DETECTION OVERVIEW

SUPERNOVA Web Shell

Risk Factors

SolarWinds Orion Platform vulnerabilities and the SUPERNOVA malware are well known. An unauthenticated attacker can run commands on servers with SUPERNOVA installed. This web shell can help an attacker establish command-and-control (C&C) communication, maintain a persistent presence on the network, and achieve attack campaign objectives.

Kill Chain

Command-and-Control

Risk Score

Attack Background

Attackers exploit a SolarWinds Orion API authentication bypass vulnerability to install the SUPERNOVA malware, which is a .NET web shell. The web shell can disguise C&C activity by impersonating a SolarWinds web service that retrieves logo images. The web shell also leverages the SolarWinds .NET library to compile code on the victim. When the attacker wants to run a command on the victim, the attacker sends an HTTP request for the logoimagehandler.ashx resource with custom parameters: args, clazz, codes, and method. These parameters enable the malware to compile and run the malicious code. After the code runs, the victim sends an HTTP response to the attacker with the status code of 200 and the content-type of "text/plain". SUPERNOVA malware is unsigned, differentiating it from the SUNBURST supply-chain attack on the SolarWinds Orion Platform.

Mitigation Options

Upgrade the Orion Platform: 2019.4 HF 6, 2020.2.1 HF 2, 2019.2 SUPERNOVA Patch, 2018.4 SUPERNOVA Patch, or 2018.2 SUPERNOVA Patch

Professional Services

Partners

Partner Login

Partner Finder

View All Use Cases

View All Industries

View All Integrations

Attack Background

Mitigation Options

MITRE ATT&CK ID

What else can RevealX do for you?

View our Periodic Table of use cases