New SUPERNOVA backdoor found in SolarWinds cyberattack analysis
#1
Quote:While analyzing artifacts from the SolarWinds Orion supply-chain attack, security researchers discovered another backdoor that is likely from a second threat actor.

Named SUPERNOVA, the malware is a webshell planted in the code of the Orion network and applications monitoring platform and enabled adversaries to run arbitrary code on machines running the trojanized version of the software.


Another trojanized Orion component

The webshell is a trojanized variant of a legitimate .NET library (app_web_logoimagehandler.ashx.b6031896.dll) present in the Orion software from SolarWinds, modified in a way that would allow it to evade automated defense mechanisms.

Orion software uses the DLL to expose an HTTP API, allowing the host to respond to other subsystems when querying for a specific GIF image.

In a technical report last week, Matt Tennis, Senior Staff Security Researcher at Palo Alto Networks, says that the malware could potentially slip past even manual analysis, since the code implemented in the legitimate DLL is innocuous and is of “relatively high quality.”

The analysis shows that the threat actor added four new parameters to the legitimate SolarWinds file to receive signals from the command and control (C2) infrastructure.

The malicious code contains only one method, DynamicRun, which compiles the parameters on the fly into a .NET assembly in memory, thus leaving no artifacts on the disk of a compromised device.

Continue reading HERE
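The post describes the webshell's mechanics (a trojanized LogoImageHandler DLL that accepts extra HTTP parameters and compiles them in memory), which suggests a straightforward hunting check on IIS logs: the legitimate handler only needs its image-lookup parameter, so any request to that endpoint carrying other parameters, and especially one whose value looks like C# source, stands out. The following is an added example written for this thread; it is not code from the original post, from Palo Alto Networks, or from SolarWinds. It assumes that the handler's only legitimate query parameter is `id`, and it treats the webshell parameter names `codes`, `clazz`, `method` and `args` (taken from public reporting, not from this post) as an assumption. The log lines are constructed, not real telemetry.

```python
"""Hunt for SUPERNOVA-style requests to Orion's LogoImageHandler in IIS W3C logs.

Added example for this thread, not code from the post, Palo Alto Networks or
SolarWinds. Assumptions: the handler legitimately accepts only the `id`
parameter; the webshell parameter names come from public reporting.
"""
import re
from urllib.parse import parse_qs

ENDPOINT = "logoimagehandler.ashx"
EXPECTED_PARAMS = {"id"}                                  # assumed legitimate set
WEBSHELL_PARAMS = {"codes", "clazz", "method", "args"}    # assumed, per public reporting
# Crude signature for "this parameter value is C# source, not an image id".
CODE_PATTERN = re.compile(r"\busing\s+System\b|\bclass\s+\w+\s*\{|\bpublic\s+static\b", re.I)

# Constructed sample log (W3C extended format as IIS writes it); not real data.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2020-12-15 10:01:02 10.0.0.5 GET /Orion/LogoImageHandler.ashx id=1 10.0.0.10 200
2020-12-15 10:01:05 10.0.0.5 GET /Orion/LogoImageHandler.ashx clazz=Test&method=Run&args=x&codes=using+System%3B+public+class+Test%7B+public+static+string+Run(string+a)%7B+return+a%3B+%7D+%7D 203.0.113.9 200
2020-12-15 10:01:07 10.0.0.5 GET /Orion/Images/logo.gif - 10.0.0.10 200
"""


def parse_w3c(text):
    """Yield one dict per request line, using the #Fields: directive for column names."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def assess_request(rec):
    """Return a finding dict for a suspicious LogoImageHandler request, else None."""
    if not rec.get("cs-uri-stem", "").lower().endswith(ENDPOINT):
        return None
    raw_query = rec.get("cs-uri-query", "-")
    query = {} if raw_query == "-" else parse_qs(raw_query, keep_blank_values=True)
    keys = {k.lower() for k in query}
    unexpected = sorted(keys - EXPECTED_PARAMS)
    if not unexpected:
        return None  # only the parameter the handler is supposed to take
    reasons = [f"unexpected parameters: {', '.join(unexpected)}"]
    severity = "medium"
    if WEBSHELL_PARAMS <= keys:
        reasons.append("all four SUPERNOVA-style parameters present")
        severity = "high"
    # parse_qs already URL-decodes values, so the regex sees plain text.
    if any(CODE_PATTERN.search(v) for vals in query.values() for v in vals):
        reasons.append("parameter value looks like C# source")
        severity = "high"
    return {
        "time": f"{rec.get('date', '')} {rec.get('time', '')}".strip(),
        "client": rec.get("c-ip"),
        "severity": severity,
        "unexpected_params": unexpected,
        "reasons": reasons,
    }


def scan_iis_log(text):
    """Run assess_request over every record in a W3C log and collect the findings."""
    return [f for f in (assess_request(r) for r in parse_w3c(text)) if f]


if __name__ == "__main__":
    for finding in scan_iis_log(SAMPLE_LOG):
        print(f"[{finding['severity']}] {finding['time']} {finding['client']}: "
              + "; ".join(finding["reasons"]))
```

Because the backdoor compiles the supplied code in memory, disk-based indicators are weak; the request log is where the activity is visible. The unexpected-parameter check is deliberately broader than the four known names so that a renamed variant is still caught, and the source-code regex catches the payload regardless of which parameter carries it.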

