CISA identifies SUPERNOVA malware

On April 22, the Cybersecurity and Infrastructure Security Agency (CISA) released information about newly discovered malware. CISA recently responded to an advanced persistent threat (APT) actor’s long-term compromise of an entity’s enterprise network, which began in at least March 2020. The threat actor connected to the entity’s network via a Pulse Secure virtual private network (VPN) appliance, moved laterally to its SolarWinds Orion server, installed malware referred to by security researchers as SUPERNOVA (a .NET webshell), and collected credentials.

SUPERNOVA is a malicious webshell backdoor that allows a remote operator to dynamically inject C# source code into a web portal and subsequently execute that code. APT actors use SUPERNOVA to perform reconnaissance, conduct domain mapping, and steal sensitive information and credentials. (Note: for more information on SUPERNOVA, refer to Malware Analysis Report MAR-10319053-1.v1 – SUPERNOVA.) According to a SolarWinds advisory, SUPERNOVA is not embedded within the Orion platform as a supply chain attack; rather, an attacker places it directly on a system that hosts SolarWinds Orion, and it is designed to appear as part of the SolarWinds product.[1] CISA assesses that this is a separate actor from the APT actor responsible for the SolarWinds supply chain compromise described in Alert AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations. Organizations that find SUPERNOVA on their SolarWinds installations should treat this incident as a separate attack.
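Because the advisory says SUPERNOVA is placed directly on the Orion host and made to look like part of the product, one practical hunt is a file-integrity baseline of the web application directory: snapshot the hashes of the web-facing code files (.dll, .ashx, .aspx, .asmx, .config), then re-scan and report anything added or changed. The script below is an added example written for this page, not code from CISA or SolarWinds; the directory layout and file names in `run_demo()` are constructed for illustration and are not real Orion or SUPERNOVA artifacts.

```python
"""Baseline-and-diff integrity check for a web application directory.

Added example (not CISA or SolarWinds code). Point it at the real web root
once to build a baseline, then re-run it after a suspected incident to list
files that were added, removed or modified since the baseline was taken.
"""
import hashlib
import json
import os
import sys
import tempfile
from pathlib import Path

# Web-facing code/config files a planted webshell would typically hide among.
WATCHED_SUFFIXES = (".dll", ".ashx", ".aspx", ".asmx", ".config")


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large DLLs do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path, suffixes=WATCHED_SUFFIXES) -> dict:
    """Map each watched file (path relative to root, '/'-separated) to its hash."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            rel = str(path.relative_to(root)).replace(os.sep, "/")
            baseline[rel] = hash_file(path)
    return baseline


def compare_to_baseline(root: Path, baseline: dict, suffixes=WATCHED_SUFFIXES) -> dict:
    """Re-scan root and report files added, removed or modified vs. the baseline."""
    current = build_baseline(root, suffixes)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
    }


def run_demo() -> dict:
    """Constructed scenario: baseline a fake web root, then plant a new handler
    and alter an existing DLL, and return the diff report. File names here are
    invented for the demo and are not real Orion or SUPERNOVA file names."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "vendor.dll").write_bytes(b"vendor build 1")
        (root / "Default.aspx").write_bytes(b"<%@ Page %>")
        (root / "readme.txt").write_bytes(b"not watched")  # wrong suffix, ignored
        baseline = build_baseline(root)

        # Simulated post-compromise state: one file tampered with, one dropped in.
        (root / "bin" / "vendor.dll").write_bytes(b"vendor build 1 + extra bytes")
        (root / "handler.ashx").write_bytes(b"<%@ WebHandler %>")
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    # Usage:  script.py baseline <webroot> <baseline.json>
    #         script.py check    <webroot> <baseline.json>
    if len(sys.argv) != 4 or sys.argv[1] not in ("baseline", "check"):
        print(__doc__)
        sys.exit(2)
    mode, webroot, store = sys.argv[1], Path(sys.argv[2]), Path(sys.argv[3])
    if mode == "baseline":
        store.write_text(json.dumps(build_baseline(webroot), indent=2))
        print(f"baseline written to {store}")
    else:
        report = compare_to_baseline(webroot, json.loads(store.read_text()))
        print(json.dumps(report, indent=2))
```

The baseline must be captured from a known-good state (for example right after a clean install or upgrade) and stored off the host, since an actor with access to the server could otherwise rewrite it; any "added" or "modified" entry under a path the vendor does not ship should be pulled for analysis rather than trusted because of its name.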

This report provides tactics, techniques, and procedures (TTPs) CISA observed during an incident response engagement. (Note: this threat actor targeted multiple entities in the same period; some information in this Analysis Report is informed by other related incident response engagements and CISA’s public and private sector partners.) This APT actor has used opportunistic tradecraft, and much is still unknown about its TTPs.

For a downloadable copy of indicators of compromise (IOCs) associated with this malware, see AR21-112A.stix and Malware Analysis Report MAR-10319053-1.v1.stix.

Source: CISA