| Field | Value |
|---|---|
| Names | SUPERNOVA |
| Category | Malware |
| Type | Backdoor |
| Description | (Palo Alto) In the analysis of the trojanized Orion artifacts, the .NET .dll app_web_logoimagehandler.ashx.b6031896.dll was dubbed SUPERNOVA, but little detail of its operation has been publicly explored. NOTE: The SUPERNOVA webshell's association with the SolarStorm actors is now questionable due to the aforementioned .dll not being digitally signed, unlike the SUNBURST .dll. This may indicate that the webshell was not implanted early in SolarWinds' software development pipeline as was SUNBURST, and was instead dropped by a third party. Additionally, Guidepoint Security conducted their own research into SUPERNOVA, with similar conclusions. |
| Information | <https://unit42.paloaltonetworks.com/solarstorm-supernova/> <https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/> <https://labs.sentinelone.com/solarwinds-understanding-detecting-the-supernova-webshell-trojan/> <https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a> <https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group> <https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112> |
| MITRE ATT&CK | <https://attack.mitre.org/software/S0578/> |
| Malpedia | <https://malpedia.caad.fkie.fraunhofer.de/details/win.supernova> |
Last change to this tool card: 30 December 2022
| Changed | Name | Country | Observed |
|---|---|---|---|
| APT groups | | | |
| | APT 29, Cozy Bear, The Dukes | | 2008-Jun 2024 |
1 group listed (1 APT, 0 other, 0 unknown)