The ongoing investigation into the SolarWinds supply chain cyberattack indicates the involvement of another APT group.
According to the new digital evidence analyzed by Microsoft 365 Defender Research Team, two separate threat actors might have abused SolarWinds’s Orion software. The latest threat actor dropped a similar backdoor on the targeted systems.
However, Microsoft didn’t share any name of the malware. It simply claims an additional malware in the Orion software code was identified that is most likely “unrelated to this compromise and used by a different threat actor.”
Trojanized Component in Orion Software Code
The Senior Staff Security Researcher at Palo Alto Networks, Matt Tennis, has named the backdoor installed in the SolarWinds Orion software.
Tennis reported last week that the SUPERNOVA webshell was injected in the Orion software code to run arbitrary code on machines running the software’s trojanized version.
SUPERNOVA Backdoor- A Bigger Threat?
SUPERNOVA is a trojanized variant of the legitimate .NET library (app_web_logoimagehandler.ashx.b6031896.dll), modified to allow the Orion software to evade automated defense mechanisms.
Orion software utilizes the DLL for exposing an HTTP API to help the host respond to other subsystems while querying for a certain GIF image.
Tennis claims that although .NET webshells are quite common, using a valid .NET program as a parameter to perform in-memory code execution is rare and makes SUPERNOVA a bigger threat.
It basically eliminates the involvement of additional network callbacks. On the other hand, other webshells run their payloads either in the runtime environment context or by calling a process/subshell such as Bash, CMD, or PowerShell.
One reason could be that SUPERNOVA doesn’t possess a digital signature, while the Sunburst/Solarigate malware, which trojanized the SolarWinds.Orion.Core.BusinessLayer.Dll library, had one.
The High-Quality Code
The SUPERNOVA malware code implemented in the legitimate DLL is of “relatively high quality” yet innocuous, stated Tennis.
He further revealed in a report published last week that the threat actor added four new parameters in the original SolarWinds file to receive signals from the C&C infrastructure.
The malware sample is currently available on VirusTotal, and almost 55 out of the 69 antivirus engines have detected it.
Malicious Code has Just One Method
It is identified that SUERNOVA’s code contains just a single method, dubbed DynamicRun. The method compiles the four parameters into a .NET assembly in memory. Hence, no artifacts are left on the compromised device’s disk.
Moreover, the attacker can send arbitrary code to the infected device to run it in the user’s context, mostly with high privileges and network visibility.
At the moment, it isn’t clear for how long the backdoor was installed in the Orion software. Intezer’s malware analysis indicated a compilation timestamp dating back to March 24, 2020.
A Second Hacker?
It is speculated that SUPERNOVA is used by a different adversary than the one who attacked FireEye and half a dozen US government organizations.
The malware has all the hallmarks of an advanced and sophisticated hacking group that has taken webshell compromise to a whole new level.
Initial SolarWinds Supply Chain Breach
Microsoft and Palo Alto Networks both have confirmed that SolarWinds’ Orion software breach is an APT group’s work. The supply chain attack was initially reported on December 8th when FireEye confirmed being targeted by a state-backed group that stole its Red Team assessment tools.
On December 13, SolarWinds announced that it was hacked and its software channel was compromised to puts out malicious updates on approx. 18,000 of its Orion platform users, referring to an ongoing supply chain attack.
This attack victim list is expanding day-by-day. It includes several US government entities, including the US Treasury and Commerce Department, Department of Homeland Security, US National Nuclear Security Administration, FireEye, and Microsoft.