Security Threat Intelligence Report · 2021. 1. 26.

January 2021

In this issue

SolarWinds hack special report

− Industry impact

− Indicators of compromise

− Threat-hunting approaches


Message from Mark Hughes

In the words of WIRED magazine, “Russia’s SolarWinds hack is a historic mess.” New revelations about this wide-reaching, trusted supply-chain attack are surfacing daily. In this special report, we’ve compiled the latest updates on the impact, indicators of compromise and threat-hunting approaches from numerous sources. I suspect we’ll be hearing about the impact of this nation-state campaign for some time. We’ll endeavor to keep you informed. In the meantime, stay safe!

Mark Hughes Senior Vice President Offerings & Strategic Partners DXC Technology

About this report

Fusing a range of public and proprietary information feeds, including DXC’s global network of security operations centers and cyber intelligence services, this report delivers an overview of major incidents, insights into key trends and strategic threat awareness.

This report is a part of DXC Labs | Security, which provides insights and thought leadership to the security industry.

Intelligence cutoff date:

January 22, 2021

Table of contents

Threat Updates
  Massive SolarWinds hack widens
    Industry impact: multi-industry
    Malware components:
      • SUNBURST backdoor
      • TEARDROP memory-resident implant
      • SUPERNOVA web shell implant / CosmicGale PowerShell script

Threat Updates

Massive SolarWinds hack widens

Details continue to emerge about the massive hack of Austin, Texas-based SolarWinds, affecting potentially thousands of U.S. government agencies, tech firms and Fortune 500 companies. On Dec. 13, 2020, SolarWinds confirmed that hackers had inserted malware into a service that provided software updates for its Orion platform, a widely used product that monitors the health of IT networks. SolarWinds reported that as many as 18,000 customers may have installed the Orion product with the malicious code. According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the intruders used that foothold to move laterally within victims’ networks and email systems, including by adding authentication tokens and credentials to Microsoft Active Directory domain accounts. The trusted supply chain attack is believed to have gone unnoticed from March to December 2020.

Several U.S. defense and security agencies formally blamed Russian nation-state hackers who appear to be associated with the group known as Cozy Bear or APT29 (advanced persistent threat group 29), attributed to Russia’s foreign intelligence service, the SVR. Russia has denied the allegations.

A wide range of intrusions has been reported:

• The malware was discovered by security firm FireEye, which announced an intrusion and the theft of about 300 proprietary software tools, including Red Team penetration testing tools used by its customers to identify vulnerabilities in their IT operations. FireEye quickly identified the SolarWinds backdoor as the source of the hack.

• Microsoft disclosed in December that hackers had viewed some of the software company’s source code, but had been unable to modify the code or compromise Microsoft’s products and services. Microsoft then took control of a key domain, avsvmcloud.com, which the SolarWinds hackers had used to communicate with systems compromised by the backdoored Orion product updates. Microsoft said it had identified more than 40 customers that the hackers had targeted more precisely and compromised.

• The SolarWinds hack is believed to have impacted at least 10 federal agencies, including email systems at the U.S. Treasury and the Department of Commerce and business systems of the U.S. Department of Energy and the National Nuclear Security Administration, which maintains the country’s nuclear stockpile. In response, CISA issued an emergency directive requiring all federal agencies to immediately disconnect the affected Orion products from their networks.

• Email security vendor Mimecast disclosed in January that a certificate used to authenticate several of the company’s products to Microsoft 365 Exchange Web Services was compromised. The company believes about 10 percent of its customers use the compromised connection, but the number of Microsoft 365 tenants actually targeted was in the low single digits.

Key figures:

• 33,000: total number of SolarWinds Orion customers (source: KrebsOnSecurity)

• 18,000: customers that may have installed the Orion product with malicious code (source: KrebsOnSecurity)

• 11: number of major federal, state and local agencies that have confirmed SolarWinds compromises (source: Business Insider)

Several names are being used to identify the attack:

• Microsoft labeled the attack “Solorigate” in Windows Defender.

• FireEye is tracking the campaign as UNC2452.

• Volexity, which tracks the threat actor as Dark Halo, has tied the attack to incidents it investigated as far back as 2019.

• CrowdStrike has given the name StellarParticle.

Impact

In addition to stealing sensitive information, the hackers could potentially alter or destroy records, improve their ability to access new targets, and use stolen information to extort individuals working for government and private sector organizations. An estimated 80 percent of victims were located in the United States; however, seven other countries could be affected: Canada, Mexico, the United Kingdom, Belgium, Spain, Israel and the United Arab Emirates. Attempts to compromise security and technology companies indicate the hackers were trying to insert the malware into other widely used software products to propagate it on an even wider basis.

Malware components

The following malware components have been described in connection with the campaign (SUPERNOVA and CosmicGale are now believed to be unrelated to the SUNBURST supply chain compromise; see Attack Phase 3):

• SUNBURST: A .NET backdoor written in C#. It was distributed as part of a trojanized Windows Installer patch delivered through SolarWinds’ own Orion update mechanism. SUNSPOT is the name given to the build-system implant that injected the SUNBURST code into the SolarWinds Orion platform.

• TEARDROP: A memory-resident implant primarily used to deliver the Cobalt Strike Beacon payload.

• RAINDROP: Similar to TEARDROP, with one key difference: TEARDROP was delivered by the initial SUNBURST backdoor, while RAINDROP appears to have been used for spreading across the victim’s network.

• SUPERNOVA: A web shell implant used to deliver and execute additional code on exposed Orion hosts.

• CosmicGale: Malicious PowerShell scripts executed on compromised hosts via SUPERNOVA to steal credentials. Some researchers have assigned this name to the scripts.

SolarWinds products impacted (source: SolarWinds):

Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, or 2020.2 HF 1, including these modules:

• Application Centric Monitor (ACM)
• Database Performance Analyzer Integration Module* (DPAIM*)
• Enterprise Operations Console (EOC)
• High Availability (HA)
• IP Address Manager (IPAM)
• Log Analyzer (LA)
• NetFlow Traffic Analyzer (NTA)
• Network Automation Manager (NAM)
• Network Configuration Manager (NCM)
• Network Operations Manager (NOM)
• Network Performance Monitor (NPM)
• Server & Application Monitor (SAM)
• Server Configuration Monitor (SCM)
• Storage Resource Monitor (SRM)
• Virtualization Manager (VMAN)
• VoIP & Network Quality Manager (VNQM)
• User Device Tracker (UDT)
• Web Performance Monitor (WPM)

Attack phase 1: SUNBURST backdoor

SolarWinds file weaponized

File name: SolarWinds.Orion.Core.BusinessLayer.dll

MD5 hashes: b91ce2fa41029f6955bff20079468448, 846e27a652a5e1bfbd0ddd38a16dc865 or 2c4a910a1299cdae2a4e55988a2f102e

Related file location: C:\WINDOWS\SysWOW64\netsetupsvc.dll (this is the path at which the TEARDROP second-stage loader was observed; the SUNBURST DLL itself lives in the Orion installation and assembly cache paths listed under SUNBURST hunting below)

Other SHA-256 file hashes to search for:

32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b
eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed
c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77
ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c
019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc
d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af
c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71

SolarWinds.Orion.Core.BusinessLayer.dll is a SolarWinds-signed plugin component. SUNBURST is executed when a compromised SolarWinds Orion service starts and loads its plugins. The backdoor functions are believed to be contained in an added class/namespace called SolarWinds.Orion.Core.OrionImprovementBusinessLayer. This naming was most likely chosen to blend in and avoid detection by security teams and SolarWinds developers. The malware remains dormant for up to 2 weeks once it is on the targeted system. During this time the malware identifies antivirus processes, services and drivers, and endpoint protection/detection processes, services and drivers.

Upon awakening, the malware executes a command set named “Jobs.”

“Jobs” functions include:

• Execute files
• Transfer files
• Collect system information
• Disable system services

The malware attempts to remain undetected by blending its network traffic with legitimate SolarWinds activity: its traffic is shaped to resemble the Orion Improvement Program (OIP) protocol. Upon execution, the dynamic link library (DLL) will attempt the following actions:

• Resolve a subdomain of avsvmcloud.com
• Download additional malware
• Elevate privileges (some researchers believe this occurs during the dormant stage as well)
• Move laterally within the environment (some researchers believe this occurs during the dormant stage as well)
• Exfiltrate data

If the avsvmcloud.com lookup succeeds, the DNS response may deliver a CNAME record that points to a C2 domain. This is referred to as secondary C2 activity. Prior to reaching out to the avsvmcloud.com domain, SUNBURST attempts to resolve the following name as a connectivity check:

api.solarwinds.com

Note: Microsoft, FireEye and GoDaddy seized the avsvmcloud.com domain, which the threat actors used to communicate with compromised systems.

According to the Microsoft Threat Intelligence Center, the C2 hostname comprises four different parts:

• Three come from strings that are hard-coded in the backdoor.
• One component is generated dynamically from unique information extracted from the device.

Every affected device therefore generates a different subdomain/C2 hostname to contact.

The dynamically generated portion of the hostname is computed by hashing the following data:

• The physical (MAC) address of the network interface
• The domain name of the device
• The content of the MachineGuid registry value from the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography

Examples of final URLs generated by the backdoor:

• hxxps://3mu76044hgf7shjf[.]appsync-api[.]eu-west-1[.]avsvmcloud[.]com/swip/upd/Orion[.]Wireless[.]xml
• hxxps://3mu76044hgf7shjf[.]appsync-api[.]us-east-2[.]avsvmcloud[.]com/pki/crl/492-ca[.]crl
• hxxps://3mu76044hgf7shjf[.]appsync-api[.]us-east-1[.]avsvmcloud[.]com/fonts/woff/6047-freefont-ExtraBold[.]woff2

It is expected that all compromised machines will attempt to reach out to the avsvmcloud.com domain; however, this cannot be confirmed at this time. Threat actors appear to pick targets of interest for deployment of the second-stage malware, TEARDROP.

Flow chart provided by FireEye.

SUNBURST hunting:

1. Verify whether you are running SolarWinds Orion version 2019.4 through 2020.2.1 HF1 and, if so, establish which networks are managed by it (likely all or most of your network).

2. CISA recommends disconnecting and powering down affected versions of SolarWinds Orion.

3. Check for the following indicators:

• SolarWinds.Orion.Core.BusinessLayer.dll present. It may be located in two places:
  - %PROGRAMFILES%\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll
  - %WINDIR%\System32\config\systemprofile\AppData\Local\assembly\tmp\<VARIES>\SolarWinds.Orion.Core.BusinessLayer.dll

  The malicious version carries this Signer and SignerHash:
  - “Signer”: “Solarwinds Worldwide LLC”
  - “SignerHash”: “47d92d49e6f7f296260da1af355f941eb25360c4”

  Note that the legitimate DLL is signed by the same SolarWinds certificate, so the signer alone does not distinguish clean builds from trojanized ones; compare file hashes against the list above.

• The existence of the file C:\WINDOWS\SysWOW64\netsetupsvc.dll may indicate a compromise.

• Check for outbound traffic to hostnames in the avsvmcloud.com domain (e.g., review DNS logs).
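The following Python script is added here as a worked example of step 3; it is not from the DXC report, FireEye or CISA. It walks a directory tree for SolarWinds.Orion.Core.BusinessLayer.dll, hashes each copy with SHA-256 and compares it against the hash list given earlier in this section, flags a netsetupsvc.dll under SysWOW64, and scans DNS log lines for names of the form <label>.appsync-api.<region>.avsvmcloud.com shown in the example URLs above. The BIND-style log lines, the directory layout and the placeholder file contents are constructed for the demonstration and are not a real Orion installation.

```python
"""Hunt for SUNBURST artefacts: trojanized Orion DLL hashes on disk and avsvmcloud.com lookups in DNS logs.
Added example for this report; the hash list is copied from the indicators above, everything else is constructed."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# SHA-256 hashes listed in this report for trojanized SolarWinds.Orion.Core.BusinessLayer.dll builds
# and the associated update package. An unknown hash is NOT proof of a clean file: compare it against
# the vendor's published hash for your exact Orion build as well.
KNOWN_SUNBURST_SHA256 = {
    "32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77",
    "dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b",
    "eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed",
    "c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77",
    "ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c",
    "019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134",
    "ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6",
    "a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc",
    "d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af",
    "c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71",
}
ORION_DLL = "solarwinds.orion.core.businesslayer.dll"
TEARDROP_DLL = "netsetupsvc.dll"

# Hostname shape from the sample URLs in this report: <dga-label>.appsync-api.<region>.avsvmcloud.com
SUNBURST_C2 = re.compile(r"(?i)\b([a-z0-9]+)\.appsync-api\.([a-z0-9-]+)\.avsvmcloud\.com\b")
ANY_AVSVMCLOUD = re.compile(r"(?i)\b[a-z0-9.-]*avsvmcloud\.com\b")


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root):
    """Walk root and report every Orion business-layer DLL (with a hash verdict) and any SysWOW64 netsetupsvc.dll."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            path = Path(dirpath) / name
            if lower == ORION_DLL:
                digest = sha256_file(path)
                findings.append({"path": str(path), "sha256": digest,
                                 "verdict": "known SUNBURST build" if digest in KNOWN_SUNBURST_SHA256
                                 else "unknown hash: verify against vendor hash for this build"})
            elif lower == TEARDROP_DLL and dirpath.lower().endswith("syswow64"):
                findings.append({"path": str(path), "sha256": sha256_file(path),
                                 "verdict": "file name/location matches TEARDROP loader: investigate"})
    return findings


def scan_dns_log(lines):
    """Flag avsvmcloud.com lookups; split SUNBURST-shaped names into their DGA label and region."""
    hits = []
    for line in lines:
        m = SUNBURST_C2.search(line)
        if m:
            hits.append({"line": line, "shape": "sunburst", "dga_label": m.group(1), "region": m.group(2)})
        elif ANY_AVSVMCLOUD.search(line):
            hits.append({"line": line, "shape": "other", "dga_label": None, "region": None})
    return hits


# Constructed BIND-style query log lines (not real telemetry). api.solarwinds.com is the benign
# connectivity check SUNBURST performs first and is deliberately not flagged.
SAMPLE_DNS_LOG = [
    "26-Jan-2021 10:00:01.123 client 10.0.0.5#53211: query: api.solarwinds.com IN A + (10.0.0.2)",
    "26-Jan-2021 10:00:01.456 client 10.0.0.5#53212: query: 3mu76044hgf7shjf.appsync-api.eu-west-1.avsvmcloud.com IN A + (10.0.0.2)",
    "26-Jan-2021 10:00:02.001 client 10.0.0.9#53213: query: www.example.com IN A + (10.0.0.2)",
    "26-Jan-2021 10:00:02.777 client 10.0.0.7#53214: query: avsvmcloud.com IN A + (10.0.0.2)",
]


def demo():
    """Build a constructed directory tree with placeholder files (not malware) and run both scans."""
    with tempfile.TemporaryDirectory() as tmp:
        orion_dir = Path(tmp) / "Program Files" / "SolarWinds" / "Orion"
        orion_dir.mkdir(parents=True)
        (orion_dir / "SolarWinds.Orion.Core.BusinessLayer.dll").write_bytes(b"constructed placeholder, not the real DLL")
        syswow = Path(tmp) / "Windows" / "SysWOW64"
        syswow.mkdir(parents=True)
        (syswow / "netsetupsvc.dll").write_bytes(b"constructed placeholder")
        return scan_tree(tmp), scan_dns_log(SAMPLE_DNS_LOG)


if __name__ == "__main__":
    files, dns = demo()
    for f in files:
        print(f["verdict"], f["path"], f["sha256"])
    for h in dns:
        print(h["shape"], h["dga_label"], h["region"])
```

On a real host, point scan_tree at %PROGRAMFILES%\SolarWinds and %WINDIR%\System32\config\systemprofile\AppData\Local\assembly rather than the whole drive, and feed scan_dns_log your resolver's query logs; a hit on a hostname with the SUNBURST shape identifies the specific machine (the DGA label encodes host-specific data) and should be treated as a confirmed beacon rather than a generic IOC match.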

Attack Phase 2: TEARDROP memory-resident implant

TEARDROP is a memory-resident implant and malware dropper used to deliver the Cobalt Strike Beacon payload. It is deployed against targets the attackers consider to be high value.

File hashes (SHA-256):

• b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07 (Symantec)
• 1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c (Symantec)
• 118189f90da3788362fe85eafa555298423e21ec37f147f3bf88c61d4cd46c51

Three variants of TEARDROP have been observed, differentiated by the .jpg file each one reads:

• upbeat_anxiety.jpg (Symantec)
• festive_computer.jpg (Symantec)
• gracious_truth.jpg (FireEye)

All variants behave similarly and are used to deliver the Cobalt Strike commodity malware. Current indications suggest TEARDROP can drop other malware as well.

TEARDROP characteristics and flow:

• Runs in memory.
• Registers a Windows service.
• Checks the Windows registry for the key HKU\SOFTWARE\Microsoft\CTF.
• Decodes an embedded payload using a custom, rolling XOR algorithm.
• Manually loads the decoded payload into memory; the payload uses a custom variant of the portable executable (PE) file format.
• In all TEARDROP samples analyzed, the dropped payload is Cobalt Strike Beacon.
• The Beacon then connects to infinitysoftwares.com for command and control; in some samples it connects to ervsystem.com instead.

TEARDROP’s control flow: a DLL export function named “Tk_CreateImageType” is called during the service’s execution. This function attempts to read the variant’s JPEG image (upbeat_anxiety.jpg, festive_computer.jpg or gracious_truth.jpg) from the current directory before proceeding to decode the payload.

Attack Phase 2: second-stage malware RAINDROP

RAINDROP is a DLL built from a modified version of the 7-Zip source code and also used to deliver the Cobalt Strike Beacon payload. Discovered by Symantec, RAINDROP is a loader for Cobalt Strike that appears to have been used for spreading across the victim’s network. (Open-source 7-Zip code has been repurposed by malware before.)

The DLL is compiled so that the name field of its export directory table reads 7-zip.dll. (Note: the 7-Zip application will not launch from it.)

The export names are:

• DllCanUnloadNow
• DllGetClassObject
• DllRegisterServer
• DllUnregisterServer

plus one of the following, selected at random:

• Tk_DistanceToTextLayout
• Tk_GetScrollInfoObj
• Tk_MainLoop
• XGetGeometry

RAINDROP performs the following upon execution:

1. Extract the encoded payload (stored steganographically inside the machine code).
2. Decrypt the extracted payload using AES in CBC mode.
3. Decompress the decrypted payload using the LZMA algorithm.
4. Decrypt the decompressed payload with a simple single-byte XOR.
5. Execute the resulting payload as shellcode.

TEARDROP and RAINDROP packer comparison (source: Symantec):

Payload format
  TEARDROP: Custom, reusing features from the PE format. It may be possible to reuse the packer with a range of different payloads supplied as PE DLLs with automatic conversion.
  RAINDROP: Shellcode only.

Payload embedding
  TEARDROP: Binary blob in data section.
  RAINDROP: Steganography, stored at pre-determined locations within the machine code.

Payload encryption
  TEARDROP: visualDecrypt combined with XOR using a long key.
  RAINDROP: AES layer before decompression; separate XOR layer using a one-byte key after decompression.

Payload compression
  TEARDROP: None.
  RAINDROP: LZMA.

Obfuscation
  TEARDROP: Reading a JPEG file. Inserted blocks of junk code, some of which could be generated using a polymorphic engine.
  RAINDROP: Non-functional code to delay execution.

Export names
  TEARDROP: Export names vary; in some cases names overlap with Tcl/Tk projects.
  RAINDROP: Export names overlap with Tcl/Tk projects.

Stolen code
  TEARDROP: Byte-copy of machine code from pre-existing third-party components. The original code is distributed in compiled format only.
  RAINDROP: Recompiled third-party source code.

TEARDROP and RAINDROP similarities (source: Symantec):

TEARDROP
  SHA-256: b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07
  URLs: https(://)infinitysoftwares(.)com/files/information_055.pdf
        https(://)infinitysoftwares(.)com/wp-admin/new_file.php
  POST form: name="uploaded_1";filename="33139.pdf" Content-Type: text/plain

RAINDROP
  SHA-256: be9dbbec6937dfe0a652c0603d4972ba354e83c06b8397d6555fd1847da36725
  URLs: https(://)bigtopweb(.)com/files/page_306.pdf
        https(://)bigtopweb(.)com/wp-admin/admin-ajax.php
  POST form: name="uploaded_1";filename="84921.pdf" Content-Type: text/plain

RAINDROP
  SHA-256: f2d38a29f6727f4ade62d88d8a68de0d52a0695930b8c92437a2f9e4de92e418
  URLs: https(://)panhardware(.)com/files/documentation_076.pdf
        https(://)panhardware(.)com/wp-admin/new_file.php
  POST form: name="uploaded_1";filename="18824.pdf" Content-Type: text/plain

RAINDROP indicators of compromise (source: Symantec):

• f2d38a29f6727f4ade62d88d8a68de0d52a0695930b8c92437a2f9e4de92e418: astdrvx64.dll & sddc.dll (RAINDROP)
• be9dbbec6937dfe0a652c0603d4972ba354e83c06b8397d6555fd1847da36725: bproxy.dll (RAINDROP)
• 955609cf0b4ea38b409d523a0f675d8404fee55c458ad079b4031e02433fdbf3: cbs.dll (RAINDROP)

Transition from the Solorigate backdoor to Cobalt Strike

According to Microsoft, most machines running the backdoored version of the SolarWinds DLL communicated with the initial, per-machine generated DNS name under avsvmcloud.com, and a large number of these machines showed no further activity. Microsoft did identify limited cases in May and June 2020 in which the initial DNS communication was closely followed by network activity on port 443 (HTTPS) to other legitimate-looking domains.

The Solorigate backdoor only activates for certain victim profiles. When this happens, the executing process (usually SolarWinds.BusinessLayerHost.exe) creates two files on disk:

• A VBScript, typically named after existing services or folders to blend into legitimate activity on the machine.
• A second-stage DLL implant, a custom Cobalt Strike loader, typically compiled uniquely per machine and written into a legitimate-looking subfolder of %WinDir% (e.g., C:\Windows).

Microsoft’s analysis of the Cobalt Strike loaders identified several second-stage loader families: TEARDROP, RAINDROP and other custom loaders for the Cobalt Strike Beacon. During the lateral movement phase, the custom loader DLLs are dropped mostly in existing Windows sub-directories. Some example paths include:

• C:\Windows\ELAMBKUP\WdBoot.dll
• C:\Windows\Registration\crmlog.dll
• C:\Windows\SKB\LangModel.dll
• C:\Windows\AppPatch\AcWin.dll
• C:\Windows\PrintDialog\appxsig.dll
• C:\Windows\Microsoft.NET\Framework64\sbscmp30.dll
• C:\Windows\Panther\MainQueueOnline.dll
• C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\msbuild.dll
• C:\Windows\LiveKernelReports\KerRep.dll

Source: Microsoft

Each loader file name is chosen to resemble a legitimate file or directory that already exists beside it (legitimate Windows file/directory -> malicious custom loader):

• C:\Windows\ELAMBKUP\WdBoot.sys -> C:\Windows\ELAMBKUP\WdBoot.dll
• C:\Windows\Registration\CRMLog -> C:\Windows\Registration\crmlog.dll
• C:\Windows\SKB\LanguageModels -> C:\Windows\SKB\LangModel.dll
• C:\Windows\AppPatch\AcRes.dll -> C:\Windows\AppPatch\AcWin.dll
• C:\Windows\PrintDialog\appxsignature.p7x -> C:\Windows\PrintDialog\appxsig.dll
• C:\Windows\Microsoft.NET\Framework64\sbscmp10.dll -> C:\Windows\Microsoft.NET\Framework64\sbscmp30.dll
• C:\Windows\Panther\MainQueueOnline0.que -> C:\Windows\Panther\MainQueueOnline.dll
• C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe -> C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\msbuild.dll

Custom Cobalt Strike Beacon loader (SHA-256):

118189f90da3788362fe85eafa555298423e21ec37f147f3bf88c61d4cd46c51

1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c

1ec138f21a315722fb702706b4bdc0f544317f130f4a009502ec98345f85e4ad

2a276f4b11f47f81dd2bcb850a158d4202df836769da5a23e56bf0353281473e

327f1d94bc26779cbe20f8689be12c7eee2e390fbddb40b92ad00b1cddfd6426

3985dea8e467c56e8cc44ebfc201253ffee923765d12808aaf17db2c644c4c06

557f91404fb821d7c1e98d9f2f5296dc12712fc19c87a84602442b4637fb23d4

5cf85c3d18cd6dba8377370883a0fffda59767839156add4c8912394f76d6ef0

5f8650ca0ed22ad0d4127eb4086d4548ec31ad035c7aec12c6e82cb64417a390

674075c8f63c64ad5fa6fd5e2aa6e4954afae594e7b0f07670e4322a60f3d0cf

6ff3a4f7fd7dc793e866708ab0fe592e6c08156b1aa3552a8d74e331f1aea377

7c68f8d80fc2a6347da7c196d5f91861ba889afb51a4da4a6c282e06ef5bdb7e

915705c09b4bd108bcd123fe35f20a16d8c9c7d38d93820e8c167695a890b214

948bfdfad43ad52ca09890a4d2515079c29bdfe02edaa53e7d92858aa2dfbe4c

955609cf0b4ea38b409d523a0f675d8404fee55c458ad079b4031e02433fdbf3

b348546f4c6a9bcafd81015132f09cf8313420eb653673bf3d65046427b1167f

b35e0010e0734fcd9b5952ae93459544ae33485fe0662fae715092e0dfb92ad3

b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07

be9dbbec6937dfe0a652c0603d4972ba354e83c06b8397d6555fd1847da36725

c5a818d9b95e1c548d6af22b5e8663a2410e6d4ed87df7f9daf7df0ef029872e

c741797dd400de5927f8b5317165fc755d6439749c39c380a1357eac0a00f90c

c7924cc1bc388cfcdc2ee2472899cd34a2ef4414134cbc23a7cb530650f93d98

c96b7a3c9acf704189ae8d6124b5a7b1f0e8c83c246b59bc5ff15e17b7de4c84

cbbe224d9854d6a4269ed2fa9b22d77681f84e3ca4e5d6891414479471f5ca68

cdd9b4252ef2f6e64bccc91146ec5dc51d94e2761184cd0ffa9909aa739fa17e

dbd26ccb3699f426dc6799e218b91d1a3c1d08ad3006bc2880e29c755a4e2338

e60e1bb967db273b922deeea32d56fc6d9501a236856ef9a3e5f76c1f392000a

f2d38a29f6727f4ade62d88d8a68de0d52a0695930b8c92437a2f9e4de92e418

f61a37aa8581986ba600286d65bb76100fb44e347e253f1f5ad50051e5f882f5

f81987f1484bfe5441be157250b35b0a2d7991cf9272fa4eacd3e9f0dee235de

Source: Microsoft

File paths for the custom Cobalt Strike Beacon loader:

C:\Windows\ms\sms\sms.dll

C:\Windows\Microsoft.NET\Framework64\sbscmp30.dll

C:\Windows\AUInstallAgent\auagent.dll

C:\Windows\apppatch\apppatch64\sysmain.dll

C:\Windows\Vss\Writers\Application\AppXML.dll

C:\Windows\PCHEALTH\health.dll

C:\Windows\Registration\crmlog.dll

C:\Windows\Cursors\cursrv.dll

C:\Windows\AppPatch\AcWin.dll

C:\Windows\CbsTemp\cbst.dll

C:\Windows\AppReadiness\Appapi.dll

C:\Windows\Panther\MainQueueOnline.dll

C:\Windows\AppReadiness\AppRead.dll

C:\Windows\PrintDialog\PrintDial.dll

C:\Windows\ShellExperiences\MtUvc.dll

C:\Windows\PrintDialog\appxsig.dll

C:\Windows\DigitalLocker\lock.dll

C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\msbuild.dll

C:\Windows\Migration\WTR\ctl.dll

C:\Windows\ELAMBKUP\WdBoot.dll

C:\Windows\LiveKernelReports\KerRep.dll

C:\Windows\Speech_OneCore\Engines\TTS\en-US\enUS.Name.dll

C:\Windows\SoftwareDistribution\DataStore\DataStr.dll

C:\Windows\RemotePackages\RemoteApps\RemPack.dll

C:\Windows\ShellComponents\TaskFlow.dll

Cobalt Strike Beacon command-and-control domains:

aimsecurity[.]net

datazr[.]com

ervsystem[.]com

financialmarket[.]org

gallerycenter[.]org

infinitysoftwares[.]com

mobilnweb[.]com

olapdatabase[.]com

swipeservice[.]com

techiefly[.]com

Attack Phase 3: SUPERNOVA web shell and CosmicGale PowerShell script

Initially, researchers believed SUPERNOVA and CosmicGale were embedded with SUNBURST. Further research by multiple firms has determined that this is likely not the case.

Researcher Nick Carr at Microsoft believes the SUPERNOVA web shell was not part of the original attack chain (https://github.com/fireeye/SUNBURST_countermeasures/pull/5). According to Carr, “The SUPERNOVA web shell appears to be planted on SolarWinds Orion installations that have been left exposed online and been compromised with exploits similar to a vulnerability tracked as CVE-2019-8917.”

CVE-2019-8917 detail

SolarWinds Orion NPM before 12.4 suffers from a SYSTEM-level remote code execution vulnerability in the OrionModuleEngine service. This service establishes a NetTcpBinding endpoint that allows remote, unauthenticated clients to connect and call publicly exposed methods. The InvokeActionMethod method may be abused by an attacker to execute commands as the SYSTEM user.

Researchers at GuidePoint, Symantec and Palo Alto Networks initially indicated that SUPERNOVA and CosmicGale were part of the SolarWinds compromise; however, subsequent research has shown this may not be the case.

The confusion that SUPERNOVA was related to the SUNBURST/TEARDROP attack chain can be attributed to the following:

• Both SUNBURST and SUPERNOVA are disguised as DLLs belonging to the Orion application.
• SUNBURST is hidden inside the SolarWinds.Orion.Core.BusinessLayer.dll file, as discussed above.
• SUPERNOVA is hidden inside App_Web_logoimagehandler.ashx.b6031896.dll.

Microsoft researchers cite the difference in TTPs between SUNBURST and SUPERNOVA as the reason the two are unrelated:

• SUPERNOVA was not code-signed, which is uncharacteristic of the attackers that created SUNBURST.
• The dummy buffer code the SUNBURST authors added to the Orion code was not present in SUPERNOVA.

SolarWinds announced on December 31, “SUPERNOVA is not malicious code embedded within the builds of our Orion® Platform as a supply chain attack. It is malware that is separately placed on a server that requires unauthorized access to a customer’s network and is designed to appear to be part of a SolarWinds product.

“The SUPERNOVA malware consisted of two components. The first was a malicious, unsigned webshell .dll “app_web_logoimagehandler.ashx.b6031896.dll” specifically written to be used on the SolarWinds Orion Platform.

“The second is the utilization of a vulnerability in the Orion Platform to enable deployment of the malicious code. This vulnerability in the Orion Platform has been resolved in the latest updates.”

SUPERNOVA web shell

The SUPERNOVA web shell is a weaponized version of a legitimate .NET DLL in the SolarWinds Orion web application. The purpose of the original DLL is to serve a user-configured logo to web pages in the Orion web application.

Attackers injected an additional method, DynamicRun(), into SolarWinds’ legitimate LogoImageHandler class, which resides in App_Web_logoimagehandler.ashx.b6031896.dll.

A legitimate instance of App_Web_logoimagehandler.ashx.b6031896.dll (image in the original report).

A weaponized instance of App_Web_logoimagehandler.ashx.b6031896.dll (image in the original report).

Like other .NET web shells, SUPERNOVA accepts a valid .NET program as a parameter and executes the following in memory:

• .NET class
• Methods
• Arguments
• Code data

Consequently, few forensic artifacts are written to disk: the attacker’s code arrives in the inbound request itself, and no separate outbound callback to a C2 is required.

The attacker-supplied .NET code is compiled on the fly inside the Orion web process, so the activity blends in with normal SolarWinds operations.

According to Unit 42 researchers at Palo Alto Networks, the implant is a Trojanized copy of app_web_logoimagehandler.ashx.b6031896.dll. As mentioned above, this is a proprietary SolarWinds .NET library that exposes an HTTP API. The endpoint serves to respond to queries for a specific .gif image from other components of the Orion software stack.

The code added to the .dll is easily missed by defender automation and could potentially be missed by a manual review. The attackers leveraged the benign file by adding four new parameters to the API and a malicious method that executes the parameters in the context of the .NET runtime on the Orion host.

C2 Parameter   Purpose
clazz          C# class object name to instantiate
method         Method of class clazz to invoke
args           Arguments are newline-split and passed as positional parameters to method
codes          .NET assemblies and namespaces for compilation

Unit 42 advises: “Any ingress traffic to logoimagehandler.ashx with a combination of these four parameters in any order of the query string [is a] strong indicator of compromise (IOC). If a detection fires on this combination in any order, please isolate and image your Orion instance immediately. If the request came internal to the network, then it is highly probable that the user that initiated the request has also been compromised.”
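The Unit 42 advice above turned into a hunt over IIS W3C logs, as an added example that is not code from the report or from Unit 42. The internal address ranges and the log lines are constructed; the reduced IIS field set is declared in the #Fields: header.

```python
"""Hunt IIS W3C logs for SUPERNOVA-style requests. Added example, not code from the
DXC report or Unit 42: flags requests to logoimagehandler.ashx carrying all four C2
parameters (clazz, method, args, codes) in any order and labels the client internal or
external, as the Unit 42 advice distinguishes. Log lines below are constructed.
"""
import ipaddress
from urllib.parse import parse_qs

SUPERNOVA_URI = "logoimagehandler.ashx"
SUPERNOVA_PARAMS = {"clazz", "method", "args", "codes"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]  # constructed
# Constructed sample log; the #Fields: header gives the column order (reduced IIS field set).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2020-12-14 03:12:07 10.0.0.5 GET /Orion/logoimagehandler.ashx id=1 443 10.0.0.21 200
2020-12-14 03:12:09 10.0.0.5 GET /Orion/logoimagehandler.ashx codes=using+System%3B&clazz=Demo&method=Run&args=a 443 203.0.113.7 200
2020-12-14 03:12:11 10.0.0.5 GET /Orion/logoimagehandler.ashx clazz=Demo&method=Run 443 10.0.0.21 200
2020-12-14 03:12:13 10.0.0.5 GET /Orion/Login.aspx clazz=x&method=y&args=z&codes=w 443 10.0.0.9 200
2020-12-14 03:12:15 10.0.0.5 POST /Orion/LogoImageHandler.ashx Args=1&METHOD=m&Clazz=c&codes= 443 10.0.0.33 200
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip malformed lines rather than misalign columns
                yield dict(zip(fields, values))

def is_supernova_request(record):
    """True when the URI is logoimagehandler.ashx and all four parameters are present."""
    if not record["cs-uri-stem"].lower().endswith(SUPERNOVA_URI):
        return False
    query = record.get("cs-uri-query", "-")
    if query == "-":  # IIS writes '-' when the request had no query string
        return False
    names = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
    return SUPERNOVA_PARAMS <= names

def hunt(text):
    """Return one alert per matching request, noting whether the client was internal."""
    alerts = []
    for rec in parse_w3c(text):
        if is_supernova_request(rec):
            origin = "internal" if any(ipaddress.ip_address(rec["c-ip"]) in n for n in INTERNAL_NETS) else "external"
            alerts.append({"client": rec["c-ip"], "origin": origin,
                           "uri": rec["cs-uri-stem"], "query": rec["cs-uri-query"]})
    return alerts
```

Parameter names are compared case-insensitively and blank values still count, so `codes=` with an empty body is not a way past the check.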

Researchers Marco Figueroa, James Haughom and Jim Walter reported on Malware.news that they had created a proof of concept leveraging the same CSharpCodeProvider mechanism SUPERNOVA uses for in-memory compilation of .NET assemblies. They found that during the compilation process, the native .NET-related utilities CSC.exe and CVTRES.exe are spawned as child processes of the calling process.

“Passed as arguments to CSC and CVTRES are paths to randomly named temporary files that are used by these utilities during the compilation process,” according to the team.

Process tree

Process tree with command lines:

- "C:\Users\REM\Desktop\test_compiler.exe"

----- "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\REM\AppData\Local\Temp\2aklqpvi.cmdline"

------------- "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\REM\AppData\Local\Temp\RES23D1.tmp" "c:\Users\REM\AppData\Local\Temp\CSCF78C0CD1119A4E50AA11E695677D803B.TMP"


The syntax of these command lines is:

CSC:

"C:\Windows\Microsoft.NET\Framework64\<version>\csc.exe" /noconfig /fullpaths @"C:\Users\<user>\AppData\Local\Temp\<random_string>.cmdline"

CVTRES:

"C:\Windows\Microsoft.NET\Framework64\<version>\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\<user>\AppData\Local\Temp\<random_string>.tmp" "c:\Users\<user>\AppData\Local\Temp\<random_string>.TMP"

This process tree can provide valuable insight into when the SUPERNOVA web shell is potentially active and receiving commands from C2. This behavior may precede additional attacker activity on the box, such as lateral movement, spawned processes or dropped files.
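The process-tree hunt described above, written out as an added example that is not code from the report or from the Malware.news researchers. It matches process-creation events against the csc.exe and cvtres.exe command-line syntax given above; the assumption that the Orion web application runs inside the IIS worker process w3wp.exe, and all events, are constructed for the example.

```python
"""Match process-creation events against the csc.exe / cvtres.exe syntax above.

Added example, not code from the DXC report or the Malware.news researchers. Assumes
the Orion web application runs in the IIS worker process w3wp.exe, so csc.exe spawned
from it with this syntax is suspicious, while the same syntax under a developer tool is
not. Events below are constructed samples in Sysmon process-create style.
"""
import re

# csc.exe /noconfig /fullpaths @"...\Temp\<random_string>.cmdline"
CSC_RE = re.compile(
    r'csc\.exe"?\s+/noconfig\s+/fullpaths\s+@"?[^"]*\\Temp\\[^\\"]+\.cmdline"?', re.IGNORECASE)
# cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:...\Temp\<random>.tmp" "...\Temp\<random>.TMP"
CVTRES_RE = re.compile(
    r'cvtres\.exe"?\s+/NOLOGO\s+/READONLY\s+/MACHINE:\w+\s+"?/OUT:[^"]*\\Temp\\[^\\"]+\.tmp"?'
    r'\s+"?[^"]*\\Temp\\[^\\"]+\.TMP"?', re.IGNORECASE)

NET = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
EVENTS = [  # constructed: process id, parent id, image path, command line
    {"pid": 4120, "ppid": 688, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": 'w3wp.exe -ap "OrionPool"'},
    {"pid": 5204, "ppid": 4120, "image": NET + r"\csc.exe",
     "cmdline": f'"{NET}\\csc.exe" /noconfig /fullpaths @"C:\\Windows\\Temp\\2aklqpvi.cmdline"'},
    {"pid": 5310, "ppid": 5204, "image": NET + r"\cvtres.exe",
     "cmdline": f'"{NET}\\cvtres.exe" /NOLOGO /READONLY /MACHINE:IX86 '
                '"/OUT:C:\\Windows\\Temp\\RES23D1.tmp" "c:\\Windows\\Temp\\CSC1119A4E5.TMP"'},
    {"pid": 3000, "ppid": 1, "image": r"C:\Program Files\VS\devenv.exe", "cmdline": "devenv.exe"},
    {"pid": 6001, "ppid": 3000, "image": NET + r"\csc.exe",  # same syntax from a build tool: benign
     "cmdline": f'"{NET}\\csc.exe" /noconfig /fullpaths @"C:\\Users\\dev\\AppData\\Local\\Temp\\abc.cmdline"'},
]

def find_compile_chains(events, suspicious_parents=("w3wp.exe",)):
    """Return one alert per matching csc.exe whose parent image is in suspicious_parents."""
    by_pid = {e["pid"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    alerts = []
    for e in events:
        if not CSC_RE.search(e["cmdline"]):
            continue
        parent = by_pid.get(e["ppid"])
        parent_name = parent["image"].rsplit("\\", 1)[-1].lower() if parent else "unknown"
        if parent_name not in suspicious_parents:
            continue
        cvtres = [c for c in children.get(e["pid"], []) if CVTRES_RE.search(c["cmdline"])]
        alerts.append({"parent": parent_name, "csc_pid": e["pid"], "cvtres_seen": bool(cvtres)})
    return alerts
```

Keying the alert on the parent process is what separates the web-shell case from ordinary developer builds, which produce the identical csc.exe and cvtres.exe command lines.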

SUPERNOVA indicators of compromise

SolarWinds Orion app_web_logoimagehandler.ashx.b6031896.dll (SHA-256):

c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71

URI:

logoimagehandler[.]ashx

HTTP query string parameters:

clazz, method, args, codes

SUPERNOVA MITRE ATT&CK TTPs

• Input Capture: Credential API Hooking – T1056

• Subvert Trust Controls: Code Signing – T1553

• Supply Chain Compromise – T1195

• Exfiltration – TA0010

• Application Layer Protocol – T1071

• Dynamic Resolution: Domain Generation Algorithms – T1568.002

• Indicator Removal On Host – T1070

• Masquerading – T1036

• Obfuscated Files or Information – T1027

• Process Discovery – T1057

• Create or Modify System Process: Windows Service – T1543.003

• Remote Services – T1021

• System Services: Service Execution – T1568.002

• Valid Accounts – T1078

CosmicGale – PowerShell credential theft script

The SUPERNOVA web shell is used to download, compile and execute malicious PowerShell scripts, dubbed CosmicGale by some researchers.

PowerShell and other scripts used by the attacker, provided by Volexity:

Get a list of users on the Exchange server and their current role using Get-ManagementRoleAssignment:

C:\Windows\system32\cmd.exe /C powershell.exe -PSConsoleFile exshell.psc1 -Command "Get-ManagementRoleAssignment -GetEffectiveUsers | select Name,Role,EffectiveUserName,AssignmentMethod,IsValid | ConvertTo-Csv -NoTypeInformation | % {$_ -replace '`n','_'} | Out-File C:\temp\1.xml"

Retrieve information about the configured Virtual Directory using Get-WebServicesVirtualDirectory:

C:\Windows\system32\cmd.exe /C powershell.exe -PSConsoleFile exshell.psc1 -Command "Get-WebServicesVirtualDirectory | Format-List"

Lateral movement

The attacker used PowerShell to create new tasks on remote machines:

$scheduler = New-Object -ComObject ("Schedule.Service");$scheduler.Connect($env:COMPUTERNAME);$folder = $scheduler.GetFolder("\Microsoft\Windows\SoftwareProtectionPlatform");$task = $folder.GetTask("EventCacheManager");$definition = $task.Definition;$definition.Settings.ExecutionTimeLimit = "PT0S";$folder.RegisterTaskDefinition($task.Name,$definition,6,"System",$null,5);echo "Done"

This can also be attempted on a number of machines using schtasks.exe directly. For example:

C:\Windows\system32\cmd.exe /C schtasks /create /F /tn "\Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager" /tr "C:\Windows\SoftwareDistribution\EventCacheManager.exe" /sc ONSTART /ru system /S [machine_name]

Exfiltration

The attacker exfiltrated email data from targeted accounts using the New-MailboxExportRequest command followed by the Get-MailboxExportRequest command.

C:\Windows\system32\cmd.exe /C powershell.exe -PSConsoleFile exshell.psc1 -Command "New-MailboxExportRequest -Mailbox [email protected] -ContentFilter {(Received -ge '03/01/2020')} -FilePath '\\<MAILSERVER>\c$\temp\b.pst'"


The attacker created password-protected archives on the victims’ Office Web Apps (OWA) server so that they could be exfiltrated via a simple HTTP request.

C:\Windows\system32\cmd.exe /C .\7z.exe a -mx9 -r0 -p[33_char_password] "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Redir.png" C:\Temp\b.pst

An example URL for the attacker to collect the exfiltrated data would be:

https://owa.organization.here/owa/auth/Redir.png

On disk, this was located at the following path:

\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\

Secondary storage folder observed by Volexity researchers:

\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\

Attackers added their own device IDs to the ActiveSync allow list of a number of mailboxes using Set-CASMailbox:

C:\Windows\system32\cmd.exe /C powershell.exe -PSConsoleFile exshell.psc1 -Command "Set-CASMailbox -Identity <UserID> -ActiveSyncAllowedDeviceIDs @{add='XXXXXXXXXXXXX'}"

Attacker cleanup

After successfully exporting the mail they wished to steal, the attackers would remove the evidence of the export request using Remove-MailboxExportRequest:

C:\Windows\system32\cmd.exe /C powershell.exe -PSConsoleFile exshell.psc1 -Command "Get-MailboxExportRequest -Mailbox [email protected] | Remove-MailboxExportRequest -Confirm:$False"

Sources:

Volexity

FireEye

GuidePoint Security

Symantec SUNBURST and RAINDROP

Microsoft Solorigate and SUNBURST/Teardrop and RAINDROP

CISA

Malware.news

Palo Alto Unit 42

Check Point Research

GitHub

SolarWinds

Cisco Talos

InfraGard and Malpedia memberships


Get the insights that matter. www.dxc.technology/optin

About DXC Technology

DXC Technology (NYSE: DXC) helps global companies run their mission critical systems and operations while modernizing IT, optimizing data architectures, and ensuring security and scalability across public, private and hybrid clouds. With decades of driving innovation, the world’s largest companies trust DXC to deploy our enterprise technology stack to deliver new levels of performance, competitiveness and customer experiences. Learn more about the DXC story and our focus on people, customers and operational execution at www.dxc.technology.

©2021 DXC Technology Company. All rights reserved. January 2021

Learn more

Thank you for reading the Security Threat Intelligence Report. Learn more about security trends and insights from DXC Labs | Security.

DXC in Security

Recognized as a leader in security services, DXC Technology helps clients prevent potential attack pathways, reduce cyber risk, and improve threat detection and incident response. Our expert advisory services and 24x7 managed security services are backed by 3,000+ experts and a global network of security operations centers. DXC provides solutions tailored to our clients’ diverse security needs, with areas of specialization in Cyber Defense, Digital Identity, Secured Infrastructure and Data Protection. Learn how DXC can help protect your enterprise in the midst of large-scale digital change. Visit www.dxc.technology/security.

Stay current on the latest threats at www.dxc.technology/threats.
