an organization’s network.”
At the time of this writing, it is not possible to determine when the SUPERNOVA backdoor was first implanted in the Orion software: the file's Creation Time is 2020-03-24 09:16:10, while its First Submission is dated 2020-11-24 19:55:35.
Orion uses the DLL to expose an HTTP API. Experts pointed out that the malicious code is of relatively high quality and looks innocuous inside the benign .dll, which lets it bypass defensive measures and potentially even manual review.
The threat actor added four new parameters in the legitimate SolarWinds file to receive instructions from the command and control (C2) infrastructure.
clazz  - C# class name to instantiate
method - method of class clazz to invoke
args   - arguments, newline-split and passed as positional parameters to method
codes  - .NET assemblies and namespaces for compilation
The four C2 parameters are processed and then passed to the malicious method DynamicRun(), which compiles the supplied code on the fly into a .NET assembly in memory and invokes the requested method. Because nothing is written to disk, the technique leaves no file artifacts for disk-based detection.
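Since the backdoor is driven entirely by those four query-string parameters on an HTTP handler that is otherwise legitimate, the web server log is the natural place to hunt for it. The script below is an added example written for this article, not code from Palo Alto Networks, SolarWinds or the threat actor; it assumes IIS W3C extended logs with a "#Fields:" header, and the log lines embedded in it are constructed, not captured from a real incident. A request to the logoimagehandler.ashx endpoint carrying any of clazz, method, args or codes is flagged; all four together is treated as high confidence.

```python
"""Hunt for SUPERNOVA-style requests in IIS W3C extended logs.

Added example for this write-up (not from the original analysis). Assumes the
IIS W3C format with a '#Fields:' header; the SAMPLE_LOG below is constructed.
"""
from urllib.parse import parse_qs

# The four C2 parameters SUPERNOVA reads from the request.
SUSPECT_PARAMS = {"clazz", "method", "args", "codes"}
# The handler the trojanized DLL serves (compared case-insensitively).
HANDLER_NAME = "logoimagehandler.ashx"

# Constructed sample log. Line 2 looks like the benign handler being used
# (an 'id' parameter is an assumption for the benign case), line 3 carries all
# four backdoor parameters, line 4 is a POST whose body is not logged, and
# line 5 uses 'clazz' against an unrelated page.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2020-11-24 19:55:35 10.0.0.5 GET /Orion/Images/LogoImageHandler.ashx id=1 10.0.0.77 200
2020-11-24 19:57:01 10.0.0.5 GET /orion/images/LogoImageHandler.ashx clazz=Runner&method=Go&args=&codes=using+System%3B 203.0.113.9 200
2020-11-24 19:58:10 10.0.0.5 POST /Orion/Images/LogoImageHandler.ashx - 203.0.113.9 200
2020-11-24 19:59:44 10.0.0.5 GET /Orion/Login.aspx clazz=x 10.0.0.77 200
"""


def parse_w3c(lines):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue  # malformed or header not seen yet
        yield dict(zip(fields, values))


def classify(record):
    """Return a finding dict for a suspicious record, or None."""
    stem = record.get("cs-uri-stem", "").lower()
    if not stem.endswith(HANDLER_NAME):
        return None
    query = record.get("cs-uri-query", "")
    if query == "-":
        query = ""  # IIS logs '-' when there is no query string
    # parse_qs URL-decodes the keys; ASP.NET treats parameter names
    # case-insensitively, so we lower-case them before matching.
    keys = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
    hits = keys & SUSPECT_PARAMS
    if not hits:
        return None
    return {
        "time": f"{record.get('date')} {record.get('time')}",
        "client": record.get("c-ip"),
        "method": record.get("cs-method"),
        "params": sorted(hits),
        "confidence": "high" if hits == SUSPECT_PARAMS else "medium",
    }


def scan(log_text):
    """Run classify() over every record in the log and collect the findings."""
    findings = []
    for record in parse_w3c(log_text.splitlines()):
        finding = classify(record)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

One caveat the sample deliberately includes: the POST on line 4 is not flagged, because IIS only logs the query string, not the request body. Parameters sent in a POST body to the same handler are invisible here, so this check should be paired with a content-level source (a WAF or reverse-proxy body log, or a file-hash check of the DLL itself) rather than relied on alone.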
“The malware is secretly implanted onto a server, it receives C2 signals remotely and executes them in the context of the server user.” continues the analysis.
Researchers from Microsoft believe that the SUPERNOVA backdoor is the work of a second advanced persistent threat.
“In an interesting turn of events, the investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor” reads the post published by Microsoft.
(SecurityAffairs – hacking, SolarWinds)