win.supernova

SUPERNOVA

According to CISA, SUPERNOVA is a malicious webshell backdoor that allows a remote operator to dynamically inject C# source code into a web portal to subsequently inject code. APT actors use SUPERNOVA to perform reconnaissance, conduct domain mapping, and steal sensitive information and credentials.

References
2021-04-29, CISA, CISA: CISA Identifies SUPERNOVA Malware During Incident Response [SUPERNOVA, BRONZE SPIRAL]
2021-04-22, CISA, US-CERT: AR21-112A: CISA Identifies SUPERNOVA Malware During Incident Response [SUPERNOVA]
2021-04-22, splunk, Dave Herrald, Drew Church, James Brodsky, John Stoner, Katie Brown, Marcus LaFerrera, Michael Natkin, Mick Baccio, Ryan Kovar: SUPERNOVA Redux, with a Generous Portion of Masquerading [SUPERNOVA]
2021-03-08, Secureworks, Counter Threat Unit Research Team: SUPERNOVA Web Shell Deployment Linked to SPIRAL Threat Group [SUPERNOVA, BRONZE SPIRAL]
2021-02-28, PWC UK, PWC UK: Cyber Threats 2020: A Year in Retrospect [elf.wellmess, FlowerPower, PowGoop, 8.t Dropper, Agent.BTZ, Agent Tesla, Appleseed, Ave Maria, Bankshot, BazarBackdoor, BLINDINGCAN, Chinoxy, Conti, Cotx RAT, Crimson RAT, DUSTMAN, Emotet, FriedEx, FunnyDream, Hakbit, Mailto, Maze, METALJACK, Nefilim, Oblique RAT, Pay2Key, PlugX, QakBot, REvil, Ryuk, StoneDrill, StrongPity, SUNBURST, SUPERNOVA, TrickBot, TurlaRPC, Turla SilentMoon, WastedLocker, WellMess, Winnti, ZeroCleare, APT10, APT23, APT27, APT31, APT41, BlackTech, BRONZE EDGEWOOD, Inception Framework, MUSTANG PANDA, Red Charon, Red Nue, Sea Turtle, Tonto Team]
2021-01-27, US-CERT, US-CERT: Malware Analysis Report (AR21-027A): MAR-10319053-1.v1 - Supernova [SUPERNOVA, BRONZE SPIRAL]
2021-01-08, US-CERT, US-CERT: Alert (AA21-008A): Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments [SUNBURST, SUPERNOVA]
2021-01-04, splunk, John Stoner: Detecting Supernova Malware: SolarWinds Continued [SUPERNOVA]
2020-12-31, Youtube (Colin Hardy), Colin Hardy: SUPERNOVA - Everything you need to know to Reverse Engineer an APT WebShell [SUPERNOVA]
2020-12-26, Twitter (@MalwareRE), Ramin Nafisi: Tweet on active exploitation of 0day vulnerability in the SolarWinds Orion [SUPERNOVA]
2020-12-23, Sentinel LABS, James Haughom, Jim Walter, Marco Figueroa: SolarWinds | Understanding & Detecting the SUPERNOVA Webshell Trojan [SUPERNOVA, BRONZE SPIRAL]
2020-12-18, 360Quake, 360Quake: SolarWinds Compromised Server Mapping and Analysis Report (SolarWinds失陷服务器测绘分析报告) [SUPERNOVA]
2020-12-18, Microsoft, Microsoft 365 Defender Research Team, Microsoft Threat Intelligence Center (MSTIC): Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers [SUNBURST, SUPERNOVA, TEARDROP, UNC2452]
2020-12-17, Palo Alto Networks Unit 42, Matthew Tennis: SUPERNOVA SolarWinds .NET Webshell Analysis [SUPERNOVA, BRONZE SPIRAL]
2020-12-17, Palo Alto Networks Unit 42, Matt Tennis: SUPERNOVA: SolarStorm’s Novel .NET Webshell [SUPERNOVA]
2020-12-16, GuidePoint Security, Wes Riley: SUPERNOVA SolarWinds .NET Webshell Analysis [SUPERNOVA]
2020-12-15, Github (itsreallynick), Nick Carr: A quick note from Nick Carr on COSMICGALE and SUPERNOVA that those are unrelated to the UNC2452 intrusion campaign [SUPERNOVA]
2020-12-15, Trend Micro, Trend Micro: Overview of Recent Sunburst Targeted Attacks [SUPERNOVA]
2020-12-14, SolarWinds, SolarWinds: Security Advisory on SolarWinds Supply chain attack FAQ [SUNBURST, SUPERNOVA]
2020-12-14, SolarWinds, SolarWinds: Security Advisory on SolarWinds Supply chain attack [SUNBURST, SUPERNOVA]
2020-12-14, GuidePoint Security, GuidePoint Security: SUPERNOVA SolarWinds .NET Webshell Analysis [SUPERNOVA, BRONZE SPIRAL]
2020-12-13, FireEye, Alex Berry, Alex Pennino, Alyssa Rahman, Andrew Archer, Andrew Rector, Andrew Thompson, Barry Vengerik, Ben Read, Ben Withnell, Chris DiGiamo, Christopher Glyer, Dan Perez, Dileep Jallepalli, Doug Bienstock, Eric Scales, Evan Reese, Fred House, Glenn Edwards, Ian Ahl, Isif Ibrahima, Jay Smith, John Gorman, John Hultquist, Jon Leathery, Lennard Galang, Marcin Siedlarz, Matt Dunwoody, Matthew McWhirt, Michael Sikorski, Microsoft, Mike Burns, Nalani Fraiser, Nick Bennett, Nick Carr, Nick Hornick, Nick Richard, Nicole Oppenheim, Omer Baig, Ramin Nafisi, Sarah Jones, Scott Runnels, Stephen Eckels, Steve Miller, Steve Stone, William Ballenthin: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor [SUNBURST, SUPERNOVA, TEARDROP, UNC2452]
2020-12-13, Github (fireeye), FireEye: SUNBURST Countermeasures [SUNBURST, SUPERNOVA, TEARDROP, UNC2452]
Yara Rules
[TLP:WHITE] win_supernova_auto (20251219 | Detects win.supernova.)
rule win_supernova_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-01-05"
        version = "1"
        description = "Detects win.supernova."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.supernova"
        malpedia_rule_date = "20260105"
        malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79"
        malpedia_version = "20251219"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 1107 17 91 1f50 3339 1107 }
            // n = 6, score = 100
            //   1107                 | jo                  0x3b7
            //   17                   | sub                 dword ptr [eax], eax
            //   91                   | add                 byte ptr [edx], cl
            //   1f50                 | and                 eax, 0x286f
            //   3339                 | or                  dh, byte ptr [edx - 0x4f]
            //   1107                 | add                 dword ptr [eax], eax

        $sequence_1 = { 1308 03 6f0b00000a 6f1c00000a 1107 16 }
            // n = 6, score = 100
            //   1308                 | or                  dword ptr [eax], eax
            //   03                   | add                 byte ptr [edx], cl
            //   6f0b00000a           | pop                 ss
            //   6f1c00000a           | lea                 edx, [ebx]
            //   1107                 | add                 byte ptr [eax], al
            //   16                   | add                 dword ptr [0x22772], esp

        $sequence_2 = { 26 25 6f2800000a 72b1010070 }
            // n = 4, score = 100
            //   26                   | add                 byte ptr [ebx], dh
            //   25                   | or                  al, 0x72
            //   6f2800000a           | int                 0
            //   72b1010070           | add                 byte ptr [eax + 0x13], dh

        $sequence_3 = { 19 91 1f47 3329 }
            // n = 4, score = 100
            //   19                   | and                 byte ptr [ecx + 0x33000000], cl
            //   91                   | inc                 ecx
            //   1f47                 | push                ss
            //   3329                 | xchg                eax, ecx

        $sequence_4 = { 3341 1107 17 91 1f50 3339 }
            // n = 6, score = 100
            //   3341                 | or                  dword ptr [edi + 0x22], ebp
            //   1107                 | add                 byte ptr [eax], al
            //   17                   | or                  bl, dh
            //   91                   | add                 byte ptr [esi], dl
            //   1f50                 | adc                 dword ptr [edi], eax
            //   3339                 | mov                 gs, word ptr [ecx + 0x6f]

        $sequence_5 = { 1f0a 9d 6f0a00000a 1304 03 6f0b00000a }
            // n = 6, score = 100
            //   1f0a                 | and                 dword ptr [eax], eax
            //   9d                   | add                 byte ptr [edx], cl
            //   6f0a00000a           | fiadd               word ptr [esi + 0x13]
            //   1304                 | or                  dword ptr [ebx], eax
            //   03                   | outsd               dx, dword ptr [esi]
            //   6f0b00000a           | or                  eax, dword ptr [eax]

        $sequence_6 = { de00 03 6f0800000a 6f0e00000a }
            // n = 4, score = 100
            //   de00                 | or                  ch, byte ptr [edi + 0x2d]
            //   03                   | add                 byte ptr [eax], al
            //   6f0800000a           | or                  ch, byte ptr [edi + 0x35]
            //   6f0e00000a           | add                 byte ptr [eax], al

        $sequence_7 = { 3309 72e3000070 1308 2b5a 1107 }
            // n = 5, score = 100
            //   3309                 | adc                 dword ptr [edi], eax
            //   72e3000070           | pop                 ss
            //   1308                 | outsd               dx, dword ptr [esi]
            //   2b5a                 | pop                 ds
            //   1107                 | add                 byte ptr [eax], al

        $sequence_8 = { 16 91 2089000000 3341 }
            // n = 4, score = 100
            //   16                   | adc                 eax, dword ptr [esi]
            //   91                   | sub                 eax, dword ptr [edi]
            //   2089000000           | sub                 byte ptr [0x130a0000], dl
            //   3341                 | push                es

        $sequence_9 = { 7e01000004 7211010070 1109 6f2200000a de00 03 6f0b00000a }
            // n = 7, score = 100
            //   7e01000004           | adc                 al, byte ptr [eax]
            //   7211010070           | add                 byte ptr [edx], cl
            //   1109                 | sub                 eax, 0x6f051128
            //   6f2200000a           | adc                 dword ptr [eax], eax
            //   de00                 | add                 byte ptr [edx], cl
            //   03                   | jae                 0x33
            //   6f0b00000a           | add                 byte ptr [eax], al

    condition:
        7 of them and filesize < 50176
}
[TLP:WHITE] win_supernova_w0   (20201216 | This rule is looking for specific strings related to SUPERNOVA. SUPERNOVA is a .NET web shell backdoor masquerading as a legitimate SolarWinds web service handler. SUPERNOVA inspects and responds to HTTP requests with the appropriate HTTP query strings, Cookies, and/or HTML form values (e.g. named codes, class, method, and args).)
// Copyright 2020 by FireEye, Inc.
// You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
// https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt

rule win_supernova_w0 {
    meta:
        author = "FireEye"
        description = "This rule is looking for specific strings related to SUPERNOVA. SUPERNOVA is a .NET web shell backdoor masquerading as a legitimate SolarWinds web service handler. SUPERNOVA inspects and responds to HTTP requests with the appropriate HTTP query strings, Cookies, and/or HTML form values (e.g. named codes, class, method, and args)."
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.supernova"
        malpedia_version = "20201216"
        malpedia_license = ""
        malpedia_sharing = "TLP:WHITE"

    strings:
        $dynamic = "DynamicRun"
        $solar = "Solarwinds" nocase
        $string1 = "codes"
        $string2 = "clazz"
        $string3 = "method"
        $string4 = "args"

    condition:
            uint16(0) == 0x5a4d
        and
            uint32(uint32(0x3C)) == 0x00004550
        and
            filesize < 10KB
        and
            3 of ($string*)
        and
            $dynamic
        and
            $solar
}
[TLP:WHITE] win_supernova_w1   (20201216 | SUPERNOVA is a .NET web shell backdoor masquerading as a legitimate SolarWinds web service handler. SUPERNOVA inspects and responds to HTTP requests with the appropriate HTTP query strings, Cookies, and/or HTML form values (e.g. named codes, class, method, and args). This rule is looking for specific strings and attributes related to SUPERNOVA.)
// Copyright 2020 by FireEye, Inc.
// You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
// https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
import "pe"

rule win_supernova_w1 {
    meta:
        author = "FireEye"
        description = "SUPERNOVA is a .NET web shell backdoor masquerading as a legitimate SolarWinds web service handler. SUPERNOVA inspects and responds to HTTP requests with the appropriate HTTP query strings, Cookies, and/or HTML form values (e.g. named codes, class, method, and args). This rule is looking for specific strings and attributes related to SUPERNOVA."
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.supernova"
        malpedia_version = "20201216"
        malpedia_license = ""
        malpedia_sharing = "TLP:WHITE"

    strings:
        $compile1 = "CompileAssemblyFromSource"
        $compile2 = "CreateCompiler"
        $context = "ProcessRequest"
        $httpmodule = "IHttpHandler" ascii
        $string1 = "clazz"
        $string2 = "//NetPerfMon//images//NoLogo.gif" wide
        $string3 = "SolarWinds" ascii nocase wide

    condition:
            uint16(0) == 0x5a4d
        and
            uint32(uint32(0x3C)) == 0x00004550
        and
            filesize < 10KB
        and
            pe.imports("mscoree.dll","_CorDllMain")
        and
            $httpmodule
        and
            $context
        and
            all of ($compile*)
        and
            all of ($string*)
}