Another Sophisticated .Net Malware from SolarWinds Hacks Internals
In this blog, is pretty much similar to the malware which i had reversed few days back is of the same trojanized bread of logic bomb planted on SolarWind Orion Software which acted as the backdooring the network traffic to the Russian Intelligence Agency APT29 command and control Servers. It’s here
the possibility that more APTs like Lazarus, StrongPity and APT40 is involved in this shady espionage operations. As we have been seeing now frequently the signs of involvement of collaboration of these groups in targeting U.S. and it’s allies.
It’s a .Net binary file and it’s logic bomb coded into the SolarWind.Orion binary file.
Static Analysis (Basic)
Static Analysis (Advanced)
Starting off with the ProcessRequest function of “LogoImageHandler” class, which is mainly this logic bomb execution point in communicating with the C2 (Command and Control) Server.
Mainly the malicious HTTP string that are being inserted as the logic bomb into the code of SolarWind Orion Software is the used for following communication with the Command and Control Server.
The string used for HTTP connection are :
Response is written in the Plain Text format with the call to DynamicRun function of LogoImageHandler class.
In the DynamicRun function does compiling operations of compiling the information that process while the communications with the C&C for which the Instance is being created using CreateInstance object.
Moving on to the Join string type function, strings passed in the communications are being processed in this function are returned as a local variable result before that the basic character type linked list operations happens in this function Join.
For the purpose of anti analysis threat actor made use of API flags whereas the object is being crafted by the threat actor which carries a value created by the CreateInstance.
Coming back to ProcessRequest function , now continuing from where we left it, after try method use the catch method crafting Exception using HttpUtility class which is stored in the as the local variable of NameValueCollection class & in that class all the keys and hashs are being stored for communications with Command and Control Server (aka C2/C&C).
Then just after that, you will encountered with try method which has all the hashs , keys to communicate with the command and control server (C&C ) so further here in this method try image with no logo is being fetched from the command and control server (C2) to infected device and all of this happen with the valid “id” for communication with C2 (aka C&C).
Dynamic Analysis (Advanced)
Registry Keys Set
Registry Keys Deleted
- %windir%\System32\svchost.exe -k WerSvcGroup
- wmiadap.exe /F /T /R
Indicators of Compromise (IOCs) & Detection
Att&ck Mitre Techniques
System Information Discovery
Sample from Report
SUPERNOVA: A Novel .NET Webshell, an Analysis
The actors behind the supply chain attack on SolarWinds' Orion software have demonstrated a high degree of technical…