{"id":5946,"date":"2021-02-01T09:09:32","date_gmt":"2021-02-01T17:09:32","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=5946"},"modified":"2024-04-26T13:20:56","modified_gmt":"2024-04-26T20:20:56","slug":"supernova-malware","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/supernova-malware\/","title":{"rendered":"Cyber Threat Advisory: SUPERNOVA Malware"},"content":{"rendered":"<p>Date: 28 January 21<\/p>\n<p>Author: Nick Sundvall and Yadu Nadh<\/p>\n<p>TLP:WHITE<\/p>\n<h3>1. Executive Summary<\/h3>\n<p>On 27 January, the Cybersecurity &amp; Infrastructure Security Agency (CISA) published a Malware Analysis Report (MAR) on malware affecting SolarWinds\u2019 Orion platform.1 Cybersecurity company FireEye has named the malware SUPERNOVA. Both CISA and SolarWinds assessed that SUPERNOVA is not related to the supply chain attack on SolarWinds that was discovered in December 2020 but was designed to appear as part of the SolarWinds product. The report details the analysis of a PowerShell script that installs a malicious webshell backdoor &#8211; SUPERNOVA &#8211; allowing an attacker to inject and execute C# code into the SolarWinds software.<\/p>\n<h3>2. Analysis<\/h3>\n<p>2.1. PowerShell Script<\/p>\n<p>CISA reports that the PowerShell script, 1.ps1, contains a Base64 encoded, 32-bit .NET dynamic-link library (DLL). When the script executes, it uses Base64 to decode and install the DLL into the directory C:\\inetpub\\SolarWinds\\bin\\App_Web_logoimagehandler.ashx.b6031896.dll. This DLL includes a legitimate SolarWinds DLL, with the SUPERNOVA webshell added in.<\/p>\n<p>2.2. DLL<\/p>\n<p>CISA describes the 32-bit .NET DLL as \u201ca modified SolarWinds plug-in\u201d with the SUPERNOVA malware \u201cpatched into this plug-in.\u201d The modification changes the DynamicRun function, which is responsible for accepting C# code, as well as compiling and running it. This modification allows an attacker to provide custom HttpContext data structures to the application\u2019s ProcessRequest function.<\/p>\n<p>The ProcessRequest function accepts HttpContext data structures as arguments. It parses out certain sections of the structure using various keys and provides the related data from the keys as arguments to the DynamicRun function.<\/p>\n<p>The DynamicRun function accepts arguments containing pieces of C# code including the class name, function name, arguments passed to the function and actual code. After parsing the data from the arguments and combining it to create complete code, DynamicRun compiles and executes the code.<\/p>\n<h3>3. Prevention and Mitigation<\/h3>\n<p>CISA provides the following list of best practices to strengthen the security of an organization. In addition, CISA references the publication from the National Institute of Standards and Technology (NIST), \u201cGuide to Malware Incident Prevention &amp; Handling for Desktops and Laptops\u201d for more information on malware incident prevention and handling.2<\/p>\n<p>\u25cf Maintain up-to-date antivirus signatures and engines.<\/p>\n<p>\u25cf Keep operating system patches up-to-date.<\/p>\n<p>\u25cf Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.<\/p>\n<p>\u25cf Restrict users&#8217; ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.<\/p>\n<p>\u25cf Enforce a strong password policy and implement regular password changes.<\/p>\n<p>\u25cf Exercise caution when opening email attachments even if the attachment is expected and the sender appears to be known.<\/p>\n<p>\u25cf Enable a personal firewall on workstations, configured to deny unsolicited connection requests.<\/p>\n<p>\u25cf Disable unnecessary services on workstations and servers.<\/p>\n<p>\u25cf Scan for and remove suspicious email attachments; ensure the scanned attachment is its &#8220;true file type&#8221; (i.e., the extension matches the file header).<\/p>\n<p>\u25cf Monitor users&#8217; web browsing habits; restrict access to sites with unfavorable content.<\/p>\n<p>\u25cf Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).<\/p>\n<p>\u25cf Scan all software downloaded from the Internet prior to executing.<\/p>\n<p>\u25cf Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).<\/p>\n<h3>4. Indicators of Compromise<\/h3>\n<table style=\"table-layout: fixed;\">\n<tbody>\n<tr style=\"background-color: #bbb;\">\n<td>\n<p style=\"text-align: center;\"><strong>Indicator<\/strong><\/p>\n<\/td>\n<td style=\"padding-right: 10px;\">\n<p style=\"text-align: center;\"><strong>Description<\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p style=\"text-align: center;\">C:\\inetpub\\SolarWinds\\bin\\App_Web_logoimagehandler.ashx.b6031896.dll<\/p>\n<\/td>\n<td style=\"padding-right: 10px;\">\n<p style=\"text-align: center;\">SUPERNOVA<\/p>\n<p style=\"text-align: center;\">implant path<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p style=\"text-align: center;\">290951fcc76b497f13dcb756883be3377cd3a4692e51350c92cac157fc87e515<\/p>\n<p style=\"text-align: center;\">C15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71<\/p>\n<p style=\"text-align: center;\">02c5a4770ee759593ec2d2ca54373b63dea5ff94da2e8b4c733f132c00fc7ea1<\/p>\n<\/td>\n<td style=\"padding-right: 10px;\">\n<p style=\"text-align: center;\">SHA256s<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h1><\/h1>\n<p>Endnotes<\/p>\n<p>1. <a href=\"https:\/\/us-cert.cisa.gov\/ncas\/analysis-reports\/ar21-027a\">https:\/\/us-cert.cisa.gov\/ncas\/analysis-reports\/ar21-027a<\/a><\/p>\n<p>2. <a href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-83\/rev-1\/final\">https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-83\/rev-1\/final<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Date: 28 January 21 Author: Nick Sundvall and Yadu Nadh TLP:WHITE 1. Executive Summary On 27 January, the Cybersecurity &amp; Infrastructure Security Agency (CISA) published a Malware Analysis Report (MAR) on malware affecting SolarWinds\u2019 Orion platform.1 Cybersecurity company FireEye has named the malware SUPERNOVA. Both CISA and SolarWinds assessed that SUPERNOVA is not related to [&hellip;]<\/p>\n","protected":false},"author":397,"featured_media":6736,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[554],"tags":[189,32,379,433],"class_list":{"0":"post-5946","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-cyber-threat-advisory","8":"tag-cybersecurity","9":"tag-malware","10":"tag-solarwinds","11":"tag-supernova","12":"entry"},"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>SUPERNOVA Malware<\/title>\n<meta name=\"description\" content=\"SUPERNOVA Malware. On 27 January, the Cybersecurity &amp; Infrastructure Security Agency (CISA) published a Malware Analysis Report (MAR) on malware affecting SolarWinds\u2019 Orion platform.1 Cybersecurity company FireEye has named the malware SUPERNOVA. Both CISA and SolarWinds assessed that SUPERNOVA is not related to the supply chain attack on SolarWinds that was discovered in December 2020 but was designed to appear as part of the SolarWinds product. The report details the analysis of a PowerShell script that installs a malicious webshell backdoor - SUPERNOVA - allowing an attacker to inject and execute C# code into the SolarWinds software.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/supernova-malware\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Cyber Threat Advisory: SUPERNOVA Malware\" \/>\n<meta property=\"og:description\" content=\"SUPERNOVA Malware. On 27 January, the Cybersecurity &amp; Infrastructure Security Agency (CISA) published a Malware Analysis Report (MAR) on malware affecting SolarWinds\u2019 Orion platform.1 Cybersecurity company FireEye has named the malware SUPERNOVA. Both CISA and SolarWinds assessed that SUPERNOVA is not related to the supply chain attack on SolarWinds that was discovered in December 2020 but was designed to appear as part of the SolarWinds product. The report details the analysis of a PowerShell script that installs a malicious webshell backdoor - SUPERNOVA - allowing an attacker to inject and execute C# code into the SolarWinds software.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/supernova-malware\/\" \/>\n<meta property=\"og:site_name\" content=\"Infoblox Blog\" \/>\n<meta property=\"article:published_time\" content=\"2021-02-01T17:09:32+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-04-26T20:20:56+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ciu-image-32.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"612\" \/>\n\t<meta property=\"og:image:height\" content=\"344\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Infoblox Threat Intel\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Infoblox Threat Intel\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/supernova-malware\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/supernova-malware\\\/\"},\"author\":{\"name\":\"Infoblox Threat Intel\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/b6aed8965e3298a0817c16d32c0a67ae\"},\"headline\":\"Cyber Threat Advisory: SUPERNOVA Malware\",\"datePublished\":\"2021-02-01T17:09:32+00:00\",\"dateModified\":\"2024-04-26T20:20:56+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/supernova-malware\\\/\"},\"wordCount\":613,\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/supernova-malware\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/ciu-image-32.jpg\",\"keywords\":[\"Cybersecurity\",\"Malware\",\"SolarWinds\",\"Supernova\"],\"articleSection\":[\"Cyber Threat Advisory\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/supernova-malware\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/supernova-malware\\\/\",\"name\":\"SUPERNOVA Malware\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/supernova-malware\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/supernova-malware\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/ciu-image-32.jpg\",\"datePublished\":\"2021-02-01T17:09:32+00:00\",\"dateModified\":\"2024-04-26T20:20:56+00:00\",\"description\":\"SUPERNOVA Malware. On 27 January, the Cybersecurity & Infrastructure Security Agency (CISA) published a Malware Analysis Report (MAR) on malware affecting SolarWinds\u2019 Orion platform.1 Cybersecurity company FireEye has named the malware SUPERNOVA. Both CISA and SolarWinds assessed that SUPERNOVA is not related to the supply chain attack on SolarWinds that was discovered in December 2020 but was designed to appear as part of the SolarWinds product. The report details the analysis of a PowerShell script that installs a malicious webshell backdoor - SUPERNOVA - allowing an attacker to inject and execute C# code into the SolarWinds software.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/supernova-malware\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/supernova-malware\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/supernova-malware\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/ciu-image-32.jpg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/ciu-image-32.jpg\",\"width\":612,\"height\":344,\"caption\":\"Digital Cloud Computing, Cyber Security, Digital Data Network Protection, Future Technology Digital Data Network Connection Background Concept.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/supernova-malware\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Infoblox Threat Intel\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/category\\\/threat-intelligence\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Cyber Threat Advisory\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/category\\\/threat-intelligence\\\/cyber-threat-advisory\\\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Cyber Threat Advisory: SUPERNOVA Malware\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"name\":\"infoblox.com\\\/blog\\\/\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\",\"name\":\"Infoblox\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"width\":137,\"height\":30,\"caption\":\"Infoblox\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/b6aed8965e3298a0817c16d32c0a67ae\",\"name\":\"Infoblox Threat Intel\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_397_1714162589-96x96.png\",\"url\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_397_1714162589-96x96.png\",\"contentUrl\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_397_1714162589-96x96.png\",\"caption\":\"Infoblox Threat Intel\"},\"description\":\"Infoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access to the internet's inner workings allow us to track down threat actors that others can't see. We're proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox Protective DNS solutions, so customers automatically get its benefits, along with ridiculously low false positive rates.\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/author\\\/infoblox-threat-intel\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"SUPERNOVA Malware","description":"SUPERNOVA Malware. On 27 January, the Cybersecurity & Infrastructure Security Agency (CISA) published a Malware Analysis Report (MAR) on malware affecting SolarWinds\u2019 Orion platform.1 Cybersecurity company FireEye has named the malware SUPERNOVA. Both CISA and SolarWinds assessed that SUPERNOVA is not related to the supply chain attack on SolarWinds that was discovered in December 2020 but was designed to appear as part of the SolarWinds product. The report details the analysis of a PowerShell script that installs a malicious webshell backdoor - SUPERNOVA - allowing an attacker to inject and execute C# code into the SolarWinds software.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/supernova-malware\/","og_locale":"en_US","og_type":"article","og_title":"Cyber Threat Advisory: SUPERNOVA Malware","og_description":"SUPERNOVA Malware. On 27 January, the Cybersecurity & Infrastructure Security Agency (CISA) published a Malware Analysis Report (MAR) on malware affecting SolarWinds\u2019 Orion platform.1 Cybersecurity company FireEye has named the malware SUPERNOVA. Both CISA and SolarWinds assessed that SUPERNOVA is not related to the supply chain attack on SolarWinds that was discovered in December 2020 but was designed to appear as part of the SolarWinds product. The report details the analysis of a PowerShell script that installs a malicious webshell backdoor - SUPERNOVA - allowing an attacker to inject and execute C# code into the SolarWinds software.","og_url":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/supernova-malware\/","og_site_name":"Infoblox Blog","article_published_time":"2021-02-01T17:09:32+00:00","article_modified_time":"2024-04-26T20:20:56+00:00","og_image":[{"width":612,"height":344,"url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ciu-image-32.jpg","type":"image\/jpeg"}],"author":"Infoblox Threat Intel","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Infoblox Threat Intel","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/supernova-malware\/#article","isPartOf":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/supernova-malware\/"},"author":{"name":"Infoblox Threat Intel","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/person\/b6aed8965e3298a0817c16d32c0a67ae"},"headline":"Cyber Threat Advisory: SUPERNOVA Malware","datePublished":"2021-02-01T17:09:32+00:00","dateModified":"2024-04-26T20:20:56+00:00","mainEntityOfPage":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/supernova-malware\/"},"wordCount":613,"publisher":{"@id":"https:\/\/www.infoblox.com\/blog\/#organization"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/supernova-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ciu-image-32.jpg","keywords":["Cybersecurity","Malware","SolarWinds","Supernova"],"articleSection":["Cyber Threat Advisory"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/supernova-malware\/","url":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/supernova-malware\/","name":"SUPERNOVA Malware","isPartOf":{"@id":"https:\/\/www.infoblox.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/supernova-malware\/#primaryimage"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/supernova-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ciu-image-32.jpg","datePublished":"2021-02-01T17:09:32+00:00","dateModified":"2024-04-26T20:20:56+00:00","description":"SUPERNOVA Malware. On 27 January, the Cybersecurity & Infrastructure Security Agency (CISA) published a Malware Analysis Report (MAR) on malware affecting SolarWinds\u2019 Orion platform.1 Cybersecurity company FireEye has named the malware SUPERNOVA. Both CISA and SolarWinds assessed that SUPERNOVA is not related to the supply chain attack on SolarWinds that was discovered in December 2020 but was designed to appear as part of the SolarWinds product. The report details the analysis of a PowerShell script that installs a malicious webshell backdoor - SUPERNOVA - allowing an attacker to inject and execute C# code into the SolarWinds software.","breadcrumb":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/supernova-malware\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/supernova-malware\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/supernova-malware\/#primaryimage","url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ciu-image-32.jpg","contentUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ciu-image-32.jpg","width":612,"height":344,"caption":"Digital Cloud Computing, Cyber Security, Digital Data Network Protection, Future Technology Digital Data Network Connection Background Concept."},{"@type":"BreadcrumbList","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/supernova-malware\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.infoblox.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Infoblox Threat Intel","item":"https:\/\/www.infoblox.com\/blog\/category\/threat-intelligence\/"},{"@type":"ListItem","position":3,"name":"Cyber Threat Advisory","item":"https:\/\/www.infoblox.com\/blog\/category\/threat-intelligence\/cyber-threat-advisory\/"},{"@type":"ListItem","position":4,"name":"Cyber Threat Advisory: SUPERNOVA Malware"}]},{"@type":"WebSite","@id":"https:\/\/www.infoblox.com\/blog\/#website","url":"https:\/\/www.infoblox.com\/blog\/","name":"infoblox.com\/blog\/","description":"","publisher":{"@id":"https:\/\/www.infoblox.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.infoblox.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.infoblox.com\/blog\/#organization","name":"Infoblox","url":"https:\/\/www.infoblox.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-logo-2.svg","contentUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-logo-2.svg","width":137,"height":30,"caption":"Infoblox"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/person\/b6aed8965e3298a0817c16d32c0a67ae","name":"Infoblox Threat Intel","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_397_1714162589-96x96.png","url":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_397_1714162589-96x96.png","contentUrl":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_397_1714162589-96x96.png","caption":"Infoblox Threat Intel"},"description":"Infoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access to the internet's inner workings allow us to track down threat actors that others can't see. We're proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox Protective DNS solutions, so customers automatically get its benefits, along with ridiculously low false positive rates.","url":"https:\/\/www.infoblox.com\/blog\/author\/infoblox-threat-intel\/"}]}},"_links":{"self":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/5946","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/users\/397"}],"replies":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/comments?post=5946"}],"version-history":[{"count":7,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/5946\/revisions"}],"predecessor-version":[{"id":6065,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/5946\/revisions\/6065"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media\/6736"}],"wp:attachment":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media?parent=5946"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/categories?post=5946"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/tags?post=5946"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}