While analyzing the recent SolarWinds supply-chain attack, security researchers have found a second backdoor, suggesting the involvement of another hacker group unrelated to the suspected government-backed threat actor that compromised SolarWinds to taint its official Orion software with malware.
Tracked as Supernova, the backdoor is a webshell injected into SolarWinds Orion code that would allow threat actors to execute arbitrary code on systems running the compromised version of Orion. The Supernova web shell was used to download, compile and execute a malicious PowerShell script (dubbed CosmicGale by some researchers). Additionally, Supernova does not carry a digital signature, unlike the initially discovered Sunburst/Solarigate malware that trojanized the SolarWinds.Orion.Core.BusinessLayer.Dll library, which may indicate that a second hacker group is at work.
According to Palo Alto, the webshell is a malicious version of a legitimate .NET library (app_web_logoimagehandler.ashx.b6031896.dll) present in the Orion app, a choice designed to let it stay hidden from automated defenses.
The Orion software uses this DLL to expose an HTTP API that lets the host respond to other subsystems querying for a specific GIF image.
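The two facts above that a defender can act on are the name of the replaced DLL and the observation that the Supernova copy carries no digital signature. The following script, an added example that is not part of the article and not tooling from Palo Alto or SolarWinds, sweeps a directory tree (the root path is an assumption) for files with that name and flags any whose PE header has an empty Authenticode certificate table. It parses the PE optional header directly, so it needs nothing beyond the Python standard library, and it builds two constructed sample files to exercise itself.

```python
"""Heuristic sweep for unsigned copies of the Orion image-handler DLL.

Added example, not from the article or from SolarWinds/Palo Alto. It only
checks whether a PE file carries an Authenticode certificate table at all;
a signature that is present still has to be verified with platform tools.
"""
import os
import struct
import tempfile

# DLL name taken from the article; the directory to sweep is an assumption.
TARGET_NAME = "app_web_logoimagehandler.ashx.b6031896.dll"
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data-directory index of the certificate table


def security_directory(pe_bytes):
    """Return (file_offset, size) of the certificate table, or None if not a PE."""
    try:
        if pe_bytes[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
        if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        opt_off = e_lfanew + 4 + 20           # skip signature and 20-byte COFF header
        magic = struct.unpack_from("<H", pe_bytes, opt_off)[0]
        if magic == 0x10B:                    # PE32: data directories start at +96
            dd_off = opt_off + 96
        elif magic == 0x20B:                  # PE32+: data directories start at +112
            dd_off = opt_off + 112
        else:
            return None
        num_rva = struct.unpack_from("<I", pe_bytes, dd_off - 4)[0]
        if num_rva <= IMAGE_DIRECTORY_ENTRY_SECURITY:
            return (0, 0)                     # no certificate-table entry at all
        return struct.unpack_from("<II", pe_bytes, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    except struct.error:
        return None                           # truncated header


def is_signed(pe_bytes):
    """True when the PE carries a non-empty certificate table (a signature is attached)."""
    sec = security_directory(pe_bytes)
    return sec is not None and sec[1] > 0


def scan(root):
    """Return paths under root named like the Orion handler DLL but lacking a signature."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() != TARGET_NAME:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if security_directory(data) is not None and not is_signed(data):
                findings.append(path)
    return findings


def build_sample_pe(signed):
    """Construct a minimal PE32 header (not loadable) for demonstration only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                 # NumberOfRvaAndSizes
    if signed:
        # point the certificate table at a dummy 8-byte blob appended after the headers
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x138, 8)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + b"\0" * 8


def demo():
    """Write one signed-looking and one unsigned sample into a temp dir and sweep it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "signed"))
        os.makedirs(os.path.join(root, "unsigned"))
        with open(os.path.join(root, "signed", TARGET_NAME), "wb") as fh:
            fh.write(build_sample_pe(signed=True))
        with open(os.path.join(root, "unsigned", TARGET_NAME), "wb") as fh:
            fh.write(build_sample_pe(signed=False))
        return [os.path.relpath(p, root) for p in scan(root)]


if __name__ == "__main__":
    for hit in demo():
        print("UNSIGNED:", hit)
```

The check is deliberately a first-pass triage, not a verdict: an attached certificate table proves nothing about whether the signature chains to SolarWinds, so every hit and every non-hit in a real sweep should be confirmed with Authenticode verification (for example `Get-AuthenticodeSignature` in PowerShell) and a hash comparison against a known-good copy of the DLL.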
“SUPERNOVA differs dramatically in that it takes a valid .NET program as a parameter. The .NET class, method, arguments and code data are compiled and executed in-memory. There are no additional forensic artifacts written to disk, unlike low-level webshell stagers, and there is no need for additional network callbacks other than the initial C2 request,” the researchers said. “In other words, the attackers have constructed a stealthy and full-fledged .NET API embedded in an Orion binary, whose user is typically highly privileged and positioned with a high degree of visibility within an organization’s network. The attackers can then arbitrarily configure SolarWinds (and any local operating system feature on Windows exposed by the .NET SDK) with malicious C# code. The code is compiled on the fly during benign SolarWinds operation and is executed dynamically.”
Researchers have not been able to determine when the Supernova backdoor was first introduced in the Orion software.
Multiple researchers have put together lists of organizations that were affected by the SolarWinds supply-chain attack and had their internal systems infected with the Sunburst malware. The lists include tech companies, local governments, universities, hospitals, banks, and telecom providers; Cisco, SAP, Intel, VMware, Cox Communications, Deloitte, Nvidia, Fujitsu, Belkin, Amerisafe, Lukoil, Rakuten, Check Point, Optimizely, Digital Reach, and Digital Sense are among those named.