{
	"id": "39089620-100d-4cf1-81ce-d2d367cf7b6f",
	"created_at": "2026-04-06T00:06:19.49026Z",
	"updated_at": "2026-04-10T03:21:47.779824Z",
	"deleted_at": null,
	"sha1_hash": "3ce1d1e74cccd5b6c98f824cee6549e371db2276",
	"title": "Detecting Supernova Malware: SolarWinds Continued | Splunk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 71897,
	"plain_text": "Detecting Supernova Malware: SolarWinds Continued | Splunk\r\nBy Splunk\r\nPublished: 2021-01-04 · Archived: 2026-04-05 13:28:43 UTC\r\nAs organizations were catching their breath and winding down for the holidays, a fascinating twist in the\r\nSolarWinds Orion “Sunburst” intrusions began to appear.\r\nSupernova Timeline\r\nOn December 15, GuidePoint Security posted their analysis of a .NET web shell called “Supernova” that was\r\noriginally disclosed in the initial FireEye investigation. Two days later, Palo Alto Networks followed up with their\r\nanalysis of Supernova. On December 18, Microsoft released a comprehensive report on “Solorigate”, the\r\ncompromised supply chain DLL that was part of the Sunburst intrusion first reported by FireEye. Under the\r\n“Additional Malware Discovered” section, Microsoft calls out the Supernova malware that was uncovered during\r\ntheir research, as well as the hypothesis that because the malware does not conform to the other aspects of the\r\nSunburst attack, Supernova may have originated from another APT group!\r\nOn December 24, SolarWinds released its first Security Advisory that included both Sunburst and Supernova. This\r\nadvisory has been updated multiple times since then as new information has been made available. Supernova,\r\nSolarWinds clarified, appeared to be separate from the Sunburst attack, and the malware leveraged a vulnerability\r\nfound in the Orion platform. This new vulnerability and its associated malware give adversaries another method of\r\naccess. DHS CISA has updated their initial guidance to include this new vector.\r\nBased on this newly released research (and this really is the Reader’s Digest version, believe me), we are going to\r\ntake a look at Supernova – what it is and how it is leveraged. 
We will also take a look at various detection\r\nmethods, using data models and SPL, that can identify an adversary leveraging this attack vector.\r\nWhat Is Supernova?\r\nSupernova was originally identified during the analysis of Sunburst, the SolarWinds Orion intrusions. During this\r\ninitial analysis, Supernova YARA rules were created alongside other elements of Sunburst because it was initially\r\nassumed to be part of the same intrusion. Based on the new hypothesis that Supernova is distinct from Sunburst,\r\nFireEye removed the YARA rules from their GitHub repo, but the original rules are still accessible.\r\nSupernova leverages what was a zero-day vulnerability to install a trojanized .NET DLL. It is important to note\r\nthat this DLL is not digitally signed like the Sunburst DLL was, which is one of the reasons multiple researchers\r\nbelieve that this is a different threat actor using a vulnerability to load their malicious code onto vulnerable systems.\r\nThe malware that is loaded is a web shell. This MITRE ATT\u0026CK technique, T1505, is used by adversaries to\r\nbackdoor web servers and establish persistent access to systems. For a deeper dive, here is a nice primer on web\r\nshells by Acunetix. Go ahead, I will wait. What makes this web shell extra nasty is that it is built to run in-memory,\r\nhttps://www.splunk.com/en_us/blog/security/detecting-supernova-malware-solarwinds-continued.html\r\nPage 1 of 5\n\nwhich makes it more difficult for detection and forensic analysts to do additional analysis post-breach. Notice I\r\nsaid more difficult, but not impossible.\r\nWhat Can I Do?\r\nSolarWinds has continued to update their security advisory that lays out both the Sunburst AND Supernova issues\r\nand which versions of their software are impacted. Patches are available for both issues. 
In fact, depending on the\r\npatch applied, both Sunburst and Supernova can be mitigated at the same time!\r\nHow Can I Detect Supernova In My Environment?\r\nIf you have read this far, you have a foundational understanding that Supernova and Sunburst are separate issues\r\nand you are likely looking to take some action. Here are some detections that may be useful to you in your\r\nenvironment.\r\nReaders of this blog may be using Splunk Enterprise or Splunk Enterprise Security. While anyone can use data\r\nmodels, I recognize that not everyone does. With that in mind, the detections below are provided in SPL, as well\r\nas using data models and the tstats command. Using the tstats command will provide better overall search\r\nperformance. If you are not using data models, the SPL search should still be helpful because the search criteria\r\nstill apply. However, the field names may be different based on the sourcetypes in your environment compared\r\nto the examples below.\r\nThese are somewhat broad searches as they stand, but they can be refined further based on IP address or other attributes.\r\nGood asset management will help isolate systems to search against. If you are not using tstats and data models for\r\nyour searches and just want to use SPL, don’t forget to use index=\u003cinsert index names\u003e to narrow down the\r\nsearch to only the indexes that contain the applicable events.\r\nCERT/CC issued a new SolarWinds Orion API vulnerability alert on December 26th. 
Assuming you have a recent\r\nvulnerability scan with this latest alert added and you are ingesting vulnerability scanning data into Splunk and\r\npopulating the Vulnerabilities data model, this search could uncover vulnerable systems.\r\n| tstats count from datamodel=Vulnerabilities.Vulnerabilities where\r\n(Vulnerabilities.cert=\"VU#843464\" OR Vulnerabilities.cert=843464 OR\r\nVulnerabilities.cve=CVE-2020-10148) groupby Vulnerabilities.dest\r\nVulnerabilities.dvc Vulnerabilities.signature Vulnerabilities.vendor_product _time span=1s\r\nThe SPL search will depend on the event source, whether that is Nessus, Qualys or others, but it could be as\r\nsimple as this, provided the vulnerability vendor reports CERT/CC or CVE identifiers.\r\nindex=\u003cindex where vulnerability data is stored\u003e\r\nsourcetype=\u003cvulnerability scanner\u003e (\"VU#843464\" OR 843464 OR CVE-2020-10148)\r\nThe footprint of this intrusion is limited because the web shell itself does not exist on disk, but file hashes do\r\nexist for the trojanized .NET DLL. VirusTotal currently has 59 engines detecting it. Signature names are available\r\nto search against as well, but they will vary based on your anti-virus vendor.\r\nDepending on how you are identifying file system events, the following search may allow you to identify whether the\r\nfile hashes associated with the trojanized DLL have been written to disk. 
Note that this will be dependent on the\r\nevents collected being written to the Endpoint data model.\r\n| tstats count from datamodel=Endpoint.Filesystem where\r\n(Filesystem.file_name=*logoimagehandler.ashx* OR\r\nFilesystem.file_hash=C15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71\r\nOR Filesystem.file_hash=75af292f34789a1c782ea36c7127bf6106f595e8 OR\r\nFilesystem.file_hash=56ceb6d0011d87b6e4d7023d7ef85676) groupby\r\nFilesystem.file_name Filesystem.file_path Filesystem.dest\r\nFilesystem.file_hash Filesystem.vendor_product Filesystem.user _time span=1s\r\nFor those running Sysmon, searching for EventCode 11 (FileCreate) can also be helpful to determine if and when\r\nthe DLL was written to disk.\r\nindex=\u003cindex where endpoint data is stored\u003e\r\nsourcetype=xmlwineventlog:microsoft-windows-sysmon/operational EventCode=11\r\nfile_name=*logoimagehandler.ashx*\r\n| table _time host Image Computer TargetFilename\r\nAt the very least, a search for these three hashes (SHA256, SHA1 and MD5) will provide a place to start to\r\ndetermine if the malware exists on your SolarWinds Orion systems.\r\nSHA256: C15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71\r\nSHA1: 75af292f34789a1c782ea36c7127bf6106f595e8\r\nMD5: 56ceb6d0011d87b6e4d7023d7ef85676\r\nIf you are looking for DLLs being loaded in a specific process, Sysmon Event Code 7 (Image loaded) can also be\r\nused to look for the trojanized .NET DLL being invoked.\r\nindex=\u003cindex where endpoint data is stored\u003e\r\nsourcetype=xmlwineventlog:microsoft-windows-sysmon/operational EventCode=7\r\n(file_name=*logoimagehandler.ashx* OR\r\nSHA256=C15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71 OR\r\nSHA1=75af292f34789a1c782ea36c7127bf6106f595e8 OR\r\nMD5=56ceb6d0011d87b6e4d7023d7ef85676)\r\n| table _time Image ImageLoaded Computer\r\nSentinelOne also released a blog where they developed a proof of concept that used the same technique that\r\nSupernova uses for 
in-memory compilation of .NET. They identified that CSC.exe and CVTRES.exe are created\r\nas child processes during execution. Please keep in mind this is a tactic to hunt with, not to deploy as a signature in\r\nyour SIEM. Because many .NET apps can do this, I want to caution that this is not an indicator of compromise,\r\nbut it may be worth the time to run a search that looks something like this to determine if .NET assemblies are\r\nbeing compiled and then hunt for additional actions occurring immediately after this behavior on vulnerable\r\nsystems.\r\n| tstats count from datamodel=Endpoint.Processes where\r\nProcesses.process_exec=cvtres.exe Processes.parent_process_exec=csc.exe\r\ngroupby Processes.process_exec Processes.process_id Processes.process\r\nProcesses.parent_process_exec Processes.parent_process\r\nProcesses.parent_process_id Processes.dest Processes.user\r\nProcesses.vendor_product _time span=1s\r\nindex=\u003cindex where endpoint data is stored\u003e\r\nsourcetype=xmlwineventlog:microsoft-windows-sysmon/operational EventCode=1\r\nCommandLine=*cvtres.exe* ParentCommandLine=*csc.exe*\r\n| table _time CommandLine ParentCommandLine User host ProcessId ParentProcessId\r\nBecause the web shell exists only in memory, the best opportunity to see it will be found in events like web or\r\nnetwork traffic events. GuidePoint’s blog provides some pseudo-queries that can be adapted for use with Splunk\r\nStream, Bro/Zeek, or other data sets that contain information about HTTP and URI filenames and parameters.\r\nEven in the absence of endpoint data, if web or network traffic data exists, searches like these could be used as a\r\nstarting point. 
As previously mentioned, if you are not using Splunk Stream, the SPL can be adapted to your\r\nspecific data source.\r\n| tstats count from datamodel=Web.Web where\r\n(Web.url=*logoimagehandler.ashx*codes* OR\r\nWeb.url=*logoimagehandler.ashx*clazz* OR\r\nWeb.url=*logoimagehandler.ashx*method* OR\r\nWeb.url=*logoimagehandler.ashx*args*) groupby Web.src Web.dest Web.url\r\nWeb.vendor_product Web.user Web.http_user_agent _time span=1s\r\nindex=\u003cindex where network/web data is stored\u003e sourcetype=stream:http\r\n(url=*logoimagehandler.ashx*codes* OR url=*logoimagehandler.ashx*clazz*\r\nOR url=*logoimagehandler.ashx*method* OR\r\nurl=*logoimagehandler.ashx*args*)\r\n| table _time src_ip src_port dest_ip dest_port url transport status\r\n| tstats count from datamodel=Web.Web where Web.http_content_type=\"text/plain\"\r\nWeb.dest=\u003cinsert your SolarWinds IP here, since we are looking for inbound traffic\u003e\r\nWeb.url=*logoimagehandler.ashx* groupby Web.src Web.dest Web.url\r\nWeb.vendor_product Web.user Web.http_user_agent _time span=1s\r\nindex=\u003cindex where network/web data is stored\u003e sourcetype=stream:http\r\ndest_ip=\u003cinsert your SolarWinds IP here, since we are looking for inbound traffic\u003e\r\nurl=*logoimagehandler.ashx*\r\n| table _time src_ip src_port dest_ip dest_port url transport status\r\nI recognize that dealing with another vulnerability and its associated malicious code so soon after Sunburst is\r\nprobably not the way anyone wanted to wrap up the year and start a new one, but hopefully this provides a way\r\nforward to jump-start your detections as your organization patches its vulnerable SolarWinds systems.\r\n----------------------------------------------------\r\nThanks!\r\nJohn Stoner\r\nSource: 
https://www.splunk.com/en_us/blog/security/detecting-supernova-malware-solarwinds-continued.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.splunk.com/en_us/blog/security/detecting-supernova-malware-solarwinds-continued.html"
	],
	"report_names": [
		"detecting-supernova-malware-solarwinds-continued.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775433979,
	"ts_updated_at": 1775791307,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3ce1d1e74cccd5b6c98f824cee6549e371db2276.pdf",
		"text": "https://archive.orkl.eu/3ce1d1e74cccd5b6c98f824cee6549e371db2276.txt",
		"img": "https://archive.orkl.eu/3ce1d1e74cccd5b6c98f824cee6549e371db2276.jpg"
	}
}