YARA rules to detect the SUPERNOVA .NET web shell backdoor
import "pe"

rule APT_Webshell_SUPERNOVA_1
{
    meta:
        author = "FireEye"
        description = "SUPERNOVA is a .NET web shell backdoor masquerading as a legitimate SolarWinds web service handler. SUPERNOVA inspects and responds to HTTP requests with the appropriate HTTP query strings, Cookies, and/or HTML form values (e.g. named codes, class, method, and args). This rule is looking for specific strings and attributes related to SUPERNOVA."
        reference = "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
        date = "2020-12-14"
        score = 85
    strings:
        $compile1 = "CompileAssemblyFromSource"
        $compile2 = "CreateCompiler"
        $context = "ProcessRequest"
        $httpmodule = "IHttpHandler" ascii
        $string1 = "clazz"
        $string2 = "//NetPerfMon//images//NoLogo.gif" wide
        $string3 = "SolarWinds" ascii nocase wide
    condition:
        // MZ header, PE signature at e_lfanew, small file, CLR entry import, and all string groups present
        uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and filesize < 10KB and pe.imports("mscoree.dll", "_CorDllMain") and $httpmodule and $context and all of ($compile*) and all of ($string*)
}
rule APT_Webshell_SUPERNOVA_2
{
    meta:
        author = "FireEye"
        description = "This rule is looking for specific strings related to SUPERNOVA. SUPERNOVA is a .NET web shell backdoor masquerading as a legitimate SolarWinds web service handler. SUPERNOVA inspects and responds to HTTP requests with the appropriate HTTP query strings, Cookies, and/or HTML form values (e.g. named codes, class, method, and args)."
        reference = "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
        date = "2020-12-14"
        score = 85
    strings:
        $dynamic = "DynamicRun"
        $solar = "Solarwinds" nocase
        $string1 = "codes"
        $string2 = "clazz"
        $string3 = "method"
        $string4 = "args"
    condition:
        uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and filesize < 10KB and 3 of ($string*) and $dynamic and $solar
}
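As an added example (not code from the original page or from FireEye), a short Python re-implementation of the checks these rules make, so the condition semantics can be read and exercised without a YARA install: the MZ/PE header test, the ascii/wide/nocase string modifiers, and the "3 of" count in the second rule. The function names and the test buffers are this example's own constructions.

```python
import struct


def is_pe(data: bytes) -> bool:
    """The header check both rules start with:
    uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:  # "MZ"
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return struct.unpack_from("<I", data, e_lfanew)[0] == 0x00004550  # "PE\0\0"


def yara_string(data: bytes, text: str, ascii: bool = True,
                wide: bool = False, nocase: bool = False) -> bool:
    """Text-string modifiers as YARA applies them: ascii (the default),
    wide = UTF-16LE encoding, nocase = case-insensitive ASCII letters."""
    hay = data.lower() if nocase else data
    forms = ([text.encode("ascii")] if ascii else []) + \
            ([text.encode("utf-16-le")] if wide else [])
    return any((f.lower() if nocase else f) in hay for f in forms)


def rule_supernova_2(data: bytes) -> bool:
    """Condition of APT_Webshell_SUPERNOVA_2: PE header, filesize < 10KB,
    at least 3 of $string1..4, plus $dynamic and $solar (nocase)."""
    if not is_pe(data) or len(data) >= 10 * 1024:
        return False
    hits = sum(yara_string(data, s) for s in ("codes", "clazz", "method", "args"))
    return (hits >= 3 and yara_string(data, "DynamicRun")
            and yara_string(data, "Solarwinds", nocase=True))


def fake_pe(payload: bytes) -> bytes:
    """Constructed test buffer (not a real executable): MZ stub, e_lfanew
    pointing at a PE signature at offset 0x80, then the payload."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    return bytes(hdr) + b"PE\0\0" + payload


# Constructed sample inputs for exercising the condition.
SAMPLE_HIT = fake_pe(b"DynamicRun SOLARWINDS codes clazz method args")
SAMPLE_MISS = fake_pe(b"SolarWinds codes clazz")          # no DynamicRun, only 2 strings
SAMPLE_TEXT = b"DynamicRun Solarwinds codes clazz method"  # right strings, not a PE
```

The first rule's header and size checks are identical; its `pe.imports` test needs a real import-table parser and is left to YARA itself.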
SolarWinds advises all Orion Platform customers to upgrade to the latest versions to be protected not only from the SUNBURST vulnerability but from the SUPERNOVA malware as well. They do not, however, say on what dates they believe the compromise happened.
Customers who have not upgraded their platforms since before the breach are therefore left unsure whether they should upgrade their current versions or wait it out to see what else is a broken mess.