New SUPERNOVA Backdoor Found in SolarWinds Cyberattack Analysis

The four specifications codes, clazz, approach and args are passed by means of GET query string to the trojanized logo design handler element.


The attackers can then arbitrarily configure SolarWinds (and any local operating system function on Windows exposed by the.NET SDK) with malicious C# code. The code is assembled on the fly during benign SolarWinds operation and is performed dynamically.

The implant itself is a trojanized copy of app_web_logoimagehandler. ashx.b6031896.dll, which is an exclusive SolarWinds.NET library that exposes an HTTP API. The endpoint serves to react to queries for a specific.gif image from other components of the Orion software application stack.

The code is crafted to accept the parameters as parts of a valid.NET program, which is then compiled in memory. No executable is dropped and thus the webshells execution averts most defender endpoint detections.

These criteria are then carried out in a customized approach that just invokes the underlying operating system.

A webshell is typically malware reasoning embedded in a script page and is most often implemented in an interpreted shows language or context (commonly PHP, Java JSP, VBScript and JScript ASP, and C# ASP.NET).

An analysis reports the detection of a backdoor possibly established by the unknown hacking group involved in the attack; referred to as Supernova, this is a web shell injected into SolarWinds Orion code that would enable hazard actors to carry out arbitrary code on systems that utilize the jeopardized variation of the product.

The webshell will get commands from a remote server and will perform in the context of the web servers underlying runtime environment.

By leveraging the integrated trust of system administrators and routine tool patching, the webshell was implanted without raising any conventional alerts.

SUPERNOVA takes a valid.NET program as a parameter. The.NET class, method, arguments and code data are compiled and performed in memory. There is no need for additional network callbacks besides the initial C2 request.

The SUPERNOVA webshell is also obviously designed for secondary or upgraded persistence, however its novelty goes far beyond the standard webshell malware.

The assailant might send out a demand to the embedded webshell online or through an internally jeopardized system.

Implant Phase

The opponents have actually developed a full-grown and silent. NET API embedded in an Orion binary, whose user is typically highly fortunate and located with a high degree of visibility within an organizations network.

Technical Overview

Techniques, strategies and procedures

The malware is secretly ingrained onto a server, and after that receives C2 signals from another location and executes them in the context of the server user.


Apart from avoiding detections, the SolarStorm actors were skilled enough to deliberately conceal their traffic and behaviour in plain sight and to prevent leaving trace evidence behind.

According to the researchers, just by arranging several security home appliances and applications in a single pane can protectors discover these attacks.

Yet, SUPERNOVA is effective due to its in-memory execution, elegance in its specifications and execution and versatility by carrying out a complete programmatic API to the.NET runtime.

Palo Alto Networks consumers are secured by the following:

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity, and hacking news updates.

Network defense orchestration with Cortex XSOAR.

SUPERNOVA takes a valid.NET program as a parameter. The.NET class, technique, arguments and code data are put together and executed in memory. There is no requirement for extra network callbacks other than the preliminary C2 request.

The implant itself is a trojanized copy of app_web_logoimagehandler. The endpoint serves to respond to questions for a specific.gif image from other elements of the Orion software application stack.