Supernova malware clues link Chinese threat group Spiral to SolarWinds server hacks

Secureworks’ Counter Threat Unit (CTU) says SolarWinds servers have been exploited to deploy the malicious .NET web shell Supernova, and believes the activity can be attributed to a China-based threat group.

The researchers observed this while investigating the exploitation of SolarWinds servers to deploy malware. They do not, however, believe these attacks are part of the notorious SolarWinds supply chain compromise disclosed in December 2020.

On Monday, Secureworks’ CTU said in a new report that in late 2020 a compromised Internet-facing SolarWinds server was used as a foothold to deploy the .NET web shell known as Supernova.

Secureworks believes that similar intrusions on the same network indicate that the China-linked Spiral threat group is behind the attacks.

The researchers say Spiral has been actively exploiting CVE-2020-10148. This vulnerability affects the SolarWinds Orion API and is described as an authentication bypass that allows remote execution of API commands.

During an attack, cybercriminals deploy a script on vulnerable servers using a PowerShell command to write the Supernova web shell to disk.
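One way a defender might hunt for that deployment step is to scan PowerShell script-block log entries for commands that write a file into a web application directory. This is an added example, not code from the article or from Secureworks; the watched web-root paths and the sample log entries are assumed placeholders, since the page does not give the real install path or any indicator values.

```python
import re
from dataclasses import dataclass

# Assumed web-root prefixes to watch. The real Orion web directory is not
# given on the page, so these are placeholders for a site's own inventory.
WATCHED_WEB_ROOTS = (
    r"c:\inetpub\solarwinds",  # assumed Orion web root (placeholder)
    r"c:\inetpub\wwwroot",
)

# PowerShell constructs that write text or bytes to a path on disk.
WRITE_PATTERNS = [
    r"\bSet-Content\b", r"\bAdd-Content\b", r"\bOut-File\b", r"-OutFile\b",
    r"\[(?:System\.)?IO\.File\]::Write(?:All)?(?:Bytes|Text)",
]
WEB_SHELL_EXT = re.compile(r"\.(aspx|ashx|asmx|dll)\b", re.I)
PATH_RE = re.compile(r"[a-z]:\\[^\s'\"]+", re.I)

@dataclass
class Finding:
    record_id: str
    path: str
    reason: str

def scan_script_blocks(records):
    """records: iterable of (record_id, script_block_text).
    Returns a Finding for every file write that lands under a watched web root."""
    findings = []
    write_re = re.compile("|".join(WRITE_PATTERNS), re.I)
    for rid, text in records:
        if not write_re.search(text):
            continue  # no file-write construct in this block
        for path in PATH_RE.findall(text):
            low = path.lower()
            if any(low.startswith(root) for root in WATCHED_WEB_ROOTS):
                reason = "file written under web root"
                if WEB_SHELL_EXT.search(path):
                    reason += "; web-executable extension"
                findings.append(Finding(rid, path, reason))
    return findings

# Constructed sample script-block log entries (not real telemetry).
SAMPLE_RECORDS = [
    ("evt-1", r"[IO.File]::WriteAllBytes('C:\inetpub\SolarWinds\bin\evil.dll', $bytes)"),
    ("evt-2", r"Set-Content -Path C:\Temp\report.txt -Value 'ok'"),
    ("evt-3", r"Get-ChildItem C:\inetpub\SolarWinds\bin"),
]

if __name__ == "__main__":
    for finding in scan_script_blocks(SAMPLE_RECORDS):
        print(finding)
```

Only the first constructed record is flagged: it writes a .dll under the assumed Orion web root, while the second writes outside any watched path and the third performs no write at all.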

Palo Alto Networks describes Supernova as an advanced web shell designed not only to maintain persistence but to compile “method, arguments and code data in-memory,” leaving little trace behind.

“The attackers have constructed a stealthy and full-fledged .NET API embedded in an Orion binary, whose user is typically highly privileged and positioned with a high degree of visibility within an organization’s network,” Palo Alto says. 

The attackers can add malicious C# code to SolarWinds that is compiled on the fly during regular platform operations and executed dynamically.

Secureworks researchers have seen Supernova used for both credential theft and information theft.

“CTU researchers have associated Chinese threat groups with network intrusions involving the targeting of ManageEngine servers, maintenance of long-term access to periodically harvest credentials and exfiltrate data, and espionage or theft of intellectual property,” the team writes in the report.

About the author

CIM Team
