Solarwinds compromise
By Marco Figueroa, James Haughom and Jim Walter

Introduction

The recent SolarWinds Orion supply chain attack has proven to be one of the most layered and damaging attacks of 2020, consisting of multiple artifacts and sophisticated TTPs. Several distinct malware families have emerged in relation to the compromise. These include the SUNBURST backdoor, SUPERNOVA, COSMICGALE and TEARDROP. Organizations protected by SentinelOne's Singularity platform are fully protected against all of these new threats.

In this post, we provide an analysis of the SUPERNOVA trojan, describing how the weaponized DLL payload differs from the legitimate version it supplanted. Further, we disclose some new Indicators of Compromise that may, in addition to previously documented IoCs, help security teams to detect when the malicious web shell is active.

Overview of SolarWinds' Malware Components

The sophisticated nature of the SolarWinds compromise has resulted in a flurry of new malware families, each with different characteristics and behaviors.

  • SUNBURST is a backdoor that was distributed as part of a trojanized MSI (Windows Installer) patch, delivered through SolarWinds' own update mechanism.
  • TEARDROP is a memory-resident implant used (primarily) to deliver the Cobalt Strike Beacon payload.
  • COSMICGALE refers to certain malicious PowerShell scripts that are executed on compromised hosts.
  • SUPERNOVA refers to a web shell implant used to deliver and execute additional code on exposed hosts.

Below, we focus on understanding and detecting the SUPERNOVA web shell implant.

The Trojanized App_Web_logoimagehandler DLL

The SUPERNOVA web shell implant is a trojanized copy of a legitimate .NET library in the SolarWinds Orion web application. The purpose of the original DLL is to serve a user-configured logo to pages in the Orion web application.

Modifying the legitimate SolarWinds DLL for malicious use required just a few key changes, and on analysis the result appears deceptively 'elegant'. Below, we illustrate some of the key differences between the legitimate SolarWinds DLL and the weaponized SUPERNOVA DLL.

A legitimate instance of App_Web_:

A weaponized instance of App_Web_:

The attackers injected an additional method, DynamicRun(), into the legitimate SolarWinds LogoImageHandler class in the App_Web_ assembly, turning the benign DLL into a sophisticated web shell.

The added DynamicRun() method is called by the ProcessRequest() method, which handles HTTP requests. The attackers added a try/catch block to the beginning of this method to parse part of the HTTP request and redirect control flow to the attacker's DynamicRun() method.

The weaponized ProcessRequest() with the added try/catch block:

The additional code simply extracts name-value pairs from the Request property of an instance of the HttpContext class. Once extracted, these four values are passed to DynamicRun() for execution, and the method's return value is written back to the attacker in the HTTP response.

The DynamicRun() method is where the true functionality of the SUPERNOVA web shell resides. This method accepts a blob of C# source code, along with the class to instantiate, the method to invoke, and the method's arguments. These parameters are used to compile and execute an in-memory .NET assembly sent by the attackers over HTTP. The .NET CSharpCodeProvider class is the mechanism used to perform the in-memory compilation. The GenerateInMemory property of the compiler parameters is set to true, meaning no physical assembly is written to disk, which leaves minimal forensic artifacts. The last parameter passed to the in-memory compiler is the blob of C# source code supplied in the attacker's HTTP request.

If no errors arise during compilation, the malware instantiates the requested class, invokes the method named by the third argument, and returns the result. This functionality allows the attackers to compile and execute arbitrary .NET payloads at will, all within the context of the SolarWinds Orion web application.
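Since the stated aim of the post is detecting when the web shell is active, the following is an added example (not code from SentinelOne, SolarWinds or the post's authors) that scans IIS W3C extended-format log lines for requests to the logo handler endpoint carrying the web shell's request parameters. Several things here are assumptions rather than facts from the text above: the parameter names codes, clazz, method and args are taken from public reporting on SUPERNOVA, the endpoint path logoimagehandler.ashx is assumed, the field order follows the IIS default W3C layout, and the log lines are constructed for the example. Because the trojanized handler reads name-value pairs from the Request object, which in ASP.NET covers form bodies as well as the query string, and IIS does not log request bodies, the scanner also flags any POST to the endpoint rather than relying on the query string alone.

```python
"""Scan IIS W3C extended-format log lines for SUPERNOVA-style requests.

Added example: the log below is constructed, the field order follows the
IIS default W3C layout, and the endpoint and parameter names are assumptions
(SUPERNOVA_PARAMS come from public reporting, not from the post itself).
"""
from urllib.parse import parse_qs

# Request parameters the SUPERNOVA handler reads (public reporting; assumption here).
SUPERNOVA_PARAMS = {"codes", "clazz", "method", "args"}
# Endpoint served by the trojanized App_Web_logoimagehandler DLL (assumed path).
TARGET_STEM = "logoimagehandler.ashx"

# Constructed sample log: two benign requests, one GET carrying all four
# parameters with inline C# source, and one POST whose body IIS does not log.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2020-12-14 09:12:01 10.0.0.5 GET /Orion/Login.aspx - 443 - 10.0.0.77 Mozilla/5.0 200 31
2020-12-14 09:12:03 10.0.0.5 GET /Orion/LogoImageHandler.ashx id=1 443 - 10.0.0.77 Mozilla/5.0 200 4
2020-12-14 09:40:17 10.0.0.5 GET /Orion/logoimagehandler.ashx clazz=Payload&method=Run&args=whoami&codes=using+System%3Bpublic+class+Payload%7Bpublic+string+Run(string+a)%7Breturn+a%3B%7D%7D 443 - 203.0.113.9 python-requests/2.25 200 212
2020-12-14 09:41:02 10.0.0.5 POST /Orion/logoimagehandler.ashx - 443 - 203.0.113.9 python-requests/2.25 200 190
"""


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        values = raw.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # skip lines that do not match the declared layout
        yield dict(zip(fields, values))


def query_params(entry):
    """Return the set of lower-cased query parameter names ("-" means none)."""
    query = entry.get("cs-uri-query", "-")
    if query == "-":
        return set()
    return {k.lower() for k in parse_qs(query, keep_blank_values=True)}


def classify(entry):
    """Return "high", "medium" or None for a parsed log entry."""
    if not entry.get("cs-uri-stem", "").lower().endswith(TARGET_STEM):
        return None
    hit = query_params(entry) & SUPERNOVA_PARAMS
    if hit == SUPERNOVA_PARAMS:
        return "high"      # full web shell invocation visible in the query string
    if hit:
        return "medium"    # partial set: probing, or remaining values sent in the body
    if entry.get("cs-method", "").upper() == "POST":
        return "medium"    # body is not logged; a logo fetch is normally a GET
    return None


def extract_source(entry):
    """Recover the C# source submitted in the codes parameter, if present."""
    query = entry.get("cs-uri-query", "-")
    if query == "-":
        return None
    return parse_qs(query, keep_blank_values=True).get("codes", [None])[0]


def scan(text):
    """Return findings as (severity, client ip, method, recovered source or None)."""
    findings = []
    for entry in parse_w3c(text):
        severity = classify(entry)
        if severity:
            findings.append((severity, entry["c-ip"], entry["cs-method"], extract_source(entry)))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run against a real log directory by feeding each file's contents to scan(); a "high" finding also hands the analyst the submitted C# source, which is usually the fastest way to learn what the operator was trying to do. The "medium" POST rule will produce some noise on hosts where the handler is legitimately called with a POST, so review it alongside the client IP and User-Agent rather than alerting on it blindly.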