CISA releases new malware analysis on Supernova

The Cybersecurity and Infrastructure Security Agency (CISA) has released a new malware analysis of Supernova, malware that affects unpatched SolarWinds Orion installations.

Notably, Supernova was not delivered through the supply chain as part of the Orion platform. Instead, attackers installed the malware directly on systems hosting SolarWinds Orion and disguised it as part of the SolarWinds product.

CISA's new Malware Analysis Report (AR21-027A) describes Supernova as follows:

“This report describes the analysis of a PowerShell script that decodes and installs SUPERNOVA, a malicious webshell backdoor. SUPERNOVA is embedded in a trojanized version of the Solarwinds Orion Web Application module called ‘App_Web_logoimagehandler.ashx.b6031896.dll.’ The SUPERNOVA malware allows a remote operator to dynamically inject C# source code into a web portal provided via the SolarWinds software suite. The injected code is compiled and directly executed in memory.”
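The report above describes a webshell that takes C# source from an HTTP request to the trojanized logo image handler, compiles it and runs it in memory. One defender-side consequence is that the compromised handler receives requests a genuine logo image handler never would. The following is an added detection example, not code from CISA, SolarWinds or the report itself: it parses W3C-format IIS logs and flags requests to `logoimagehandler.ashx` whose query string carries the code-injection parameter names (`codes`, `clazz`, `method`, `args`) reported in public analyses of SUPERNOVA; those names, the log field layout and the log lines are all assumptions constructed for this example.

```python
"""Flag IIS requests to the SolarWinds Orion logo image handler that carry
SUPERNOVA-style code-injection parameters.

Added detection example, not code from CISA or SolarWinds. The parameter names
(codes, clazz, method, args) are taken from public analyses of the SUPERNOVA
webshell and are assumed here; the log lines and field layout are constructed.
"""
from urllib.parse import parse_qs

# Constructed W3C IIS log excerpt. The #Fields line names the columns; the
# third record carries the injection parameters, the others are benign traffic.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2021-01-15 10:02:11 10.0.0.5 GET /Orion/Login.aspx - 443 - 10.0.0.7 200
2021-01-15 10:02:12 10.0.0.5 GET /Orion/logoimagehandler.ashx id=1 443 - 10.0.0.7 200
2021-01-15 10:03:40 10.0.0.5 GET /Orion/LogoImageHandler.ashx clazz=Foo&method=Run&args=x&codes=dXNpbmc 443 - 203.0.113.9 200
2021-01-15 10:04:01 10.0.0.5 POST /Orion/logoimagehandler.ashx - 443 - 203.0.113.9 200
"""

# Query parameter names associated with the webshell's dynamic compile-and-run
# path (assumed from public analyses; not on the page being edited).
INJECTION_PARAMS = {"codes", "clazz", "method", "args"}
HANDLER = "logoimagehandler.ashx"


def parse_iis_log(text):
    """Yield one dict per record, naming columns from the #Fields header line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record: skip rather than misalign columns
        yield dict(zip(fields, values))


def find_supernova_requests(text):
    """Return (client ip, uri stem, matched params) for handler requests whose
    query string names any of the injection parameters."""
    hits = []
    for rec in parse_iis_log(text):
        if not rec["cs-uri-stem"].lower().endswith(HANDLER):
            continue
        query = rec["cs-uri-query"]
        if query == "-":
            continue  # IIS writes '-' when there is no query string
        params = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
        matched = sorted(params & INJECTION_PARAMS)
        if matched:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], matched))
    return hits


if __name__ == "__main__":
    for client, stem, params in find_supernova_requests(SAMPLE_IIS_LOG):
        print(f"suspicious request from {client} to {stem}: params={params}")
```

Standard IIS logs record only the query string, so parameters sent in a POST body (the fourth constructed record) are invisible to this check; covering that path needs request-body logging at a reverse proxy or WAF. The match on the URI stem is case-insensitive because IIS treats the handler path that way.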

SolarWinds had previously released an updated security advisory on the Supernova malware, describing it as a threat vector separate from the previously reported supply chain attack based on the Sunburst backdoor. That update also included new information on the zero-day vulnerability CVE-2020-10148 and a proof-of-concept (PoC) demonstration.

On a related note, CISA also warned that the recent compromise of SolarWinds by threat actors posed a ‘grave risk’ to critical infrastructure, government, and private sector organizations.