Uncovering SUPERNOVA Malware

Another Sophisticated .Net Malware from SolarWinds Hacks Internals

In this blog, is pretty much similar to the malware which i had reversed few days back is of the same trojanized bread of logic bomb planted on SolarWind Orion Software which acted as the backdooring the network traffic to the Russian Intelligence Agency APT29 command and control Servers. It’s here
the possibility that more APTs like Lazarus, StrongPity and APT40 is involved in this shady espionage operations. As we have been seeing now frequently the signs of involvement of collaboration of these groups in targeting U.S. and it’s allies.

Analysis

It’s a .Net binary file and it’s logic bomb coded into the SolarWind.Orion binary file.

Signature Overview

File Information

File information in PE Studio shows that its .Net Runtime File.

Starting off with the ProcessRequest function of “LogoImageHandler” class, which is mainly this logic bomb execution point in communicating with the C2 (Command and Control) Server.

ProcessRequest function communication function with command and control server.

Mainly the malicious HTTP string that are being inserted as the logic bomb into the code of SolarWind Orion Software is the used for following communication with the Command and Control Server.

The string used for HTTP connection are :
….:- codes
…..:- clazz
…..:- method
…..:- args

try method in function ProcessRequest of LogoImageHandler class.

Response is written in the Plain Text format with the call to DynamicRun function of LogoImageHandler class.

In the DynamicRun function does compiling operations of compiling the information that process while the communications with the C&C for which the Instance is being created using CreateInstance object.

DynamicRun function.

Moving on to the Join string type function, strings passed in the communications are being processed in this function are returned as a local variable result before that the basic character type linked list operations happens in this function Join.

Join string function of string link-list type operations.

For the purpose of anti analysis threat actor made use of API flags whereas the object is being crafted by the threat actor which carries a value created by the CreateInstance.

Object CreateInstance called in DynamicRun function.
Returned invoke object from Dynamic Function.

Coming back to ProcessRequest function , now continuing from where we left it, after try method use the catch method crafting Exception using HttpUtility class which is stored in the as the local variable of NameValueCollection class & in that class all the keys and hashs are being stored for communications with Command and Control Server (aka C2/C&C).

Code of NameValueCollection class responsible for storing hashs, keys for C&C.

Then just after that, you will encountered with try method which has all the hashs , keys to communicate with the command and control server (C&C ) so further here in this method try image with no logo is being fetched from the command and control server (C2) to infected device and all of this happen with the valid “id” for communication with C2 (aka C&C).

Dynamic Analysis (Advanced)

Registry Key Set used by SuperNova Malware.
Registry Keys Deleted during Infection of SuperNova Malicious Trojan.
  • %windir%\System32\svchost.exe -k WerSvcGroup
  • wmiadap.exe /F /T /R

Indicators of Compromise (IOCs) & Detection

T1082

System Information Discovery

SUPERNOVA

MD5: 56ceb6d0011d87b6e4d7023d7ef85676

SHA1: 75af292f34789a1c782ea36c7127bf6106f595e8

SHA256: c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71

YARA Signature

Yara signature for detection of SUPERNOVA Trojan.

References

Thankyou for reading.

aka Nikhil Rathor | Honey. Malware Analyst. I write blogs related to threat intelligence , malware analysis, APTs , network intrusions and incident responding.

Get the Medium app