1. Home
  2. Software
  3. SUPERNOVA

SUPERNOVA

SUPERNOVA is an in-memory web shell written in .NET C#. It was discovered in November 2020 during the investigation of APT29's SolarWinds cyber operation but determined to be unrelated. Subsequent analysis suggests SUPERNOVA may have been used by the China-based threat group SPIRAL.[1][2][3][4][5]

ID: S0578
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 18 February 2021
Last Modified: 10 April 2024
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1036 .005 伪装: Match Legitimate Name or Location

SUPERNOVA has masqueraded as a legitimate SolarWinds DLL.[1][2]
Enterprise T1203 客户端执行漏洞利用

SUPERNOVA was installed via exploitation of a SolarWinds Orion API authentication bypass vulnerability (CVE-2020-10148).[6][7]
Enterprise T1071 .001 应用层协议: Web Protocols

SUPERNOVA had to receive an HTTP GET request containing a specific set of parameters in order to execute.[1][2]
Enterprise T1505 .003 服务器软件组件: Web Shell

SUPERNOVA is a Web shell.[2][1][4]
Enterprise T1027 .013 混淆文件或信息: Encrypted/Encoded File

SUPERNOVA contained Base64-encoded strings.[4]

References

  1. Riley, W. (2020, December 1). SUPERNOVA SolarWinds .NET Webshell Analysis. Retrieved February 18, 2021.
  2. Tennis, M. (2020, December 17). SUPERNOVA: A Novel .NET Webshell. Retrieved February 22, 2021.
  3. SolarWinds. (2020, December 24). SolarWinds Security Advisory. Retrieved February 22, 2021.
  4. CISA. (2021, January 27). Malware Analysis Report (AR21-027A). Retrieved February 22, 2021.
  1. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021.
  2. Carnegie Mellon University. (2020, December 26). SolarWinds Orion API authentication bypass allows remote command execution. Retrieved February 22, 2021.
  3. Stoner, J. (2021, January 21). Detecting Supernova Malware: SolarWinds Continued. Retrieved February 22, 2021.