S0578 SUPERNOVA
SUPERNOVA is an in-memory web shell written in .NET C#. It was discovered in November 2020 during the investigation of APT29's SolarWinds cyber operation but determined to be unrelated. Subsequent analysis suggests SUPERNOVA may have been used by the China-based threat group SPIRAL.[1][2][3][4][5]
| Item | Value |
|---|---|
| ID | S0578 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 18 February 2021 |
| Last Modified | 23 April 2021 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | SUPERNOVA had to receive an HTTP GET request containing a specific set of parameters in order to execute.[1][2] |
| enterprise | T1203 | Exploitation for Client Execution | SUPERNOVA was installed via exploitation of a SolarWinds Orion API authentication bypass vulnerability (CVE-2020-10148).[6][7] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | SUPERNOVA has masqueraded as a legitimate SolarWinds DLL.[1][2] |
| enterprise | T1027 | Obfuscated Files or Information | SUPERNOVA contained Base64-encoded strings.[4] |
| enterprise | T1505 | Server Software Component | - |
| enterprise | T1505.003 | Web Shell | SUPERNOVA is a web shell.[2][1][4] |
References
1. Riley, W. (2020, December 1). SUPERNOVA SolarWinds .NET Webshell Analysis. Retrieved February 18, 2021.
2. Tennis, M. (2020, December 17). SUPERNOVA: A Novel .NET Webshell. Retrieved February 22, 2021.
3. SolarWinds. (2020, December 24). SolarWinds Security Advisory. Retrieved February 22, 2021.
4. CISA. (2021, January 27). Malware Analysis Report (AR21-027A). Retrieved February 22, 2021.
5. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers. Retrieved January 5, 2021.
6. Carnegie Mellon University. (2020, December 26). SolarWinds Orion API authentication bypass allows remote command execution. Retrieved February 22, 2021.
7. Stoner, J. (2021, January 21). Detecting Supernova Malware: SolarWinds Continued. Retrieved February 22, 2021.