SUPERNOVA
ID: S0578
ⓘ
Type: MALWARE
ⓘ
Platforms: Windows
Version: 1.1
Created: 18 February 2021
Last Modified: 10 April 2024
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
SUPERNOVA had to receive an HTTP GET request containing a specific set of parameters in order to execute.[1][2] |
| Enterprise | T1203 | Exploitation for Client Execution |
SUPERNOVA was installed via exploitation of a SolarWinds Orion API authentication bypass vulnerability (CVE-2020-10148).[6][7] |
|
| Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
SUPERNOVA has masqueraded as a legitimate SolarWinds DLL.[1][2] |
| Enterprise | T1027 | .013 | Obfuscated Files or Information: Encrypted/Encoded File | |
| Enterprise | T1505 | .003 | Server Software Component: Web Shell | |
References
- Riley, W. (2020, December 1). SUPERNOVA SolarWinds .NET Webshell Analysis. Retrieved February 18, 2021.
- Tennis, M. (2020, December 17). SUPERNOVA: A Novel .NET Webshell. Retrieved February 22, 2021.
- SolarWinds. (2020, December 24). SolarWinds Security Advisory. Retrieved February 22, 2021.
- CISA. (2021, January 27). Malware Analysis Report (AR21-027A). Retrieved February 22, 2021.
- MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021.
- Carnegie Mellon University. (2020, December 26). SolarWinds Orion API authentication bypass allows remote command execution. Retrieved February 22, 2021.
- Stoner, J. (2021, January 21). Detecting Supernova Malware: SolarWinds Continued. Retrieved February 22, 2021.