win.supernova

SUPERNOVA


According to CISA, SUPERNOVA is a malicious webshell backdoor that allows a remote operator to dynamically inject C# source code into a web portal and subsequently have that code executed there. APT actors use SUPERNOVA to perform reconnaissance, conduct domain mapping, and steal sensitive information and credentials.

References

2021-04-29 | CISA | CISA
  CISA Identifies SUPERNOVA Malware During Incident Response
  https://www.cisa.gov/news-events/analysis-reports/ar21-112a (accessed 2023-10-05)
  Related: SUPERNOVA, BRONZE SPIRAL

2021-04-22 | CISA | US-CERT
  AR21-112A: CISA Identifies SUPERNOVA Malware During Incident Response
  https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a (accessed 2021-04-28)
  Related: SUPERNOVA

2021-04-22 | splunk | John Stoner, Mick Baccio, Katie Brown, James Brodsky, Drew Church, Dave Herrald, Ryan Kovar, Marcus LaFerrera, Michael Natkin
  SUPERNOVA Redux, with a Generous Portion of Masquerading
  https://www.splunk.com/en_us/blog/security/supernova-redux-with-a-generous-portion-of-masquerading.html (accessed 2021-04-28)
  Related: SUPERNOVA

2021-03-08 | Secureworks | Counter Threat Unit Research Team
  SUPERNOVA Web Shell Deployment Linked to SPIRAL Threat Group
  https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group (accessed 2021-03-10)
  Related: SUPERNOVA, BRONZE SPIRAL

2021-02-28 | PWC UK | PWC UK (report)
  Cyber Threats 2020: A Year in Retrospect
  https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf (accessed 2021-03-04)
  Related: elf.wellmess, FlowerPower, PowGoop, 8.t Dropper, Agent.BTZ, Agent Tesla, Appleseed, Ave Maria, Bankshot, BazarBackdoor, BLINDINGCAN, Chinoxy, Conti, Cotx RAT, Crimson RAT, DUSTMAN, Emotet, FriedEx, FunnyDream, Hakbit, Mailto, Maze, METALJACK, Nefilim, Oblique RAT, Pay2Key, PlugX, QakBot, REvil, Ryuk, StoneDrill, StrongPity, SUNBURST, SUPERNOVA, TrickBot, TurlaRPC, Turla SilentMoon, WastedLocker, WellMess, Winnti, ZeroCleare, APT10, APT23, APT27, APT31, APT41, BlackTech, BRONZE EDGEWOOD, Inception Framework, MUSTANG PANDA, Red Charon, Red Nue, Sea Turtle, Tonto Team

2021-01-27 | US-CERT | US-CERT
  Malware Analysis Report (AR21-027A): MAR-10319053-1.v1 - Supernova
  https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a (accessed 2021-01-29)
  Related: SUPERNOVA, BRONZE SPIRAL

2021-01-08 | US-CERT | US-CERT
  Alert (AA21-008A): Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments
  https://us-cert.cisa.gov/ncas/alerts/aa21-008a (accessed 2021-01-11)
  Related: SUNBURST, SUPERNOVA

2021-01-04 | splunk | John Stoner
  Detecting Supernova Malware: SolarWinds Continued
  https://www.splunk.com/en_us/blog/security/detecting-supernova-malware-solarwinds-continued.html (accessed 2021-01-10)
  Related: SUPERNOVA

2020-12-31 | Youtube (Colin Hardy) | Colin Hardy
  SUPERNOVA - Everything you need to know to Reverse Engineer an APT WebShell
  https://www.youtube.com/watch?v=7WX5fCEzTlA (accessed 2021-01-04)
  Related: SUPERNOVA

2020-12-26 | Twitter (@MalwareRE) | Ramin Nafisi
  Tweet on active exploitation of 0day vulnerability in the SolarWinds Orion
  https://twitter.com/MalwareRE/status/1342888881373503488 (accessed 2021-01-01)
  Related: SUPERNOVA

2020-12-23 | Sentinel LABS | Marco Figueroa, James Haughom, Jim Walter
  SolarWinds | Understanding & Detecting the SUPERNOVA Webshell Trojan
  https://labs.sentinelone.com/solarwinds-understanding-detecting-the-supernova-webshell-trojan/ (accessed 2020-12-26)
  Related: SUPERNOVA

2020-12-23 | Sentinel LABS | Marco Figueroa, James Haughom, Jim Walter
  SolarWinds | Understanding & Detecting the SUPERNOVA Webshell Trojan
  https://www.sentinelone.com/labs/solarwinds-understanding-detecting-the-supernova-webshell-trojan (accessed 2022-07-25)
  Related: SUPERNOVA, BRONZE SPIRAL

2020-12-18 | 360Quake | 360Quake
  SolarWinds失陷服务器测绘分析报告 [Chinese: Survey and analysis report on compromised SolarWinds servers]
  https://www.anquanke.com/post/id/226029 (accessed 2020-12-23)
  Related: SUPERNOVA

2020-12-18 | Microsoft | Microsoft 365 Defender Research Team, Microsoft Threat Intelligence Center (MSTIC)
  Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers
  https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/ (accessed 2020-12-19)
  Related: SUNBURST, SUPERNOVA, TEARDROP, UNC2452

2020-12-17 | Palo Alto Networks Unit 42 | Matthew Tennis
  SUPERNOVA SolarWinds .NET Webshell Analysis
  https://unit42.paloaltonetworks.com/solarstorm-supernova (accessed 2022-07-25)
  Related: SUPERNOVA, BRONZE SPIRAL

2020-12-17 | Palo Alto Networks Unit 42 | Matt Tennis
  SUPERNOVA: SolarStorm's Novel .NET Webshell
  https://unit42.paloaltonetworks.com/solarstorm-supernova/ (accessed 2020-12-18)
  Related: SUPERNOVA

2020-12-16 | GuidePoint Security | Wes Riley
  SUPERNOVA SolarWinds .NET Webshell Analysis
  https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/ (accessed 2020-12-17)
  Related: SUPERNOVA

2020-12-15 | Github (itsreallynick) | Nick Carr
  A quick note from Nick Carr on COSMICGALE and SUPERNOVA that those are unrelated to UC2452 intrusion campaign
  https://github.com/fireeye/sunburst_countermeasures/pull/5 (accessed 2020-12-19)
  Related: SUPERNOVA

2020-12-15 | Trend Micro | Trend Micro
  Overview of Recent Sunburst Targeted Attacks
  https://www.trendmicro.com/en_us/research/20/l/overview-of-recent-sunburst-targeted-attacks.html (accessed 2020-12-16)
  Related: SUPERNOVA

2020-12-14 | GuidePoint Security | GuidePoint Security
  SUPERNOVA SolarWinds .NET Webshell Analysis
  https://www.guidepointsecurity.com/blog/supernova-solarwinds-net-webshell-analysis (accessed 2022-07-25)
  Related: SUPERNOVA, BRONZE SPIRAL

2020-12-14 | Solarwind | Solarwind
  Security Advisory on SolarWinds Supply chain attack FAQ
  https://www.solarwinds.com/securityadvisory/faq (accessed 2021-01-04)
  Related: SUNBURST, SUPERNOVA

2020-12-14 | Solarwind | Solarwind
  Security Advisory on SolarWinds Supply chain attack
  https://www.solarwinds.com/securityadvisory (accessed 2021-01-01)
  Related: SUNBURST, SUPERNOVA

2020-12-13 | Github (fireeye) | FireEye
  SUNBURST Countermeasures
  https://github.com/fireeye/sunburst_countermeasures (accessed 2020-12-19)
  Related: SUNBURST, SUPERNOVA, TEARDROP, UNC2452

2020-12-13 | FireEye | Andrew Archer, Doug Bienstock, Chris DiGiamo, Glenn Edwards, Nick Hornick, Alex Pennino, Andrew Rector, Scott Runnels, Eric Scales, Nalani Fraiser, Sarah Jones, John Hultquist, Ben Read, Jon Leathery, Fred House, Dileep Jallepalli, Michael Sikorski, Stephen Eckels, William Ballenthin, Jay Smith, Alex Berry, Nick Richard, Isif Ibrahima, Dan Perez, Marcin Siedlarz, Ben Withnell, Barry Vengerik, Nicole Oppenheim, Ian Ahl, Andrew Thompson, Matt Dunwoody, Evan Reese, Steve Miller, Alyssa Rahman, John Gorman, Lennard Galang, Steve Stone, Nick Bennett, Matthew McWhirt, Mike Burns, Omer Baig, Nick Carr, Christopher Glyer, Ramin Nafisi, Microsoft
  Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
  https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html (accessed 2020-12-19)
  Related: SUNBURST, SUPERNOVA, TEARDROP, UNC2452
Yara Rules
[TLP:WHITE] win_supernova_w0 (version 20201216)
This rule is looking for specific strings related to SUPERNOVA. SUPERNOVA is a .NET web shell backdoor masquerading as a legitimate SolarWinds web service handler. SUPERNOVA inspects and responds to HTTP requests with the appropriate HTTP query strings, Cookies, and/or HTML form values (e.g. named codes, class, method, and args).

// Copyright 2020 by FireEye, Inc.
// You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
// https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt

rule win_supernova_w0 {
    meta:
        author = "FireEye"
        description = "This rule is looking for specific strings related to SUPERNOVA. SUPERNOVA is a .NET web shell backdoor masquerading as a legitimate SolarWinds web service handler. SUPERNOVA inspects and responds to HTTP requests with the appropriate HTTP query strings, Cookies, and/or HTML form values (e.g. named codes, class, method, and args)."
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.supernova"
        malpedia_version = "20201216"
        malpedia_license = ""
        malpedia_sharing = "TLP:WHITE"

    strings:
        $dynamic = "DynamicRun"
        $solar = "Solarwinds" nocase
        // names of the request parameters the web shell reads
        $string1 = "codes"
        $string2 = "clazz"
        $string3 = "method"
        $string4 = "args"

    condition:
        uint16(0) == 0x5a4d                  // "MZ" DOS header
        and uint32(uint32(0x3C)) == 0x00004550  // "PE\0\0" signature at e_lfanew
        and filesize < 10KB
        and 3 of ($string*)
        and $dynamic
        and $solar
}
[TLP:WHITE] win_supernova_w1 (version 20201216)
SUPERNOVA is a .NET web shell backdoor masquerading as a legitimate SolarWinds web service handler. SUPERNOVA inspects and responds to HTTP requests with the appropriate HTTP query strings, Cookies, and/or HTML form values (e.g. named codes, class, method, and args). This rule is looking for specific strings and attributes related to SUPERNOVA.

// Copyright 2020 by FireEye, Inc.
// You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
// https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
import "pe"

rule win_supernova_w1 {
    meta:
        author = "FireEye"
        description = "SUPERNOVA is a .NET web shell backdoor masquerading as a legitimate SolarWinds web service handler. SUPERNOVA inspects and responds to HTTP requests with the appropriate HTTP query strings, Cookies, and/or HTML form values (e.g. named codes, class, method, and args). This rule is looking for specific strings and attributes related to SUPERNOVA."
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.supernova"
        malpedia_version = "20201216"
        malpedia_license = ""
        malpedia_sharing = "TLP:WHITE"

    strings:
        // in-memory C# compilation used to build and run the injected source
        $compile1 = "CompileAssemblyFromSource"
        $compile2 = "CreateCompiler"
        // ASP.NET handler interface and entry point the web shell implements
        $context = "ProcessRequest"
        $httpmodule = "IHttpHandler" ascii
        $string1 = "clazz"
        $string2 = "//NetPerfMon//images//NoLogo.gif" wide
        $string3 = "SolarWinds" ascii nocase wide

    condition:
        uint16(0) == 0x5a4d                  // "MZ" DOS header
        and uint32(uint32(0x3C)) == 0x00004550  // "PE\0\0" signature at e_lfanew
        and filesize < 10KB
        and pe.imports("mscoree.dll", "_CorDllMain")  // managed (.NET) DLL entry
        and $httpmodule
        and $context
        and all of ($compile*)
        and all of ($string*)
}