As the probe into the SolarWinds supply chain attack continues, new digital forensic evidence has brought to light that a separate threat actor may have been abusing the IT infrastructure provider’s Orion software to drop a similar persistent backdoor on target systems.
“The investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor,” the Microsoft 365 research team said on Friday in a post detailing the Sunburst malware.
What sets the newly revealed malware, dubbed “Supernova,” apart is that, unlike the Sunburst DLL, the Supernova DLL (“app_web_logoimagehandler.ashx.b6031896.dll”) is not signed with a legitimate SolarWinds digital certificate, signalling that this compromise may be unrelated to the previously disclosed supply chain attack.
In a standalone write-up, researchers from Palo Alto Networks said the Supernova malware is compiled and executed in-memory, permitting the attacker to bypass endpoint detection and response (EDR) systems and “deploy full-featured – and presumably sophisticated – .NET programs in reconnaissance, lateral movement and other attack phases.”
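The distinguishing trait the article highlights is that the Supernova DLL lacks a legitimate SolarWinds signature. A defender can turn that into a quick triage check: enumerate the DLLs under an Orion installation and flag any that are unsigned, carry an invalid signature, or are signed by someone other than SolarWinds. The script below is an added example, not code from the article, Microsoft or Palo Alto Networks; the `$OrionRoot` default path and the function name are assumptions, and the only filename it singles out is the one the article names.

```powershell
# Added example: flag DLLs under a SolarWinds Orion install whose Authenticode
# signature is missing, invalid, or not issued to SolarWinds.
# $OrionRoot is an assumed default; point it at the real install directory.
function Get-SuspectOrionDll {
    param(
        [string]$OrionRoot = 'C:\inetpub\SolarWinds'   # assumption, not from the article
    )

    Get-ChildItem -Path $OrionRoot -Recurse -Filter '*.dll' -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Get-AuthenticodeSignature reports Valid, NotSigned, HashMismatch, etc.
            $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

            [pscustomobject]@{
                Path    = $_.FullName
                Status  = $sig.Status
                Signer  = $subject
                # Supernova is described as not carrying a legitimate SolarWinds
                # signature, so anything not validly signed by SolarWinds is suspect.
                Suspect = ($sig.Status -ne 'Valid') -or ($subject -notmatch 'SolarWinds')
            }
        }
}

$results = Get-SuspectOrionDll

# Summary table of everything that failed the check.
$results | Where-Object Suspect | Format-Table Path, Status, Signer -AutoSize

# Call out the specific handler DLL the article names, if it is present at all.
$knownName = 'app_web_logoimagehandler.ashx.b6031896.dll'
$results | Where-Object { $_.Path -like "*\$knownName" } | ForEach-Object {
    Write-Warning "Found $($_.Path) (status: $($_.Status); signer: '$($_.Signer)')"
}
```

Two caveats when reading the output: ASP.NET dynamically compiled assemblies are often unsigned by design, so an unsigned hit is a lead to examine, not a verdict; and because the article notes Supernova is compiled and executed in memory, an on-disk signature sweep only catches the dropper-side artifact and should be paired with process and .NET assembly-load telemetry for the running Orion web process.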